I am doing some initial research and I am unable to find a clear answer for my problem. The plan is to have multiple environments (i.e. Dev, Prod, and QA). Would I need to have a new instance of Azure Key Vault for each environment, or would I just be able to share the data between them?

jdave

2 Answers

I would rather advise using separate Key Vault instances for the different environments. You can avoid "mixing" secrets across environments by mistake, and you have clear separation. Microsoft officially recommends this approach too:

Our recommendation is to use a vault per application per environment (Development, Pre-Production and Production).

You can read more in the official documentation.

Daniel Krzyczkowski
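A way to put the "one vault per application per environment" recommendation into practice, as an added example (not code from the answer above): each environment gets its own Key Vault, and each environment's managed identity is granted read access to that vault only, so a Dev workload has no path to Prod secrets. The application name, resource group, region and the principal ids are assumed placeholders.

```shell
#!/usr/bin/env sh
# Added example: one Key Vault per application per environment, with
# RBAC scoped so each environment's identity can only read its own vault.
# APP, RG and LOCATION are assumed values; principal ids are placeholders.
set -eu

APP="payments"            # assumed application name
RG="rg-${APP}"            # assumed resource group holding all three vaults
LOCATION="westeurope"     # assumed region

# Vault name per environment. Key Vault names must be 3-24 characters,
# letters/digits/hyphens, and globally unique; the environment suffix is
# what keeps Dev, QA and Prod secrets in separate vaults.
vault_name() {
  printf 'kv-%s-%s' "$1" "$2"
}

# Create the vault with Azure RBAC authorization (instead of per-vault
# access policies) and purge protection so deleted secrets are recoverable.
create_vault() {
  env="$1"
  az keyvault create \
    --name "$(vault_name "$APP" "$env")" \
    --resource-group "$RG" \
    --location "$LOCATION" \
    --enable-rbac-authorization true \
    --enable-purge-protection true \
    --tags "environment=$env" "application=$APP" \
    --output none
}

# Grant one environment's identity the built-in "Key Vault Secrets User"
# role on that environment's vault only. $2 is the managed identity's
# object (principal) id.
grant_secrets_user() {
  env="$1"; principal_id="$2"
  scope=$(az keyvault show --name "$(vault_name "$APP" "$env")" \
            --resource-group "$RG" --query id --output tsv)
  az role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" \
    --scope "$scope" \
    --output none
}

# Usage: provision_all "<dev-principal-id>" "<qa-principal-id>" "<prod-principal-id>"
provision_all() {
  for pair in "dev:$1" "qa:$2" "prod:$3"; do
    env="${pair%%:*}"; principal="${pair#*:}"
    create_vault "$env"
    grant_secrets_user "$env" "$principal"
  done
}
```

Because the role assignment is scoped to a single vault, a misconfigured Dev deployment that points at the Prod vault name fails authorization rather than silently reading Prod secrets.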

Multiple resources/entities can access a single Key Vault instance - provided they're all in the same location (data centre).

You may choose to segment your keys, secrets and certificates, either by placing them in different Key Vaults or by using different access methods/identities, however that's not necessary.

The only time you need a separate Key Vault instance is when the resources/entities accessing it are in another location (data centre/region).

It's worth noting that you don't need to worry too much about provisioning Disaster Recovery for resources using Key Vault, as the SLA Microsoft provides is unsurprisingly good: https://learn.microsoft.com/en-gb/azure/key-vault/key-vault-disaster-recovery-guidance. One caveat to that would be if you're running IaaS/PaaS instances and want to run a DR fail-over yourself to another data centre, at which point you'd need to manually migrate the keys/secrets/certificates in your main Key Vault into another instance (and re-point your VMs accordingly).

AndyHerb
    In this context, can a Key Vault of one Azure Subscription give permission to an Azure AD App of another Azure Subscription? Ex: We provide an interface to our distributed applications to interact from our Azure Subscription, while the client can manage their respective keys/secrets from their Key Vaults coming under their Azure Subscription. Is this scenario possible? – sm2mafaz Jan 12 '18 at 02:00
    I don't think it will be possible in that example, as the two AAD Apps would need to be in the same AAD tenant, at the very least, otherwise you've got no way to set the Vault's permissions. – AndyHerb Jan 12 '18 at 07:04
  • AAD Apps are accompanied by Service Principals. If you create an Application in AAD you get a Service Principal for that Application in that AAD too. However, you can also create a Service Principal in a different AAD tenant for the same application. That is the way that an Application in one AAD tenant can be assigned permissions on resources in a separate tenant. I can't see why this wouldn't be true of Key Vault permissions, but I've not tried it. – Josh Gallagher Mar 23 '20 at 12:11