Designing Approach to Loading Application Secrets with Azure Key Vault | Azure Exam AZ-204

Designing Approach to Loading Application Secrets

Question

You have an application that includes an Azure Web app and several Azure Function apps.

Application secrets including connection strings and certificates are stored in Azure Key Vault.

Secrets must not be stored in the application or application runtime environment.

Changes to Azure Active Directory (Azure AD) must be minimized.

You need to design the approach to loading application secrets.

What should you do?

Answer

C. Create a system assigned Managed Identity in each App Service with permission to access Key Vault.

Explanation

Use Key Vault references for App Service and Azure Functions. A Key Vault reference is an app setting whose value points at a secret in the vault; App Service resolves it at startup using the app's managed identity, so the secret value is never written into the app's own configuration and no credential for reaching the vault has to be stored in the runtime.

When this question was written, Key Vault references could only be resolved with a system-assigned managed identity. User-assigned identities have since been supported by setting the app's keyVaultReferenceIdentity property, but the system-assigned identity still requires the fewest Azure AD changes: its service principal is created and deleted with the app, and the only step left for the administrator is granting it access to the vault (a Key Vault access policy or the Key Vault Secrets User RBAC role).

https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references

To design an approach for loading application secrets, it is necessary to ensure that secrets are not stored in the application or the runtime environment. Azure Key Vault is used to store secrets such as connection strings and certificates, and it provides a secure way to access secrets at runtime.

There are different ways to load application secrets from Azure Key Vault, and each option has its own advantages and limitations. Here are the options provided in the question, along with their explanations:

A. Create a single user-assigned Managed Identity with permission to access Key Vault and configure each App Service to use that Managed Identity. A user-assigned managed identity is a standalone Azure resource, backed by its own Azure AD service principal, that can be attached to any number of apps. It centralizes the identity (one principal to authorize against the vault) rather than the secrets, and it keeps no credential in the runtime, but it is an additional Azure AD object to create and maintain, and Key Vault references originally could not be resolved with it.

B. Create a single Azure AD Service Principal with permission to access Key Vault and use a client secret from within the App Services to access Key Vault. This requires an app registration in Azure AD and a client secret that each app must hold, typically in an app setting, in order to authenticate. That client secret is itself a secret stored in the runtime environment, which is exactly what the requirements forbid; it also expires and must be rotated, and anyone who can read the app's configuration can use it to impersonate the service principal against the vault.

C. Create a system assigned Managed Identity in each App Service with permission to access Key Vault. Enabling the system-assigned identity on each Web App and Function App creates a service principal that Azure manages and deletes together with the app. No credential is ever issued to the application code; the only remaining step is granting each identity access to the vault. Combined with Key Vault references, secrets are pulled from the vault at startup and never stored in the app. The cost is one identity per app to authorize.

D. Create an Azure AD Service Principal with Permissions to access Key Vault for each App Service and use a certificate from within the App Services to access Key Vault. This requires an app registration per app plus a certificate that each app must hold to authenticate. A certificate credential is stronger than a client secret, but its private key is still a secret stored in the runtime, and this option creates the most Azure AD objects to create, rotate and maintain.

Option C is the best choice because it satisfies both constraints: no secret or credential is stored in the application or its runtime, and the Azure AD changes are limited to the service principals Azure creates automatically when the identities are enabled. Option A also avoids storing a credential but adds a separately managed identity. Options B and D fail the first requirement outright, because the client secret or certificate used to reach Key Vault is itself a secret held by the application, and both require app registrations in Azure AD.
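As an added example, not from the original page or from Microsoft's documentation, the Python below parses both Key Vault reference syntaxes that App Service accepts (the SecretUri form and the VaultName;SecretName;SecretVersion form) and audits an export in the shape of `az webapp config appsettings list -o json` for settings that hold a literal secret instead of a reference, which is how option B's client secret would surface in a configuration review. The sample export is constructed for this example; the vault name contoso-kv, the secret names and the secret-name heuristic are assumptions.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# App Service and Azure Functions resolve an app setting of either form below at
# startup, using the app's managed identity, so the secret value itself is never
# written into the app's configuration:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version>)
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>;SecretVersion=<version>)
KV_REF_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")
SECRET_URI_RE = re.compile(
    r"^https://(?P<vault>[a-z0-9-]+)\.vault\.azure\.net/secrets/"
    r"(?P<name>[a-z0-9-]+)(?:/(?P<version>[0-9a-f]{32}))?/?$",
    re.IGNORECASE,
)
ALLOWED_KEYS = {"VaultName", "SecretName", "SecretVersion"}
# Setting names that should never carry a literal value (assumed heuristic, case-insensitive).
SECRET_NAME_HINTS = ("SECRET", "PASSWORD", "PWD", "CONNECTIONSTRING",
                     "CONNECTION_STRING", "APIKEY", "API_KEY", "TOKEN", "CERT")


@dataclass
class KeyVaultRef:
    vault: str
    secret: str
    version: Optional[str]


def parse_kv_reference(value: str) -> Optional[KeyVaultRef]:
    """Return the parsed reference, or None if value is not a well-formed Key Vault reference."""
    m = KV_REF_RE.match(value.strip())
    if not m:
        return None
    body = m.group("body")
    if body.startswith("SecretUri="):
        u = SECRET_URI_RE.match(body[len("SecretUri="):])
        if not u:
            return None
        return KeyVaultRef(u["vault"].lower(), u["name"], u["version"])
    parts: Dict[str, str] = {}
    for item in body.split(";"):
        if "=" not in item:
            return None
        key, val = item.split("=", 1)
        if key.strip() not in ALLOWED_KEYS:
            return None
        parts[key.strip()] = val.strip()
    if "VaultName" not in parts or "SecretName" not in parts:
        return None
    return KeyVaultRef(parts["VaultName"].lower(), parts["SecretName"], parts.get("SecretVersion"))


def kv_reference(vault: str, secret: str, version: Optional[str] = None) -> str:
    """Build the SecretUri form of a reference; omit the version to always resolve the latest secret."""
    uri = f"https://{vault}.vault.azure.net/secrets/{secret}/"
    if version:
        uri += version
    return f"@Microsoft.KeyVault(SecretUri={uri})"


def audit_app_settings(settings: List[Dict[str, object]]) -> List[str]:
    """Flag secret-looking settings that hold a literal value, and references App Service
    would fail to resolve. `settings` has the shape of `az webapp config appsettings list -o json`."""
    findings = []
    for s in settings:
        name, value = str(s["name"]), str(s["value"])
        ref = parse_kv_reference(value)
        if value.strip().startswith("@Microsoft.KeyVault(") and ref is None:
            findings.append(f"{name}: malformed Key Vault reference, will not resolve")
        elif ref is None and any(h in name.upper() for h in SECRET_NAME_HINTS):
            findings.append(f"{name}: literal secret value stored in app settings")
    return findings


# Constructed sample export (not real output); contoso-kv and the secret names are assumed.
# AZURE_CLIENT_SECRET is the option B pattern: a credential sitting in the runtime.
SAMPLE_SETTINGS = json.loads("""[
  {"name": "SqlConnectionString",
   "value": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/SqlConnectionString/)",
   "slotSetting": false},
  {"name": "StorageConnectionString",
   "value": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=StorageConnectionString;SecretVersion=ec96f02080254f109c51a1f14cdb1931)",
   "slotSetting": false},
  {"name": "AZURE_CLIENT_SECRET", "value": "Q~fake-client-secret-value", "slotSetting": false},
  {"name": "SigningCert",
   "value": "@Microsoft.KeyVault(SecretUri=contoso-kv/secrets/SigningCert)", "slotSetting": false},
  {"name": "WEBSITE_RUN_FROM_PACKAGE", "value": "1", "slotSetting": false}
]""")

if __name__ == "__main__":
    for finding in audit_app_settings(SAMPLE_SETTINGS):
        print(finding)
```

Run against the sample, the audit reports the literal AZURE_CLIENT_SECRET and the malformed SigningCert reference and passes the two well-formed references; pointing it at a real export is a quick check that a migration to option C actually removed every credential from the app settings.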