2

I am trying to configure a periodic refresh of Key Vault values. My original code generated by Visual Studio looks like this

```csharp
var keyVaultEndpoint = new Uri($"https://{vaultName}.vault.azure.net/");
config.AddAzureKeyVault(
    keyVaultEndpoint,
    new DefaultAzureCredential()
);
```

I found one of the extension methods accepts an object of type AzureKeyVaultConfigurationOptions which has a TimeSpan property named ReloadInterval. It turns out this extension method was a part of Microsoft's older SDK that has been replaced as discussed in this SO post. In case the post disappears, the OP encountered this error, which talks about the package "Microsoft.Azure.KeyVault" being replaced with "Azure.Security.KeyVault" and they recommend moving to the latest code. Since AzureKeyVaultConfigurationOptions is an SDK v3 object it is no longer recommended.

So if AzureKeyVaultConfigurationOptions is not included in the new SDK, what is the recommended way to set a reload interval?

heilch
  • 1
    Do you mean [AzureKeyVaultConfigurationOptions.ReloadInterval](https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-3.1#configuration-options) with package `Microsoft.Extensions.Configuration.AzureKeyVault`? – unknown Sep 04 '20 at 01:44
  • @PamelaPeng I think you are right, I mistakenly copied the wrong class name when writing this out. I'll update now. That class is v3, not included in the SDK v4 from what I can tell. – heilch Sep 04 '20 at 13:54

2 Answers

4

It is possible actually using Azure.Extensions.AspNetCore.Configuration.Secrets. (Tested with 1.0.2)

As follows:

```csharp
config.AddAzureKeyVault(
    new Uri(Configuration["KeyVault:URI"]),
    new DefaultAzureCredential(
        new DefaultAzureCredentialOptions
        {
            ExcludeSharedTokenCacheCredential = true,
            VisualStudioTenantId = Configuration["AzureAd:TenantId"]
        }),
    new AzureKeyVaultConfigurationOptions()
    {
        ReloadInterval = TimeSpan.FromMinutes(15)
    }
);
```
Tiamo Idzenga
1

As you can see in the document, ReloadInterval is only used for v3. In the version 4.x.x, there is a similar class for the delay of retry attempts.

RetryOptions class is the set of options that can be specified to influence how retry attempts are made, and a failure is eligible to be retried. Delay means the delay between retry attempts for a fixed approach. The following shows how to use it in Secret; it can also be used for Certificates and Keys.

```csharp
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Retry policy for failed requests (this does not schedule periodic reloads).
SecretClientOptions options = new SecretClientOptions()
{
    Retry =
    {
        Delay = TimeSpan.FromSeconds(2),
        MaxDelay = TimeSpan.FromSeconds(16),
        MaxRetries = 5,
        Mode = RetryMode.Exponential
    }
};
var client = new SecretClient(new Uri("https://<your-unique-key-vault-name>.vault.azure.net/"), new DefaultAzureCredential(), options);

KeyVaultSecret secret = client.GetSecret("mySecret");

string secretValue = secret.Value;
```
unknown
  • 1
    This seems to be when you manually fetch a secret. How would this integrate with IConfiguration, or injecting the config using IOptions? – heilch Sep 09 '20 at 16:06
  • 2
    This doesn't work for refreshing the secrets periodically, rather this is setting a retry policy when a secret cannot be retrieved. – Tiamo Idzenga Nov 10 '20 at 10:04
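
An added example, not code from any poster: the `ReloadInterval` overload from the first answer wired into a generic host, with the reloaded values consumed through `IOptionsMonitor<T>`, which is the integration the comment under the second answer asks about. The `DbSettings` class, the `Db` section, the `Db--Password` secret name and `RotationWatcher` are assumptions for illustration; `KeyVault:URI` is the key used in the first answer.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Options;

// Hypothetical settings class; a secret named "Db--Password" binds to Db:Password.
public class DbSettings { public string Password { get; set; } = ""; }

// Hypothetical watcher: records each configuration reload. Code that uses the
// secret should read IOptionsMonitor<DbSettings>.CurrentValue at the point of
// use instead of caching the value in a field.
public sealed class RotationWatcher : IHostedService
{
    private readonly IOptionsMonitor<DbSettings> _settings;
    private IDisposable _subscription;
    public RotationWatcher(IOptionsMonitor<DbSettings> settings) => _settings = settings;

    public Task StartAsync(CancellationToken ct)
    {
        // Fires after a configuration reload; log the event, never the value.
        _subscription = _settings.OnChange(_ =>
            Console.WriteLine($"{DateTimeOffset.UtcNow:o} Db settings reloaded"));
        return Task.CompletedTask;
    }

    public Task StopAsync(CancellationToken ct) { _subscription?.Dispose(); return Task.CompletedTask; }
}

public static class Program
{
    public static void Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((_, config) =>
                config.AddAzureKeyVault(
                    new Uri(config.Build()["KeyVault:URI"]),  // key name from the first answer
                    new DefaultAzureCredential(),
                    new AzureKeyVaultConfigurationOptions { ReloadInterval = TimeSpan.FromMinutes(15) }))
            .ConfigureServices((ctx, services) =>
            {
                services.Configure<DbSettings>(ctx.Configuration.GetSection("Db"));
                services.AddHostedService<RotationWatcher>();
            })
            .Build().Run();
}
```

`IOptions<T>` is bound once and keeps a rotated-out secret until the process restarts; `IOptionsMonitor<T>.CurrentValue` (or `IOptionsSnapshot<T>` per request) returns the value picked up by the most recent poll.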