System Design (HLD)Secrets Management Tools

Secrets Management Tools

LevelAdvanced

Duration90 mins

TopicSecrets Management Tools

3 / 5

Azure Key Vault

Microsoft's Unified Secrets, Keys, and Certificates Service

Azure Key Vault takes a distinctively comprehensive approach to cloud security by unifying three critical security domains: secrets management, cryptographic key management, and certificate lifecycle management. This convergence reflects Microsoft's enterprise-focused philosophy—providing a single service that addresses the security needs of complex, hybrid organizations.

Unlike services that focus solely on secrets, Azure Key Vault positions itself as a complete cryptographic services platform. From storing database passwords to managing SSL certificates to providing encryption-as-a-service with hardware-backed keys, Key Vault serves as the cryptographic foundation for Azure workloads.

What You Will Learn

By the end of this page, you will understand Azure Key Vault's architecture, the differences between Standard and Premium tiers, how to leverage managed identities for secure access, certificate management capabilities, and integration patterns across Azure services. You'll be equipped to design Key Vault solutions for enterprise Azure deployments.

Azure Key Vault Fundamentals

Azure Key Vault manages three distinct types of cryptographic objects, each with its own API surface and management capabilities:

1. Secrets — Arbitrary strings up to 25KB (API keys, passwords, connection strings)

2. Keys — Cryptographic keys for encryption, signing, and wrapping operations

3. Certificates — X.509 certificates with private key management and lifecycle automation

This unified approach allows organizations to consolidate their cryptographic infrastructure rather than managing separate systems for each function.

Key Vault Object Types
Object Type	Use Cases	Size Limit	Operations
Secrets	Passwords, connection strings, API keys	25KB	Get, Set, Delete, List, Backup, Restore
Keys	Encryption, signing, key wrapping	RSA 2048-4096, EC P-256/384/521	Encrypt, Decrypt, Sign, Verify, Wrap, Unwrap
Certificates	TLS certificates, code signing	Based on key type	Import, Create, Renew, Policy management

Vault Architecture:

Each Key Vault is a dedicated, isolated container with its own URI and access policies. Key Vaults are regional resources but can be replicated to paired regions for disaster recovery:

Vault Name: Globally unique (e.g., mycompany-prod-kv)
Vault URI: https://{vault-name}.vault.azure.net
API Endpoints: Separate endpoints for secrets, keys, and certificates
Soft Delete: 7-90 day retention before permanent deletion (enabled by default)
Purge Protection: Optional immutability preventing early permanent deletion

Vault Isolation Strategy

Create separate Key Vaults per environment and application tier: 'prod-payments-kv', 'prod-api-kv', 'staging-payments-kv'. This provides blast radius containment, simplified access policies, and clearer cost allocation. Don't create one vault for all secrets—isolation improves security posture.

Standard vs Premium Tiers - HSM Protection

Azure Key Vault offers two service tiers that differ primarily in how cryptographic keys are protected:

Standard Tier:

Keys protected by software in hardened, FIPS 140-2 Level 1 validated modules
Suitable for most applications
Lower cost per operation

Premium Tier:

Keys protected by FIPS 140-2 Level 3 validated Hardware Security Modules (HSMs)
Required for strict compliance (PCI DSS, HIPAA, FedRAMP High)
Keys never leave the HSM boundary

Tier Comparison
Aspect	Standard	Premium
Key Protection	Software (FIPS 140-2 Level 1)	HSM (FIPS 140-2 Level 3)
Secret Storage	Software encryption	Software encryption
Certificate Storage	Software protection	HSM for private keys (optional)
Compliance	SOC, ISO, HIPAA	PCI DSS, FedRAMP High, HIPAA
Pricing (secrets)	$0.03/10K operations	$0.03/10K operations
Pricing (HSM keys)	N/A	$1/key/month + ops
Key Operations	$0.03/10K	$0.03/10K (software) / $0.15/10K (HSM)

Choosing the Right Tier:

Use Standard When

•Storing application secrets (passwords, API keys)
•Software-protected encryption keys are acceptable
•No specific HSM compliance requirements
•Cost optimization is a priority
•Development and testing environments

Use Premium When

•Regulatory compliance requires HSM protection
•PCI DSS scope includes cryptographic keys
•You need Bring Your Own Key (BYOK) capability
•Financial or healthcare applications
•Production systems handling sensitive data

Secrets Are Always Software-Protected

Even in Premium tier, secrets (text strings) are software-protected. HSM protection only applies to cryptographic keys. If you store a secret and then use an HSM key to add another layer of encryption, that's your application's responsibility. Key Vault's Premium tier doesn't automatically HSM-protect secrets.

