Search code examples
azureconfiguration-managementkey-management

What is the point of using Azure Key Vault instead of only App Configuration?

Is there any point in using Azure Key Vault over App Configuration?

Yes, yes, I know - they are complimentary, key vault for secrets, app config for... well, app config.

But, considering they are both encrypted, basically for someone to see either a secret or a config value they'd have to have access to your azure portal (this is a low-level bad guy scenario).

The ONLY difference I see is that you can control permissions differently between the vault and config but apart from that if someone unauthorized has access to your portal you've got bigger problems.

So - why? and please only good and real arguments no "because you should" or "because person X said so", what benefits would I reap with key vault that I don't have with app config?

Solution

  • I appreciate your question. I'd re-phrase it to this:

    Q) How are are Key Vault and App Configuration designed differently supporting different purposes? And where can I find a clear comparison table of features and benefits?

    I also appreciate your aside:

    please only good and real arguments no "because you should" or "because person X said so", what benefits would I reap with key vault that I don't have with app config?

    Here is what I found to understand benefits as a contrast:

    Article 1: What is Azure App Configuration?

    App Configuration complements Azure Key Vault, which is used to store application secrets. App Configuration makes it easier to implement the following scenarios:

    • Centralize management and distribution of hierarchical configuration data for different environments and geographies
    • Dynamically change application settings without the need to redeploy or restart an application
    • Control feature availability in real-time

    Article 2 : Key management with Key Vault

    Key management with Key Vault

    Without proper protection and management of the keys, encryption is rendered useless. Key Vault is the Microsoft-recommended solution for managing and controlling access to encryption keys used by cloud services. Permissions to access keys can be assigned to services or to users through Azure Active Directory accounts.

    Key Vault relieves organizations of the need to configure, patch, and maintain hardware security modules (HSMs) and key management software. When you use Key Vault, you maintain control. Microsoft never sees your keys, and applications don’t have direct access to them. You can also import or generate keys in HSMs.

    Article 3: Azure Key Vault recovery management with soft delete and purge protection

    Soft delete and purge protection are two different key vault recovery features.