Tags: azure, azure-functions, azure-keyvault, azure-functions-runtime

Should Azure Functions app be restarted if a secret is updated in Key Vault?


I'm trying to understand the integration between Azure Functions and Key Vault. In the application settings file on the portal, if I reference a KV endpoint, does the Function runtime retrieve the result once and cache it locally or does it hit the endpoint every time the config key is referenced? In other words, I'm trying to understand if any changes in KV will require the Function app to be restarted or not.


Solution

  • Update: Versions no longer required for Key Vault references in App Service and Azure Functions

    If a version is not specified in the reference, then the app will use the latest version that exists in Key Vault. When newer versions become available, such as with a rotation event, the app will automatically update and begin using the latest version within one day. Any configuration changes made to the app will cause an immediate update to the latest versions of all referenced secrets.


    If you use App Service Key Vault References, you will need to update the configuration value in the Azure Portal. Restarting will not change anything. This is because you are referencing an actual secret version. If you update the secret, you will get a new version.

    Versions are currently required. When rotating secrets, you will need to update the version in your application configuration.

    See also Azure Function App use latest version of Key Vault Secret via Application Settings
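
The distinction in the answer above (a reference that names a secret version stays on that version, one without a version follows the latest) can be checked across an app's settings before a rotation. The following is an added example, not part of the original answer: it parses the two `@Microsoft.KeyVault(...)` reference forms and reports which settings are pinned. The function names, the vault name `contoso-kv`, the version string and the sample settings are constructed; the list-of-`name`/`value` shape is assumed to match an exported app settings list.

```python
import re
from urllib.parse import urlparse

# Matches the reference wrapper used in App Service / Functions app settings.
REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")

def classify_reference(value):
    """Return 'plain', 'latest', 'pinned' or 'malformed' for one setting value."""
    m = REF.match(value.strip())
    if not m:
        return "plain"  # ordinary setting, not a Key Vault reference
    body = m.group("body").strip()
    if body.lower().startswith("secreturi="):
        # Secret URI path layout: /secrets/<name>[/<version>]
        path = urlparse(body.split("=", 1)[1]).path
        parts = [p for p in path.split("/") if p]
        if len(parts) < 2 or parts[0].lower() != "secrets":
            return "malformed"
        return "pinned" if len(parts) >= 3 else "latest"
    # Alternative form: VaultName=...;SecretName=...[;SecretVersion=...]
    pairs = (kv.split("=", 1) for kv in body.split(";") if "=" in kv)
    fields = {k.strip().lower(): v.strip() for k, v in pairs}
    if not fields.get("vaultname") or not fields.get("secretname"):
        return "malformed"
    return "pinned" if fields.get("secretversion") else "latest"

def pinned_settings(settings):
    """Names of settings whose reference names an explicit secret version."""
    return [s["name"] for s in settings
            if classify_reference(s["value"]) == "pinned"]

# Constructed sample input; the vault, secret names and version are made up.
VER = "0123456789abcdef0123456789abcdef"
SAMPLE = [
    {"name": "DbPassword",
     "value": f"@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/db-pass/{VER})"},
    {"name": "ApiKey",
     "value": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/api-key/)"},
    {"name": "QueueKey",
     "value": f"@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=queue-key;SecretVersion={VER})"},
    {"name": "StorageKey",
     "value": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=storage-key)"},
    {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "dotnet"},
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f'{s["name"]:26} {classify_reference(s["value"])}')
```

Settings reported as `pinned` are the ones that need a configuration update when the secret is rotated.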