Access Control Models

Azure Key Vault historically offered Vault Access Policies and has since introduced Azure RBAC as the recommended access control model. Understanding both is essential as existing deployments may use either.

Azure RBAC (Role-Based Access Control) - Recommended:

Uses Azure's native RBAC system with built-in and custom roles assigned at the vault, secret, key, or certificate level.

Access Control Configuration
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# Create a Key Vault with RBAC authorization
az keyvault create \
    --name "prod-myapp-kv" \
    --resource-group "rg-myapp" \
    --location "eastus" \
    --enable-rbac-authorization true \
    --enable-soft-delete true \
    --retention-days 90 \
    --enable-purge-protection true
 
# Assign built-in roles
 
# Key Vault Administrator - Full management
az role assignment create \
    --role "Key Vault Administrator" \
    --assignee "admin@company.com" \
    --scope "/subscriptions/{sub}/resourceGroups/rg-myapp/providers/Microsoft.KeyVault/vaults/prod-myapp-kv"
 
# Key Vault Secrets User - Read secrets only
az role assignment create \
    --role "Key Vault Secrets User" \
    --assignee "8a5c1234-5678-90ab-cdef-1234567890ab" \  # App's managed identity
    --scope "/subscriptions/{sub}/resourceGroups/rg-myapp/providers/Microsoft.KeyVault/vaults/prod-myapp-kv"
 
# Key Vault Crypto User - Cryptographic operations only
az role assignment create \
    --role "Key Vault Crypto User" \
    --assignee "service-principal-id" \
    --scope "/subscriptions/{sub}/resourceGroups/rg-myapp/providers/Microsoft.KeyVault/vaults/prod-myapp-kv/keys/encryption-key"
 
# Built-in Key Vault roles:
# - Key Vault Administrator: Full access to all objects
# - Key Vault Reader: Read vault metadata only
# - Key Vault Secrets Officer: Manage secrets (CRUD)
# - Key Vault Secrets User: Read secrets
# - Key Vault Crypto Officer: Manage keys (CRUD)
# - Key Vault Crypto User: Perform crypto operations
# - Key Vault Certificates Officer: Manage certificates (CRUD)

RBAC vs Access Policies Comparison:

Access Control Model Comparison
Aspect	Vault Access Policies	Azure RBAC
Granularity	Vault level only	Vault, individual secret/key/cert level
Inheritance	None	Inherits from resource group/subscription
Condition Support	No	Yes (attribute-based conditions)
Azure Integration	Key Vault specific	Unified with all Azure resources
Audit	Key Vault logs only	Azure Activity Log + Key Vault logs
Maximum policies	1024 per vault	Unlimited via role assignments

Migrate to Azure RBAC

For new deployments, always use Azure RBAC. For existing vaults with access policies, plan migration to RBAC for better granularity, unified management, and conditional access support. Note that you cannot use both models simultaneously on the same vault.

Managed Identities - The Azure Way

Managed identities represent Azure's solution to the credential bootstrapping problem—how do applications authenticate to Key Vault without having a secret to get secrets? Managed identities provide an automatically managed identity in Azure AD that applications can use to authenticate.

