
We are planning to use Azure Key Vault for securing the database connection string and other secrets, e.g. the Azure AD application secret and client ID.

But while fetching these values from Key Vault we need to provide the Azure AD client ID and secret to the API, and we end up setting these values in the application.json file.

What is the best way to securely store the Azure AD client ID and secret in Azure Key Vault? I know we can create a separate AD application and utilize that, but I want to avoid creating a new application.

arpan desai

1 Answer


You are using Key Vault to secure the client ID/secret, like you create a key (Key Vault) to access resources (client ID/secret) in a strongbox, but you need another key to use the Key Vault key.... That seems like an infinite loop. If that app is hosted on Azure (App Service), you could store the client ID/secret in App settings in the Application settings blade of the App Service. The Azure Web App configurations in the cloud will be injected into the config system at runtime. You will not set the configurations in system files (web.config), and Azure provides basic security protection.

Nan Yu
  • Yes, we have thought about this approach only. Thanks. – arpan desai Jun 08 '17 at 11:33
  • I find it a highly legitimate question. It's about how to bootstrap vault integration. I was asking myself this question for quite some time. So my follow-up questions for the Azure Key Vault are: Is the "App settings" area secure enough? Can secrets be retrieved by developers/operators in plain text? Or are those settings hidden on the Portal? Can devs/ops access it via API? Can Azure operators access these app settings? And if it is all very secure, why not just use app settings as the secret store, at least for the regular use cases, e.g. where key rollover is not required? Thanks. – Bernd Jan 09 '18 at 14:47
  • While doing some more research, I found https://stackoverflow.com/a/47250164/471722. This elaborates on some options for Azure based applications. – Bernd Jan 09 '18 at 15:19
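The bootstrap the answer above describes, and that the follow-up comment asks about (only the Azure AD bootstrap credential comes from App Service Application Settings, every other secret comes from Key Vault), written out as an added example. This is not code from the original question or answer. It assumes a .NET app using the Azure.Identity and Azure.Security.KeyVault.Secrets packages together with Microsoft.Extensions.Configuration; the setting names AzureAd__TenantId, AzureAd__ClientId, AzureAd__ClientSecret and KeyVault__Uri, and the secret name DbConnectionString, are assumed for illustration:

```csharp
// Added example, not part of the original Q&A.
// Assumed App Service Application Settings (injected as environment variables):
//   AzureAd__TenantId, AzureAd__ClientId, AzureAd__ClientSecret, KeyVault__Uri
// Assumed Key Vault secret name: DbConnectionString
// NuGet: Azure.Identity, Azure.Security.KeyVault.Secrets,
//        Microsoft.Extensions.Configuration.Json,
//        Microsoft.Extensions.Configuration.EnvironmentVariables
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;

public static class Program
{
    public static int Main()
    {
        // appsettings.json holds only non-secret settings. App Service exposes each
        // Application Setting as an environment variable; a "__" in the name maps to
        // ":" in the configuration path, so AzureAd__ClientId becomes AzureAd:ClientId.
        IConfiguration config = new ConfigurationBuilder()
            .AddJsonFile("appsettings.json", optional: true)
            .AddEnvironmentVariables()
            .Build();

        string tenantId     = Require(config, "AzureAd:TenantId");
        string clientId     = Require(config, "AzureAd:ClientId");
        string clientSecret = Require(config, "AzureAd:ClientSecret");
        string vaultUri     = Require(config, "KeyVault:Uri"); // e.g. https://<vault-name>.vault.azure.net/

        // The bootstrap credential is the only secret that lives outside the vault.
        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
        var client = new SecretClient(new Uri(vaultUri), credential);

        // Everything else (database connection string, other app secrets) is read from Key Vault.
        KeyVaultSecret dbSecret = client.GetSecret("DbConnectionString");
        string connectionString = dbSecret.Value;

        // Log the name and version, never the value.
        Console.WriteLine($"Fetched secret '{dbSecret.Name}' (version {dbSecret.Properties.Version}).");
        // ... open the database with connectionString ...
        return 0;
    }

    // Fail fast with a message that names the missing setting; a missing bootstrap
    // value is a deployment error, not something to fall back on silently.
    private static string Require(IConfiguration config, string key)
    {
        string value = config[key];
        if (string.IsNullOrEmpty(value))
        {
            throw new InvalidOperationException(
                $"Setting '{key}' is missing. Set it in the App Service Application Settings, not in appsettings.json.");
        }
        return value;
    }
}
```

If the settings are instead named AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET, Azure.Identity's DefaultAzureCredential reads them from the environment without any of the Require calls above. The same credential type also works on App Service with a managed identity enabled, in which case no client secret is stored anywhere and the bootstrap loop the answer describes disappears.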