If a service requires the key, how is the refreshing set up? Your solution only tells us something about the providing side.
I guess one must implement a refresh mechanism inside the consumer. In the case of App Service, would this mean a forced / scheduled restart? Or is App Service monitoring Key Vault reference refreshes, and is the app workload potentially able to receive these updates without a restart?
https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references#rotation
If a version is not specified in the reference, then the app will use the latest version that exists in Key Vault. When newer versions become available, such as with a rotation event, the app will automatically update and begin using the latest version within one day. Any configuration changes made to the app will cause an immediate update to the latest versions of all referenced secrets.
Based on this documentation, it seems that App Service enforces a restart within 1 day.
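Added example, not part of the original issue or of the project's code: one way a consumer can pick up a rotated key without a restart, by caching the secret for a bounded age and re-reading it once when the downstream service rejects the cached key. The `fetch` callable is a hypothetical stand-in for whatever actually reads the secret from Key Vault, and `PermissionError` is assumed to represent the downstream service refusing a rotated-out key.

```python
import threading
import time
from typing import Callable, Optional


class RefreshingSecret:
    """Caches a secret and re-reads it from its source without a restart."""

    def __init__(self, fetch: Callable[[], str], max_age_s: float,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch            # hypothetical: wraps the real Key Vault read
        self._max_age_s = max_age_s    # upper bound on how long an old key is used
        self._clock = clock            # injectable so the logic can be tested
        self._lock = threading.Lock()
        self._value: Optional[str] = None
        self._fetched_at = 0.0

    def get(self, force: bool = False) -> str:
        with self._lock:
            age = self._clock() - self._fetched_at
            stale = self._value is None or age >= self._max_age_s
            if force or stale:
                try:
                    self._value = self._fetch()
                    self._fetched_at = self._clock()
                except Exception:
                    # Source unreachable: keep serving the cached value if
                    # there is one, otherwise surface the failure.
                    if self._value is None:
                        raise
            return self._value


def call_with_secret(secret: RefreshingSecret, op: Callable[[str], object]):
    """Run op(key); on an auth failure re-read the secret once and retry."""
    try:
        return op(secret.get())
    except PermissionError:
        # Assumed signal that the cached key was rotated out downstream.
        return op(secret.get(force=True))
```

With this pattern the window in which a consumer holds an old key is bounded by `max_age_s` rather than by the platform's refresh interval, so the rotation process only needs to keep the previous key valid for that long.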