Types of Managed Identities:

System-Assigned — Tied to a specific Azure resource; deleted when resource is deleted
User-Assigned — Independent resource that can be assigned to multiple resources; lifecycle managed separately

Managed Identity Setup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# Enable system-assigned managed identity on an App Service
az webapp identity assign \
    --name "mywebapp" \
    --resource-group "rg-myapp"
 
# Output includes the principal ID
# {
#   "principalId": "8a5c1234-5678-90ab-cdef-1234567890ab",
#   "tenantId": "12345678-1234-1234-1234-123456789012",
#   "type": "SystemAssigned"
# }
 
# Grant the managed identity access to Key Vault
az role assignment create \
    --role "Key Vault Secrets User" \
    --assignee "8a5c1234-5678-90ab-cdef-1234567890ab" \
    --scope "/subscriptions/{sub}/resourceGroups/rg-myapp/providers/Microsoft.KeyVault/vaults/prod-myapp-kv"
 
# Create a user-assigned managed identity (reusable across resources)
az identity create \
    --name "myapp-identity" \
    --resource-group "rg-myapp" \
    --location "eastus"
 
# Assign to multiple resources
az vm identity assign \
    --name "myvm" \
    --resource-group "rg-myapp" \
    --identities "/subscriptions/{sub}/resourceGroups/rg-myapp/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myapp-identity"
 
az aks update \
    --name "myaks" \
    --resource-group "rg-myapp" \
    --assign-identity "/subscriptions/{sub}/resourceGroups/rg-myapp/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myapp-identity"

DefaultAzureCredential Chain

DefaultAzureCredential tries multiple authentication methods in order: environment variables, managed identity, Azure CLI, Visual Studio, and more. This enables the same code to work in development (using your Azure CLI login) and production (using managed identity) without any changes.

Certificate Management

Azure Key Vault's certificate management capabilities distinguish it from many competitors. Beyond simple storage, Key Vault can manage the entire certificate lifecycle including automatic renewal with integrated Certificate Authorities.

Certificate Capabilities:

Certificate Features

•Integrated CAs — Direct integration with DigiCert and GlobalSign for automatic certificate issuance and renewal
•Self-Signed Certificates — Generate self-signed certificates for development and internal services
•Certificate Import — Import existing PFX/PEM certificates with private keys
•Automatic Renewal — Configure certificates to auto-renew before expiration
•Version History — Track certificate versions; roll back if needed
•Private Key Protection — Store private keys HSM-protected (Premium tier)

Certificate Operations
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# Create a self-signed certificate
az keyvault certificate create \
    --vault-name "prod-myapp-kv" \
    --name "myapp-tls-cert" \
    --policy "$(az keyvault certificate get-default-policy)"
 
# Create certificate with custom policy
cat > cert-policy.json << 'EOF'
{
  "issuerParameters": {
    "name": "Self"
  },
  "keyProperties": {
    "exportable": true,
    "keySize": 4096,
    "keyType": "RSA",
    "reuseKey": false
  },
  "secretProperties": {
    "contentType": "application/x-pkcs12"
  },
  "x509CertificateProperties": {
    "keyUsage": ["digitalSignature", "keyEncipherment"],
    "subject": "CN=myapp.example.com",
    "subjectAlternativeNames": {
      "dnsNames": ["myapp.example.com", "api.myapp.example.com"]
    },
    "validityInMonths": 12
  },
  "lifetimeActions": [
    {
      "action": { "actionType": "AutoRenew" },
      "trigger": { "daysBeforeExpiry": 30 }
    }
  ]
}
EOF
 
az keyvault certificate create \
    --vault-name "prod-myapp-kv" \
    --name "myapp-tls-cert" \
    --policy @cert-policy.json
 
# Import an existing certificate
az keyvault certificate import \
    --vault-name "prod-myapp-kv" \
    --name "imported-cert" \
    --file "certificate.pfx" \
    --password "pfx-password"
 
# Configure integrated CA (DigiCert example)
az keyvault certificate issuer create \
    --vault-name "prod-myapp-kv" \
    --issuer-name "DigiCertCA" \
    --provider-name "DigiCert" \
    --account-id "DigiCert-Account-ID" \
    --password "DigiCert-API-Key"
 
# Create certificate from integrated CA
az keyvault certificate create \
    --vault-name "prod-myapp-kv" \
    --name "public-cert" \
    --policy "$(cat ca-cert-policy.json)"  # Policy with issuer set to DigiCertCA

App Service Certificate Integration

For App Service TLS certificates, use App Service Certificates feature which integrates with Key Vault. Certificates stored in Key Vault are automatically available to App Services in the same subscription with proper RBAC. Configure App Service to reference Key Vault certificate by secret URI.

