
secure access to keyvault from desktop app


I created a console app to access Azure Key Vault. To do that I put the appId and appSecret in the appsettings.json file. Is this secure? I mean, putting the secret of the app here to be able to use it and retrieve Key Vault content seems weird to me. But I can't find any other way to do that for a desktop app. Is there any other way to be sure that the AppSecret is not copied outside of the app to be used to retrieve other secrets? Regards,

Appsettings works fine, I can get the Key Vault secrets, but it seems insecure to me.


Solution

  • This is the standard "chicken and egg problem", where at the end of the day some sensitive value/password will be there in the system which starts the entire vault/secure secret procedure.

    As mentioned by you, there is no foolproof solution to this, but follow best practices to minimize the risk of exposing sensitive content.

    Practices including regular auditing, updates, encryption and managed access (minimal required access) will be the only way forward.

    Hope this helps.
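
One way to apply the "encryption" point above to the asker's appSecret, as an added example that is not code from the question or the answer: on Windows, keep the secret as a DPAPI-protected blob instead of plaintext in appsettings.json, so a copied file cannot be decrypted under another user account or on another machine. The blob path and the `KV_*` environment variable names are hypothetical, and any code running as the same Windows user can still decrypt the blob, so this narrows the exposure rather than removing it.

```csharp
// Added example. Windows only (DPAPI). NuGet packages assumed:
// System.Security.Cryptography.ProtectedData, Azure.Identity, Azure.Security.KeyVault.Secrets
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

static class ProtectedAppSecret
{
    // Hypothetical per-user location for the encrypted blob.
    static readonly string Dir = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "MyKvApp");
    static readonly string BlobPath = Path.Combine(Dir, "appsecret.bin");

    // Mixed into the DPAPI key and must match on Unprotect.
    // It ships in the binary, so it is a speed bump, not a secret.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyKvApp/appSecret/v1");

    // Provisioning step: encrypt the secret for the current Windows user only.
    public static void Save(string appSecret)
    {
        Directory.CreateDirectory(Dir);
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(appSecret), Entropy, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(BlobPath, blob);
    }

    // Throws CryptographicException if the blob was copied to another user or machine.
    public static string Load()
    {
        byte[] plain = ProtectedData.Unprotect(
            File.ReadAllBytes(BlobPath), Entropy, DataProtectionScope.CurrentUser);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    static void Main(string[] args)
    {
        if (args.Length == 1 && args[0] == "--provision")
        {
            Console.Write("appSecret: ");
            Save(Console.ReadLine() ?? "");   // typed once, never written in plaintext
            return;
        }
        string Env(string n) => Environment.GetEnvironmentVariable(n)
            ?? throw new InvalidOperationException(n + " is not set");
        var cred = new ClientSecretCredential(Env("KV_TENANT_ID"), Env("KV_APP_ID"), Load());
        var client = new SecretClient(new Uri(Env("KV_VAULT_URL")), cred);
        Console.WriteLine(client.GetSecret(Env("KV_SECRET_NAME")).Value.Name);
    }
}
```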