A common challenge when building cloud applications is how to manage the credentials in your code for authenticating to cloud services. Keeping the credentials secure is an important task. Ideally, the credentials never appear on developer workstations and aren't checked into source control. Azure Key Vault provides a way to securely store credentials, secrets, and other keys, but your code has to authenticate to Key Vault to retrieve them.
The solution to this problem is to avoid placing credentials in your source code or application configuration files at all. Azure provides the following options for managing application secrets in Key Vault and accessing those secrets securely from credential-free application code:
Managed Identities
Azure Key Vault References
Managed Identity is a feature of Azure AD that gives an Azure service its own identity in Azure AD. Your code can use that identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
Internally, managed identities are service principals of a special type that are locked so they can only be used with Azure resources. When the managed identity is deleted, the corresponding service principal is removed automatically. Also, when a user-assigned or system-assigned identity is created, the Managed Identity Resource Provider (MSRP) internally issues a certificate to that identity.
Your code can use a managed identity to request access tokens for services that support Azure AD authentication. Azure takes care of rolling the credentials that are used by the service instance.
For more information, please read the documentation.
Azure Key Vault references let you add credential-free secret management to your existing apps (Azure App Service and Azure Functions) without any code changes.
Apps hosted in App Service and Azure Functions can utilize this feature to reference a secret managed in Key Vault as part of their application settings. The app’s system-assigned identity is used to securely fetch the secret and make it available to the app as an environment variable. This means that teams can just replace existing secrets stored in app settings with references to the same secret in Key Vault, and the app will continue to operate as normal.
You can find more information about Key Vault references in the documentation.
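As an added illustration (not code from the original article), the following Python parses the two documented Key Vault reference forms that App Service and Functions accept in app settings, and splits a constructed set of settings into references, plain literals, and literals that still look like inline credentials. The vault name, secret names and key value are made up; the credential-hint keywords are a heuristic, not an Azure rule.

```python
import re
from urllib.parse import urlparse

# Documented reference forms (SecretUri, or VaultName;SecretName pairs) and a hint for inline credentials.
_SECRET_URI_RE = re.compile(r"^@Microsoft\.KeyVault\(SecretUri=(?P<uri>[^)]+)\)$")
_PAIRS_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<pairs>[^)]+)\)$")
_SECRET_HINT_RE = re.compile(r"(AccountKey|Password|SharedAccessKey|ClientSecret)=", re.I)

def parse_key_vault_reference(value):
    """Return {'vault', 'secret', 'version'} for a Key Vault reference, None for a literal."""
    m = _SECRET_URI_RE.match(value.strip())
    if m:
        uri = urlparse(m.group("uri"))
        parts = [p for p in uri.path.split("/") if p]  # /secrets/<name>[/<version>]
        if uri.scheme != "https" or len(parts) < 2 or parts[0] != "secrets":
            raise ValueError(f"malformed SecretUri in reference: {value}")
        return {"vault": uri.hostname, "secret": parts[1], "version": parts[2] if len(parts) > 2 else None}
    m = _PAIRS_RE.match(value.strip())
    if m:
        pairs = {}
        for pair in m.group("pairs").split(";"):
            key, sep, val = pair.partition("=")
            if not sep: raise ValueError(f"malformed key=value pair in reference: {value}")
            pairs[key.strip()] = val.strip()
        if "VaultName" not in pairs or "SecretName" not in pairs:
            raise ValueError(f"reference lacks VaultName/SecretName: {value}")
        return {"vault": f"{pairs['VaultName']}.vault.azure.net",
                "secret": pairs["SecretName"], "version": pairs.get("SecretVersion")}
    return None

def audit_app_settings(settings):
    """Split settings into references, literals, and literals that look like inline credentials."""
    references, literals, suspect = {}, {}, []
    for name, value in settings.items():
        ref = parse_key_vault_reference(value)
        if ref is not None:
            references[name] = ref
        else:
            literals[name] = value
            if _SECRET_HINT_RE.search(value):
                suspect.append(name)  # candidate to move into Key Vault and reference instead
    return references, literals, suspect

# Constructed sample app settings (vault, secret names and key value are made up).
SAMPLE_SETTINGS = {
    "DbConnectionString": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/DbConnectionString/)",
    "StorageKey": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=StorageKey;SecretVersion=0123456789abcdef0123456789abcdef)",
    "LegacyStorage": "DefaultEndpointsProtocol=https;AccountName=contoso;AccountKey=PLACEHOLDER_KEY",
    "ApiBaseUrl": "https://api.example.com",
}
```

Running `audit_app_settings(SAMPLE_SETTINGS)` reports the two references resolved to vault, secret name and optional version, and flags `LegacyStorage` as a setting that still carries its secret inline.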