Azure Service Integrations

Key Vault integrates deeply with Azure services, enabling secrets injection, encryption key references, and certificate usage without managing credentials in application code.

Service Integration Examples
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
// App Service configuration - appsettings linked to Key Vault
{
  "properties": {
    "siteConfig": {
      "appSettings": [
        {
          "name": "DatabaseConnectionString",
          "value": "@Microsoft.KeyVault(VaultName=prod-myapp-kv;SecretName=db-connection-string)"
        },
        {
          "name": "ApiKey",
          "value": "@Microsoft.KeyVault(SecretUri=https://prod-myapp-kv.vault.azure.net/secrets/api-key/)"
        },
        {
          "name": "ApiKeyWithVersion",
          "value": "@Microsoft.KeyVault(SecretUri=https://prod-myapp-kv.vault.azure.net/secrets/api-key/abc123version)"
        }
      ]
    }
  }
}
 
// App Service must have:
// 1. System-assigned managed identity enabled
// 2. Key Vault Secrets User role on the vault
// 3. Key Vault firewall allowing App Service access (or private endpoint)
 
// Azure CLI setup:
// az webapp config appsettings set --name mywebapp --resource-group rg-myapp \
//   --settings "DatabaseConnectionString=@Microsoft.KeyVault(VaultName=prod-myapp-kv;SecretName=db-connection-string)"

Private Endpoints for Network Isolation

For production workloads, configure Key Vault with private endpoints. This ensures traffic between your Azure resources and Key Vault traverses the Azure backbone network rather than the public internet. Combine with service endpoints or firewall rules to deny public access entirely.

Backup, Recovery, and Disaster Recovery

Azure Key Vault provides multiple mechanisms for data protection and disaster recovery. Understanding these capabilities is essential for designing resilient secrets infrastructure.

Built-in Protection:

Protection Mechanisms

•Soft Delete — Deleted vaults and objects retained for 7-90 days; recoverable during retention period
•Purge Protection — Prevents permanent deletion during retention period; cannot be disabled once enabled
•Automatic Geo-Replication — Vault contents replicated to Azure paired region (read-only during failover)
•Object Versioning — Previous versions of secrets, keys, and certificates retained

Backup and Recovery
Azure CLI
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
# Enable soft delete and purge protection (required for production)
az keyvault update \
    --name "prod-myapp-kv" \
    --enable-soft-delete true \
    --retention-days 90 \
    --enable-purge-protection true
 
# Backup individual secrets (encrypted blob)
az keyvault secret backup \
    --vault-name "prod-myapp-kv" \
    --name "database-password" \
    --file "database-password.backup"
 
# Backup a key
az keyvault key backup \
    --vault-name "prod-myapp-kv" \
    --name "encryption-key" \
    --file "encryption-key.backup"
 
# Backup a certificate
az keyvault certificate backup \
    --vault-name "prod-myapp-kv" \
    --name "tls-cert" \
    --file "tls-cert.backup"
 
# Restore to same or different vault (same tenant only!)
az keyvault secret restore \
    --vault-name "recovery-vault" \
    --file "database-password.backup"
 
# Recover soft-deleted vault
az keyvault recover --name "deleted-vault" --location "eastus"
 
# Recover soft-deleted secret
az keyvault secret recover \
    --vault-name "prod-myapp-kv" \
    --name "accidentally-deleted-secret"
 
# List deleted vaults and secrets
az keyvault list-deleted
az keyvault secret list-deleted --vault-name "prod-myapp-kv"
 
# Purge (permanently delete) - only if purge protection not enabled
az keyvault secret purge --vault-name "prod-myapp-kv" --name "old-secret"

Disaster Recovery Strategy:

DR Options
Scenario	Mechanism	RTO/RPO
Accidental deletion	Soft delete recovery	Minutes / 0 data loss
Region outage	Automatic paired region failover	Minutes / Near 0
Tenant/subscription loss	Backup restoration to new tenant	Hours / Last backup
Ransomware/corruption	Purge protection + versioning	Minutes / 0 data loss

Backup Limitations

Key Vault backups can only be restored to vaults in the same Azure subscription AND geographic region. For cross-region or cross-subscription disaster recovery, you must maintain secrets in multiple vaults. Backup files are encrypted and tied to the source Azure AD tenant.

