
Azure - Connection String in Key Vault vs Application Settings


Problem

For Azure Functions and WebJobs, is there any benefit to putting connection strings as Secrets in Key Vault instead of putting them directly in Application Settings (and referencing them using ConfigurationManager.ConnectionStrings)? Are Azure Key Vault Secrets primarily meant for VMs and such rather than Azure Functions and WebJobs?

It seems like it's just adding an extra step in both development (update the Secret in Key Vault and the Secret Identifier in Application Settings) and an extra step in runtime (an additional retrieval from Key Vault), with the only benefit being that the Secret in the Application Settings is an identifier instead of the actual Secret. I don't see the security benefit here, whereas there are detriments.

Solution

The benefits as I see them are the general reasons to use Azure Key Vault:

  • Secrets are centrally stored with options for authorization, auditing, etc.
  • Azure can be scripted to update the secrets on a timer - so in case a connection string gets into the wrong hands, it is only valid for a day (or a week, or whatever)
  • In case the secret is shared between multiple applications, you only have to update it in one place (not the greatest benefit, but still nice)

Context

StackExchange DevOps Q#3702, answer score: 9
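
An added example, not part of the original question or answer: a small audit over exported application settings that separates inline connection-string secrets from Key Vault references, and flags references pinned to a secret version, since a pinned reference has to be edited in Application Settings on every rotation while an unversioned one follows the latest version. The input shape (a JSON list of `name`/`value` objects, as `az functionapp config appsettings list` prints), the credential-key heuristic and all sample values are assumptions made for the illustration.

```python
import json
import re

# Key Vault reference syntax accepted in App Service / Functions app settings.
KV_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.+)\)$")
# Heuristic (assumption): keys that usually carry a credential in a connection string.
INLINE_SECRET = re.compile(r"(?i)\b(password|pwd|accountkey|sharedaccesskey)\s*=")


def classify(value):
    """Return 'kv-latest', 'kv-pinned', 'inline-secret' or 'plain'."""
    m = KV_REF.match(value.strip())
    if not m:
        return "inline-secret" if INLINE_SECRET.search(value) else "plain"
    parts = dict(p.split("=", 1) for p in m.group("body").split(";") if "=" in p)
    if "SecretUri" in parts:
        # https://<vault>.vault.azure.net/secrets/<name>[/<version>]
        tail = parts["SecretUri"].split("/secrets/", 1)[-1].strip("/")
        return "kv-pinned" if "/" in tail else "kv-latest"
    return "kv-pinned" if parts.get("SecretVersion") else "kv-latest"


def audit(settings_json):
    """Map each setting name to its classification."""
    return {s["name"]: classify(s["value"]) for s in json.loads(settings_json)}


# Constructed sample; every name, vault and value below is made up.
SAMPLE = json.dumps([
    {"name": "SqlDirect", "value": "Server=tcp:example.database.windows.net;User ID=app;Password=EXAMPLE-ONLY"},
    {"name": "SqlLatest", "value": "@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/SqlConn/)"},
    {"name": "SqlPinned", "value": "@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/SqlConn/0123456789abcdef)"},
    {"name": "QueueByName", "value": "@Microsoft.KeyVault(VaultName=example-vault;SecretName=QueueConn)"},
    {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "dotnet"},
])

if __name__ == "__main__":
    for name, kind in audit(SAMPLE).items():
        print(f"{kind:14} {name}")
```

Settings reported as `inline-secret` are the ones readable by anyone who can view the app's configuration; `kv-pinned` entries are the case the question describes, where both the vault and the setting must be updated.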
