What is the point of using Azure Key Vault instead of only App Configuration?

Question

Is there any point in using Azure Key Vault over App Configuration?

Yes, yes, I know - they are complimentary, key vault for secrets, app config for... well, app config.

But, considering they are both encrypted, basically for someone to see either a secret or a config value they'd have to have access to your azure portal (this is a low-level bad guy scenario).

The ONLY difference I see is that you can control permissions differently between the vault and config but apart from that if someone unauthorized has access to your portal you've got bigger problems.

So - why? and please only good and real arguments no "because you should" or "because person X said so", what benefits would I reap with key vault that I don't have with app config?

Answer 1

I think you should not neglect the fact that someone that have the configuration of your App Service can see the secrets. A developer of your company could have access a production App Service for bug investigation but it should not mean he has access to production secrets. The fact of having a single employee's laptop (with access to Azure Portal) hacked should not necessarily mean "access to every secret of your application".

But appart from (as you already know the above), what differences I see:

• Better governance and acess monitoring : you have logs to see who try to access each secret, when and how, something you cannot do in an App Service
• Better secret management: all secrets stored in one place, you only modify them in key vault once instead of on each app service configuration when some secrets are shared in (used by) multiple app services
• Some advanced mechanism like recovery management and purge protection
• Better development experience : when debugging an app, if your user has access to the keyvault he can just run the app that will load secrets from keyvault into configuration instead of manually copying secrets from azure app settings locally

Answer 2

1-Data stored in Azure Key Vault is encrypted (App Configuration is not)

2-If a person is associated with Contributor role, he/she can see the configurations in your App Configuration, on Key Vault, only allowed Principals.

3-You can rotate secrets stored in Azure Key Vault, and there won't be any downtime in your app (unless you're caching it on your App Service and need to restart it, in order to refresh the cache)

4-Azure Key Vault is the Microsoft recommended service to store Secrets, Keys and Certificates