Summary: Azure Key Vault Mastery

Azure Key Vault provides a comprehensive platform for secrets, keys, and certificates management within the Azure ecosystem. Let's consolidate the key concepts:

Key Takeaways

•Unified platform — Secrets, cryptographic keys, and certificates in a single service with consistent management
•HSM protection available — Premium tier offers FIPS 140-2 Level 3 HSM for keys meeting strict compliance requirements
•Azure RBAC preferred — Modern access control with granularity down to individual secrets; migrate from legacy access policies
•Managed identities eliminate credentials — System-assigned or user-assigned identities provide credential-free authentication
•Certificate lifecycle management — Integrated CAs, automatic renewal, and version tracking for complete certificate automation
•Deep Azure integration — Native support in App Service, Functions, AKS, and more through reference syntax and CSI drivers
•Robust DR capabilities — Soft delete, purge protection, and geo-replication protect against accidental and regional failures

What's Next:

Having explored Azure Key Vault, the next page examines Kubernetes Secrets—the built-in secrets management for Kubernetes clusters. You'll learn about native K8s secrets, their limitations, and how to enhance security with external secrets operators and sealed secrets.

Page Complete

You now have a comprehensive understanding of Azure Key Vault's architecture, access control models, managed identities, certificate management, and disaster recovery capabilities. This knowledge enables you to design secure secrets infrastructure for Azure-centric workloads.

3 / 5

Loading learning content...

System Design (HLD)Secrets Management Tools

Secrets Management Tools

LevelAdvanced

Duration90 mins

TopicSecrets Management Tools

3 / 5

Azure Key Vault

Microsoft's Unified Secrets, Keys, and Certificates Service

What You Will Learn

Azure Key Vault Fundamentals

Azure Key Vault manages three distinct types of cryptographic objects, each with its own API surface and management capabilities:

1. Secrets — Arbitrary strings up to 25KB (API keys, passwords, connection strings)

2. Keys — Cryptographic keys for encryption, signing, and wrapping operations

3. Certificates — X.509 certificates with private key management and lifecycle automation

This unified approach allows organizations to consolidate their cryptographic infrastructure rather than managing separate systems for each function.

Key Vault Object Types
Object Type	Use Cases	Size Limit	Operations
Secrets	Passwords, connection strings, API keys	25KB	Get, Set, Delete, List, Backup, Restore
Keys	Encryption, signing, key wrapping	RSA 2048-4096, EC P-256/384/521	Encrypt, Decrypt, Sign, Verify, Wrap, Unwrap
Certificates	TLS certificates, code signing	Based on key type	Import, Create, Renew, Policy management

Vault Architecture:

Each Key Vault is a dedicated, isolated container with its own URI and access policies. Key Vaults are regional resources but can be replicated to paired regions for disaster recovery:

Vault Name: Globally unique (e.g., mycompany-prod-kv)
Vault URI: https://{vault-name}.vault.azure.net
API Endpoints: Separate endpoints for secrets, keys, and certificates
Soft Delete: 7-90 day retention before permanent deletion (enabled by default)
Purge Protection: Optional immutability preventing early permanent deletion

Vault Isolation Strategy

Standard vs Premium Tiers - HSM Protection

Azure Key Vault offers two service tiers that differ primarily in how cryptographic keys are protected:

Standard Tier:

Keys protected by software in hardened, FIPS 140-2 Level 1 validated modules
Suitable for most applications
Lower cost per operation

Premium Tier:

Keys protected by FIPS 140-2 Level 3 validated Hardware Security Modules (HSMs)
Required for strict compliance (PCI DSS, HIPAA, FedRAMP High)
Keys never leave the HSM boundary

