Storing Function app setting as Key Vault references vs as straight values?

I'm developing a function app that connects to AWS SDK via access key and secret key. Right now I'm storing them in the Application Settings as straight values.

Is there any sense for me to store them in Key Vault and put the references to them in Application Settings?

On the Azure website it says about Application Settings that "These settings are stored encrypted", so will it be much more secure to store them in Key Vault?

Is it a security concern to store access keys as straight values in Application Settings?



Solution 1:[1]

AFAIK,

You can store confidential settings such as access keys and connection settings in 3 places in Azure Functions cloud development.

They are:

  1. Azure Functions > Configuration Blade > Application Settings
  2. Azure Key Vault
  3. Azure App Configuration

Yes! The settings stored in both the Configuration blade and Key Vault are encrypted, which means they are encrypted when the app is idle and decrypted when the app starts. Also, the encryption and decryption keys change regularly, which protects against security threats.


Azure Key Vault:

Assume you have stored the Service Bus connection string in Key Vault and want to retrieve it in the Function App through Application Settings. In the app setting you can define it as:

"connection": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/RootManageSharedAccessKey_SERVICEBUS/)"

This Key Vault URI cannot be accessed by any other user until they are assigned System or User Assigned Managed Identity permission.


Azure App Configuration:

To manage application settings centrally, another good service is Azure App Configuration, which complements Azure Key Vault.

You can store application settings, access keys, and confidential certificate passwords in the App Configuration store and retrieve them in your application using the client library provided by Microsoft. For the methods of connecting your application in different languages/frameworks, refer here, and to use Azure App Configuration in Azure Functions, visit this Microsoft Doc.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 HariKrishnaRajoli-MT
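
An added example, not part of the original question or answer: a small audit that sorts a Function App's settings into Key Vault references, malformed references, and secret-looking names still held as straight values. It assumes the settings are exported as a JSON array of name/value objects (the shape `az functionapp config appsettings list` prints); the sample data, the name heuristic and the function names are constructed for illustration.

```python
import re

# The two reference forms App Service / Functions accept in an app setting:
#   @Microsoft.KeyVault(SecretUri=https://<vault-host>/secrets/<name>[/<version>])
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])
REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")
# Host suffix is not pinned: sovereign clouds use other vault domains.
SECRET_URI = re.compile(r"^https://[^/]+/secrets/[^/]+(/[^/]+)?/?$")
# Assumption: naming heuristic for settings that probably hold credentials.
SENSITIVE_NAME = re.compile(
    r"secret|password|pwd|token|connection|access_?key|api_?key", re.I)

def classify(name, value):
    """Return how one app setting is stored."""
    m = REF.match(value.strip())
    if m:
        body = m.group("body")
        if body.startswith("SecretUri="):
            ok = bool(SECRET_URI.match(body[len("SecretUri="):]))
        else:
            keys = {p.split("=", 1)[0] for p in body.split(";") if "=" in p}
            ok = ({"VaultName", "SecretName"} <= keys
                  <= {"VaultName", "SecretName", "SecretVersion"})
        # A reference that cannot be parsed is never resolved to a secret.
        return "keyvault-reference" if ok else "malformed-reference"
    return "plaintext-secret" if SENSITIVE_NAME.search(name) else "plain"

def audit(settings):
    """Map each setting name to its classification."""
    return {s["name"]: classify(s["name"], s["value"]) for s in settings}

# Constructed sample export; every value is a placeholder.
SAMPLE = [
    {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "python"},
    {"name": "AWS_ACCESS_KEY_ID", "value": "CONSTRUCTED-EXAMPLE-KEY-ID"},
    {"name": "AWS_SECRET_ACCESS_KEY",
     "value": "@Microsoft.KeyVault(VaultName=myvault;SecretName=aws-secret-key)"},
    {"name": "connection",
     "value": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net"
              "/secrets/RootManageSharedAccessKey_SERVICEBUS/)"},
    {"name": "DB_PASSWORD",
     "value": "@Microsoft.KeyVault(SecretUri=myvault/secrets/db)"},
]

if __name__ == "__main__":
    for name, kind in audit(SAMPLE).items():
        print(f"{kind:20} {name}")
```
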