Isaac.

Azure Key Vault: Secrets Management

Store, rotate, and manage secrets securely with Azure Key Vault.

By EMEPublished: February 20, 2025
azurekey-vaultsecrets managementsecuritycloud

A Simple Analogy

Azure Key Vault is like a bank safe deposit box. You don't keep your valuables (passwords, keys, certificates) lying around; you store them in a secure, locked vault where only authorized people can access them. Azure Key Vault does this for your application secrets.

What Is Azure Key Vault?

Azure Key Vault is a cloud service that securely stores and manages secrets, keys, and certificates. It provides encryption, auditing, and access control to protect sensitive data.

Why Use Key Vault?

  • Central management: All secrets in one secure place
  • Encryption: Data encrypted at rest and in transit
  • Access control: Fine-grained permissions with RBAC
  • Auditing: Log all access attempts
  • Rotation: Automate secret rotation policies
  • Compliance: Meet regulatory requirements

Key Components

| Component | Purpose | |-----------|---------| | Secrets | Passwords, API keys, connection strings | | Keys | Cryptographic keys for encryption | | Certificates | SSL/TLS certificates |

Create and Access Secrets

Azure Portal

  1. Create Key Vault
  2. Add secret: Name = "ConnectionString", Value = "Server=..."
  3. Grant app access via RBAC

.NET Code

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var kvUri = "https://<vault-name>.vault.azure.net";
var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());

// Get secret
KeyVaultSecret secret = await client.GetSecretAsync("DbPassword");
string password = secret.Value;

// Set secret
await client.SetSecretAsync("ApiKey", "new-secret-value");

ASP.NET Core Integration

var builder = WebApplication.CreateBuilder(args);

// Add Key Vault
var keyVaultUrl = "https://<vault-name>.vault.azure.net";
builder.Configuration.AddAzureKeyVault(
    new Uri(keyVaultUrl),
    new DefaultAzureCredential());

builder.Services.AddScoped<IApiClient>(sp => 
    new ApiClient(builder.Configuration["ApiKey"]));

var app = builder.Build();

Best Practices

  1. Use Managed Identity: Let Azure authenticate apps automatically
  2. Rotate secrets regularly: Set rotation policies
  3. Audit access: Enable logging and monitor access
  4. Minimal permissions: Grant only required roles
  5. Separate vaults: Dev, staging, and production vaults

Practical Example

public class DataService
{
    private readonly SecretClient _secretClient;
    
    public DataService(SecretClient secretClient)
    {
        _secretClient = secretClient;
    }
    
    public async Task<string> GetConnectionStringAsync()
    {
        var secret = await _secretClient.GetSecretAsync("SqlConnectionString");
        return secret.Value.Value;
    }
}

Related Concepts to Explore

  • Azure Managed Identity
  • Azure App Configuration (for feature flags)
  • Certificate rotation policies
  • Azure Keyvault reference in App Configuration

Summary

Azure Key Vault provides secure, centralized management of secrets, keys, and certificates. Use it to keep sensitive data out of code and configuration files, ensuring compliance and security in cloud applications.