Tier Comparison
Aspect	Standard	Premium
Key Protection	Software (FIPS 140-2 Level 1)	HSM (FIPS 140-2 Level 3)
Secret Storage	Software encryption	Software encryption
Certificate Storage	Software protection	HSM for private keys (optional)
Compliance	SOC, ISO, HIPAA	PCI DSS, FedRAMP High, HIPAA
Pricing (secrets)	$0.03/10K operations	$0.03/10K operations
Pricing (HSM keys)	N/A	$1/key/month + ops
Key Operations	$0.03/10K	$0.03/10K (software) / $0.15/10K (HSM)

Choosing the Right Tier:

Use Standard When

•Storing application secrets (passwords, API keys)
•Software-protected encryption keys are acceptable
•No specific HSM compliance requirements
•Cost optimization is a priority
•Development and testing environments

Use Premium When

•Regulatory compliance requires HSM protection
•PCI DSS scope includes cryptographic keys
•You need Bring Your Own Key (BYOK) capability
•Financial or healthcare applications
•Production systems handling sensitive data

Secrets Are Always Software-Protected

Access Control Models

Azure RBAC (Role-Based Access Control) - Recommended:

Uses Azure's native RBAC system with built-in and custom roles assigned at the vault, secret, key, or certificate level.

Access Control Configuration
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# Create a Key Vault with RBAC authorization
az keyvault create \
    --name "prod-myapp-kv" \
    --resource-group "rg-myapp" \
    --location "eastus" \
    --enable-rbac-authorization true \
    --enable-soft-delete true \
    --retention-days 90 \
    --enable-purge-protection true
 
# Assign built-in roles
 
# Key Vault Administrator - Full management
az role assignment create \
    --role "Key Vault Administrator" \
    --assignee "admin@company.com" \
    --scope "/subscriptions/{sub}/resourceGroups/rg-myapp/providers/Microsoft.KeyVault/vaults/prod-myapp-kv"
 
# Key Vault Secrets User - Read secrets only
az role assignment create \
    --role "Key Vault Secrets User" \
    --assignee "8a5c1234-5678-90ab-cdef-1234567890ab" \  # App's managed identity
    --scope "/subscriptions/{sub}/resourceGroups/rg-myapp/providers/Microsoft.KeyVault/vaults/prod-myapp-kv"
 
# Key Vault Crypto User - Cryptographic operations only
az role assignment create \
    --role "Key Vault Crypto User" \
    --assignee "service-principal-id" \
    --scope "/subscriptions/{sub}/resourceGroups/rg-myapp/providers/Microsoft.KeyVault/vaults/prod-myapp-kv/keys/encryption-key"
 
# Built-in Key Vault roles:
# - Key Vault Administrator: Full access to all objects
# - Key Vault Reader: Read vault metadata only
# - Key Vault Secrets Officer: Manage secrets (CRUD)
# - Key Vault Secrets User: Read secrets
# - Key Vault Crypto Officer: Manage keys (CRUD)
# - Key Vault Crypto User: Perform crypto operations
# - Key Vault Certificates Officer: Manage certificates (CRUD)

RBAC vs Access Policies Comparison:

Access Control Model Comparison
Aspect	Vault Access Policies	Azure RBAC
Granularity	Vault level only	Vault, individual secret/key/cert level
Inheritance	None	Inherits from resource group/subscription
Condition Support	No	Yes (attribute-based conditions)
Azure Integration	Key Vault specific	Unified with all Azure resources
Audit	Key Vault logs only	Azure Activity Log + Key Vault logs
Maximum policies	1024 per vault	Unlimited via role assignments

Migrate to Azure RBAC

Managed Identities - The Azure Way

Types of Managed Identities:

System-Assigned — Tied to a specific Azure resource; deleted when resource is deleted
User-Assigned — Independent resource that can be assigned to multiple resources; lifecycle managed separately

Managed Identity Setup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# Enable system-assigned managed identity on an App Service
az webapp identity assign \
    --name "mywebapp" \
    --resource-group "rg-myapp"
 
# Output includes the principal ID
# {
#   "principalId": "8a5c1234-5678-90ab-cdef-1234567890ab",
#   "tenantId": "12345678-1234-1234-1234-123456789012",
#   "type": "SystemAssigned"
# }
 
