-1

When using Key Vault or Secret Manager, is it assumed that the application is deployed on the cloud or on premises? My assumption is that we use Key Vault only if our application is being deployed to the cloud, where we need to avoid including the service ID, password, etc. in the build package.

Please can I ask for any proof or note about Key Vault and its usage scenarios?

2 Answers

2

we use Key Vault only if our application is being deployed to the cloud, where we need to avoid including the service ID, password, etc. in the build package

Yes, basically correct, but if you want, you can also use Key Vault when the app is deployed on-premises.

If by cloud here you mean Azure Web App/Function, you can also use the Key Vault references feature to store your secret/password/etc. It can hide your values in app settings, and it uses MSI (managed identity) to access Azure Key Vault automatically.

Generally, you can store secrets/keys/certificates in the Key Vault, add your client to the access policy of the Key Vault, and then you can use it to access the Key Vault from anywhere.

For more details, see - https://learn.microsoft.com/en-us/azure/key-vault/general/overview#why-use-azure-key-vault

Joy Wang
  • 39,905
  • 3
  • 30
  • 54
2

There is no assumption about the location of the Key Vault clients; they may be in Azure, on-premises, or even in other clouds.

The advantages of using Key Vault in Azure are the security aspects:

  1. Managing access to the Key Vault without using a client id/secret
  2. Locking down access to the Key Vault by using a VNet

However, a Key Vault accessed from on-prem may be made more secure by the following:

  1. Requiring the service principal to use a client certificate for access token retrieval. This eliminates the possibility of the client secret being compromised. The client certificate can also be tied to the on-prem machines by making the private key unexportable.

  2. Setting the IP restrictions on the Key Vault.

Matt Small
  • 2,182
  • 1
  • 10
  • 16
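As an added illustration of the points made in both answers (not code from either answerer), this Bicep template deploys a Key Vault whose access policy admits an Azure web app's managed identity and an on-prem, certificate-authenticated service principal, and whose network rules allow only the app's subnet and one on-prem egress IP. The principal object ids, subnet id and IP address are placeholder parameters you supply.

```bicep
// Added example: a Key Vault locked down as the answers describe (not the answerers' code).
param location string = resourceGroup().location
param vaultName string
// Object id of the web app's system-assigned managed identity (placeholder)
param appIdentityObjectId string
// Object id of the on-prem service principal that authenticates with a client certificate (placeholder)
param onPremPrincipalObjectId string
// Resource id of the app's VNet-integration subnet; it needs the Microsoft.KeyVault service endpoint
param appSubnetId string
// Fixed public egress address of the on-prem site (documentation-range placeholder)
param onPremEgressIp string = '203.0.113.10/32'

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enablePurgeProtection: true
    // Data-plane authorization: which identities may do what (answer 1's "access policy")
    accessPolicies: [
      {
        // Cloud client: managed identity, so no client id/secret ships in the build package
        tenantId: subscription().tenantId
        objectId: appIdentityObjectId
        permissions: { secrets: [ 'get', 'list' ] }
      }
      {
        // On-prem client: service principal limited to reading secrets
        tenantId: subscription().tenantId
        objectId: onPremPrincipalObjectId
        permissions: { secrets: [ 'get' ] }
      }
    ]
    // Network restrictions (answer 2's VNet and IP rules): deny by default, then an explicit allow-list
    networkAcls: {
      defaultAction: 'Deny'          // the permissive default is 'Allow'
      bypass: 'AzureServices'
      virtualNetworkRules: [ { id: appSubnetId } ]
      ipRules: [ { value: onPremEgressIp } ]
    }
  }
}
```

With `defaultAction: 'Deny'`, a request from any address outside the listed subnet and IP is rejected at the network layer before the caller's token is even evaluated, which is the layering the second answer recommends.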