Azure Key Vault – Gaining the Azure Data Engineer Associate Certification

It is unfortunately very common to store passwords and connection strings within application code. Sometimes they are stored in a configuration file alongside the application code. Even if the password or connection string is encrypted, it can still be compromised, because anyone with administrative access to the machine that decrypts the credential can decrypt it as well. The solution to this is Azure Key Vault (AKV), which is a place to store secrets, keys, and certificates.

A secret is the place to store things like tokens, passwords, or API keys. A key is a tool that can generate and store highly sophisticated encryption keys used for encrypting your data. Certificates are Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with your Azure web‐accessible hosted resources. The most common and most secure procedure for obtaining access to the information stored within the AKV is by using a managed identity (MI). An application that historically read a connection string from a configuration file has code that accesses and uses the value in that file. That code would need to be changed to access an AKV instead. The resource running the code—for example an Azure Function, Azure App Services Web App, or an Azure VM—would need an MI that is authenticated and authorized against the AKV. Notice in Figure 1.26 that there is a system‐assigned identity configured for an Azure App Service. A user‐assigned identity can be used across multiple resources, whereas a system‐assigned identity is restricted to a single resource.

FIGURE 1.26 Azure App Service Managed Identity

Figure 1.27 illustrates the application resource in Azure Active Directory. You would see the same on the Enterprise applications blade.

And finally, Figure 1.28 shows the granted permission to an AKV for the MI.

AKV is the go‐forward solution for storing secrets, keys, and certificates. You should know this product very well.

FIGURE 1.27 Azure Managed Identity in Azure Active Directory

FIGURE 1.28 Azure Managed Identity in Azure Key Vault
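
The code change described above, as an added example that is not from the book: the "before" function reads the connection string from a config file, the "after" function reads it from Key Vault using the resource's managed identity (via the azure-identity and azure-keyvault-secrets packages). The vault URL, secret name and connection string are constructed placeholders, and the `fetch` parameter is a hypothetical hook so the flow can be exercised without an Azure subscription.

```python
"""Added example (not from the book): moving a connection string out of a config
file into Azure Key Vault, read at run time through a managed identity."""
import configparser
import os
import tempfile
from typing import Callable


# BEFORE: the credential sits next to the code. Anyone who can read the file
# (or decrypt it on that machine) has the credential.
def connection_string_from_config(path: str) -> str:
    cfg = configparser.ConfigParser()
    cfg.read(path)
    return cfg["database"]["connection_string"]


def fetch_from_key_vault(vault_url: str, secret_name: str) -> str:
    """Real lookup: authenticate as the resource's managed identity and read the secret."""
    # Imported here so the module loads even where the Azure SDK is not installed.
    from azure.identity import DefaultAzureCredential  # pip install azure-identity
    from azure.keyvault.secrets import SecretClient  # pip install azure-keyvault-secrets
    # On an Azure Function, App Service or VM this picks up the system- or
    # user-assigned identity; the code holds no secret of its own to reach the vault.
    client = SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())
    return client.get_secret(secret_name).value


# AFTER: the code knows only the vault URL and the secret name. The identity must
# hold "Get" permission on secrets in that vault (Figure 1.28) or the call fails.
def connection_string_from_key_vault(
    vault_url: str, secret_name: str, fetch: Callable[[str, str], str] = fetch_from_key_vault
) -> str:
    if not vault_url.startswith("https://"):
        raise ValueError("Key Vault URL must be https://<name>.vault.azure.net")
    return fetch(vault_url, secret_name)


def demo(fetch: Callable[[str, str], str] = fetch_from_key_vault) -> tuple:
    """Run both paths on constructed sample data; returns (before, after)."""
    conn = "Server=tcp:example.database.windows.net;User ID=app;Password=PLACEHOLDER;"
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as f:
        f.write("[database]\nconnection_string = " + conn + "\n")
    try:
        before = connection_string_from_config(f.name)  # the insecure path
    finally:
        os.unlink(f.name)
    after = connection_string_from_key_vault(
        "https://example-kv.vault.azure.net", "SqlConnectionString", fetch)
    return before, after
```

Calling `demo()` with no argument performs the real Key Vault lookup and therefore only succeeds on a resource whose managed identity has been granted access, as shown in Figures 1.26 to 1.28.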

Other Products

Security is very important. Here are some additional security‐related Azure products and features you should know about.