# Grant the managed identity access to Key Vault
az role assignment create \
    --role "Key Vault Secrets User" \
    --assignee "8a5c1234-5678-90ab-cdef-1234567890ab" \
    --scope "/subscriptions/{sub}/resourceGroups/rg-myapp/providers/Microsoft.KeyVault/vaults/prod-myapp-kv"
 
# Create a user-assigned managed identity (reusable across resources)
az identity create \
    --name "myapp-identity" \
    --resource-group "rg-myapp" \
    --location "eastus"
 
# Assign to multiple resources
az vm identity assign \
    --name "myvm" \
    --resource-group "rg-myapp" \
    --identities "/subscriptions/{sub}/resourceGroups/rg-myapp/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myapp-identity"
 
az aks update \
    --name "myaks" \
    --resource-group "rg-myapp" \
    --assign-identity "/subscriptions/{sub}/resourceGroups/rg-myapp/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myapp-identity"

DefaultAzureCredential Chain

Certificate Management

Certificate Capabilities:

Certificate Features

•Integrated CAs — Direct integration with DigiCert and GlobalSign for automatic certificate issuance and renewal
•Self-Signed Certificates — Generate self-signed certificates for development and internal services
•Certificate Import — Import existing PFX/PEM certificates with private keys
•Automatic Renewal — Configure certificates to auto-renew before expiration
•Version History — Track certificate versions; roll back if needed
•Private Key Protection — Store private keys HSM-protected (Premium tier)

Certificate Operations
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# Create a self-signed certificate
az keyvault certificate create \
    --vault-name "prod-myapp-kv" \
    --name "myapp-tls-cert" \
    --policy "$(az keyvault certificate get-default-policy)"
 
# Create certificate with custom policy
cat > cert-policy.json << 'EOF'
{
  "issuerParameters": {
    "name": "Self"
  },
  "keyProperties": {
    "exportable": true,
    "keySize": 4096,
    "keyType": "RSA",
    "reuseKey": false
  },
  "secretProperties": {
    "contentType": "application/x-pkcs12"
  },
  "x509CertificateProperties": {
    "keyUsage": ["digitalSignature", "keyEncipherment"],
    "subject": "CN=myapp.example.com",
    "subjectAlternativeNames": {
      "dnsNames": ["myapp.example.com", "api.myapp.example.com"]
    },
    "validityInMonths": 12
  },
  "lifetimeActions": [
    {
      "action": { "actionType": "AutoRenew" },
      "trigger": { "daysBeforeExpiry": 30 }
    }
  ]
}
EOF
 
az keyvault certificate create \
    --vault-name "prod-myapp-kv" \
    --name "myapp-tls-cert" \
    --policy @cert-policy.json
 
# Import an existing certificate
az keyvault certificate import \
    --vault-name "prod-myapp-kv" \
    --name "imported-cert" \
    --file "certificate.pfx" \
    --password "pfx-password"
 
# Configure integrated CA (DigiCert example)
az keyvault certificate issuer create \
    --vault-name "prod-myapp-kv" \
    --issuer-name "DigiCertCA" \
    --provider-name "DigiCert" \
    --account-id "DigiCert-Account-ID" \
    --password "DigiCert-API-Key"
 
# Create certificate from integrated CA
az keyvault certificate create \
    --vault-name "prod-myapp-kv" \
    --name "public-cert" \
    --policy "$(cat ca-cert-policy.json)"  # Policy with issuer set to DigiCertCA

App Service Certificate Integration

Azure Service Integrations

Key Vault integrates deeply with Azure services, enabling secrets injection, encryption key references, and certificate usage without managing credentials in application code.

