21

Is there any point in using Azure Key Vault over App Configuration?

Yes, yes, I know - they are complementary: Key Vault for secrets, App Config for... well, app config.

But, considering they are both encrypted, basically for someone to see either a secret or a config value they'd have to have access to your Azure portal (this is a low-level bad guy scenario).

The ONLY difference I see is that you can control permissions differently between the vault and config but apart from that if someone unauthorized has access to your portal you've got bigger problems.

So, why? And please only good and real arguments, no "because you should" or "because person X said so". What benefits would I reap with Key Vault that I don't have with App Config?

Tessaract

Comments:

  • Key Vault is designed for keeping secrets in general, which could be used for a variety of reasons, whereas App Configuration is for keeping the application's configuration and settings. It is generally a good idea to keep non-sensitive application settings such as endpoint locations, sizing, flags etc. in the configuration, which can be accessed by various people to monitor and support the production system. Key Vault could be a more secure place for keeping the sensitive information, encryption keys, certificates etc. which need protection. – Sujit Singh May 27 '21 at 12:46
  • App Configuration is a global resource for all your web apps (KV is region focused). Zero downtime on reconfig and higher performance than KV. Also App Config is focused on distributed applications. – Juanma Feliu May 27 '21 at 13:37
  • I appreciate this question, because I believe Microsoft's articles do not address this question head-on in a comparison table. – Michael R Feb 18 '22 at 23:46

2 Answers

14

I appreciate your question. I'd re-phrase it to this:

Q) How are Key Vault and App Configuration designed differently, supporting different purposes? And where can I find a clear comparison table of features and benefits?

I also appreciate your aside:

please only good and real arguments no "because you should" or "because person X said so", what benefits would I reap with key vault that I don't have with app config?

Here is what I found to understand benefits as a contrast:

Article 1: What is Azure App Configuration?

App Configuration complements Azure Key Vault, which is used to store application secrets. App Configuration makes it easier to implement the following scenarios:

  • Centralize management and distribution of hierarchical configuration data for different environments and geographies
  • Dynamically change application settings without the need to redeploy or restart an application
  • Control feature availability in real-time

Article 2: Key management with Key Vault

Without proper protection and management of the keys, encryption is rendered useless. Key Vault is the Microsoft-recommended solution for managing and controlling access to encryption keys used by cloud services. Permissions to access keys can be assigned to services or to users through Azure Active Directory accounts.

Key Vault relieves organizations of the need to configure, patch, and maintain hardware security modules (HSMs) and key management software. When you use Key Vault, you maintain control. Microsoft never sees your keys, and applications don't have direct access to them. You can also import or generate keys in HSMs.

Article 3: Azure Key Vault recovery management with soft delete and purge protection

Soft delete and purge protection are two different key vault recovery features.

Michael R

8

I think you should not neglect the fact that someone who has the configuration of your App Service can see the secrets. A developer of your company could have access to a production App Service for bug investigation, but it should not mean he has access to production secrets. The fact of having a single employee's laptop (with access to the Azure Portal) hacked should not necessarily mean "access to every secret of your application".

But apart from the above (which you already know), the differences I see are:

  • Better governance and access monitoring: you have logs to see who tries to access each secret, when and how, something you cannot do in an App Service
  • Better secret management: all secrets are stored in one place, so you only modify them in Key Vault once instead of on each App Service configuration when some secrets are shared by (used by) multiple App Services
  • Some advanced mechanisms like recovery management and purge protection
  • Better development experience: when debugging an app, if your user has access to the Key Vault he can just run the app, which will load secrets from Key Vault into configuration, instead of manually copying secrets from Azure app settings locally
TechWatching
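The scenarios the two answers describe (settings centralized in App Configuration, secrets resolved from Key Vault through the app's own identity rather than copied into App Service settings, refresh without a restart, feature flags) fit together in a single startup file. The following ASP.NET Core `Program.cs` is an added example written for this page; it is not code from either answer or from the Microsoft articles quoted above. It assumes the NuGet packages Azure.Identity, Microsoft.Azure.AppConfiguration.AspNetCore and Microsoft.FeatureManagement.AspNetCore, an environment variable APP_CONFIG_ENDPOINT holding the store's endpoint, and that the store contains a key `Sentinel`, a key `Storage:ConnectionString` stored as a Key Vault reference, and a feature flag `BetaCheckout`; those three names are made up for the example.

```csharp
// Added example (not from the question, the answers, or the quoted articles):
// ASP.NET Core startup that reads settings from Azure App Configuration and
// resolves the Key Vault references stored there, so no secret value is ever
// placed in App Service application settings.
// Assumed packages: Azure.Identity, Microsoft.Azure.AppConfiguration.AspNetCore,
//                   Microsoft.FeatureManagement.AspNetCore
// Assumed environment variable: APP_CONFIG_ENDPOINT (https://<store>.azconfig.io)
using Azure.Identity;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;
using Microsoft.FeatureManagement;

var builder = WebApplication.CreateBuilder(args);

// One identity for both stores: the App Service managed identity in Azure,
// the developer's own sign-in when run locally. Least privilege on that identity:
// "App Configuration Data Reader" on the store, "Key Vault Secrets User" on the vault.
var credential = new DefaultAzureCredential();
var endpoint = new Uri(builder.Configuration["APP_CONFIG_ENDPOINT"]
    ?? throw new InvalidOperationException("APP_CONFIG_ENDPOINT is not set"));

builder.Configuration.AddAzureAppConfiguration(options =>
{
    options.Connect(endpoint, credential)
           // Load unlabeled keys first, then let keys labeled with the current
           // environment (Development, Production, ...) override them.
           .Select(KeyFilter.Any, LabelFilter.Null)
           .Select(KeyFilter.Any, builder.Environment.EnvironmentName)
           // Key Vault references in the store are resolved with the same identity.
           // The App Service configuration only ever holds the reference URI;
           // each resolution is a read against the vault and appears in its logs.
           .ConfigureKeyVault(kv =>
           {
               kv.SetCredential(credential);
               // Re-read secrets periodically so a rotated secret is picked up.
               kv.SetSecretRefreshInterval(TimeSpan.FromHours(1));
           })
           // Dynamic refresh: changing the made-up "Sentinel" key in the store
           // reloads every setting without redeploying or restarting the app.
           .ConfigureRefresh(refresh =>
           {
               refresh.Register("Sentinel", refreshAll: true)
                      .SetCacheExpiration(TimeSpan.FromMinutes(5));
           })
           // Feature flags defined in the store drive IFeatureManager below.
           .UseFeatureFlags();
});

// Middleware that triggers the refresh check on incoming requests.
builder.Services.AddAzureAppConfiguration();
builder.Services.AddFeatureManagement();

var app = builder.Build();
app.UseAzureAppConfiguration();

app.MapGet("/health", async (IConfiguration config, IFeatureManager features) =>
{
    // "Storage:ConnectionString" (made-up key) is a Key Vault reference in the
    // store; the provider has already replaced it with the secret value.
    // Report only whether it resolved, never the value itself.
    var secretResolved = !string.IsNullOrEmpty(config["Storage:ConnectionString"]);
    var betaCheckout = await features.IsEnabledAsync("BetaCheckout");
    return Results.Ok(new { secretResolved, betaCheckout });
});

app.Run();
```

With this layout the App Service settings contain no secret at all, which is the separation the second answer argues for: a developer granted access to the App Service configuration sees only the reference URI, the secret itself is readable only by identities holding a Key Vault role, and every read of it is recorded on the vault side rather than being invisible as it would be for a value pasted into app settings.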