Service Integration Examples
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
// App Service configuration - appsettings linked to Key Vault
{
  "properties": {
    "siteConfig": {
      "appSettings": [
        {
          "name": "DatabaseConnectionString",
          "value": "@Microsoft.KeyVault(VaultName=prod-myapp-kv;SecretName=db-connection-string)"
        },
        {
          "name": "ApiKey",
          "value": "@Microsoft.KeyVault(SecretUri=https://prod-myapp-kv.vault.azure.net/secrets/api-key/)"
        },
        {
          "name": "ApiKeyWithVersion",
          "value": "@Microsoft.KeyVault(SecretUri=https://prod-myapp-kv.vault.azure.net/secrets/api-key/abc123version)"
        }
      ]
    }
  }
}
 
// App Service must have:
// 1. System-assigned managed identity enabled
// 2. Key Vault Secrets User role on the vault
// 3. Key Vault firewall allowing App Service access (or private endpoint)
 
// Azure CLI setup:
// az webapp config appsettings set --name mywebapp --resource-group rg-myapp \
//   --settings "DatabaseConnectionString=@Microsoft.KeyVault(VaultName=prod-myapp-kv;SecretName=db-connection-string)"

Private Endpoints for Network Isolation

Backup, Recovery, and Disaster Recovery

Azure Key Vault provides multiple mechanisms for data protection and disaster recovery. Understanding these capabilities is essential for designing resilient secrets infrastructure.

Built-in Protection:

Protection Mechanisms

•Soft Delete — Deleted vaults and objects retained for 7-90 days; recoverable during retention period
•Purge Protection — Prevents permanent deletion during retention period; cannot be disabled once enabled
•Automatic Geo-Replication — Vault contents replicated to Azure paired region (read-only during failover)
•Object Versioning — Previous versions of secrets, keys, and certificates retained

Backup and Recovery
Azure CLI
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
# Enable soft delete and purge protection (required for production)
az keyvault update \
    --name "prod-myapp-kv" \
    --enable-soft-delete true \
    --retention-days 90 \
    --enable-purge-protection true
 
# Backup individual secrets (encrypted blob)
az keyvault secret backup \
    --vault-name "prod-myapp-kv" \
    --name "database-password" \
    --file "database-password.backup"
 
# Backup a key
az keyvault key backup \
    --vault-name "prod-myapp-kv" \
    --name "encryption-key" \
    --file "encryption-key.backup"
 
# Backup a certificate
az keyvault certificate backup \
    --vault-name "prod-myapp-kv" \
    --name "tls-cert" \
    --file "tls-cert.backup"
 
# Restore to same or different vault (same tenant only!)
az keyvault secret restore \
    --vault-name "recovery-vault" \
    --file "database-password.backup"
 
# Recover soft-deleted vault
az keyvault recover --name "deleted-vault" --location "eastus"
 
# Recover soft-deleted secret
az keyvault secret recover \
    --vault-name "prod-myapp-kv" \
    --name "accidentally-deleted-secret"
 
# List deleted vaults and secrets
az keyvault list-deleted
az keyvault secret list-deleted --vault-name "prod-myapp-kv"
 
# Purge (permanently delete) - only if purge protection not enabled
az keyvault secret purge --vault-name "prod-myapp-kv" --name "old-secret"

Disaster Recovery Strategy:

DR Options
Scenario	Mechanism	RTO/RPO
Accidental deletion	Soft delete recovery	Minutes / 0 data loss
Region outage	Automatic paired region failover	Minutes / Near 0
Tenant/subscription loss	Backup restoration to new tenant	Hours / Last backup
Ransomware/corruption	Purge protection + versioning	Minutes / 0 data loss

Backup Limitations

Summary: Azure Key Vault Mastery

Azure Key Vault provides a comprehensive platform for secrets, keys, and certificates management within the Azure ecosystem. Let's consolidate the key concepts:

Key Takeaways

•Unified platform — Secrets, cryptographic keys, and certificates in a single service with consistent management
•HSM protection available — Premium tier offers FIPS 140-2 Level 3 HSM for keys meeting strict compliance requirements
•Azure RBAC preferred — Modern access control with granularity down to individual secrets; migrate from legacy access policies
•Managed identities eliminate credentials — System-assigned or user-assigned identities provide credential-free authentication
•Certificate lifecycle management — Integrated CAs, automatic renewal, and version tracking for complete certificate automation
•Deep Azure integration — Native support in App Service, Functions, AKS, and more through reference syntax and CSI drivers
•Robust DR capabilities — Soft delete, purge protection, and geo-replication protect against accidental and regional failures

What's Next:

Page Complete

3 / 5