Learn how to enable an Azure container app to securely retrieve secrets from Key Vault using a managed identity, and what actually determines which key vaults the app can use.
Question
You have an Azure subscription that contains the resources shown in the following table.
Name | Resource group | Type | Location |
---|---|---|---|
app1 | RG1 | Container app | East US |
Vault1 | RG1 | Azure Key Vault | East US |
Vault2 | RG1 | Azure Key Vault | West US |
Vault3 | RG2 | Azure Key Vault | East US |
You plan to use an Azure key vault to provide a secret to app1.
What should you create for app1 to access the key vault, and from which key vault can the secret be used? To answer, select the appropriate options in the answer area.
Create a:
- Managed identity
- Private endpoint
- Service principal
- User account
Use the secret from:
- Vault1 only
- Vault1 and Vault2 only
- Vault1 and Vault3 only
- Vault1, Vault2, or Vault3
Answer
Create a: Managed identity
Use the secret from: Vault1, Vault2, or Vault3
Explanation
To allow the container app app1 to read a secret stored in an Azure key vault, you should:
Create a: Managed identity
A managed identity is an identity in Microsoft Entra ID (formerly Azure Active Directory) whose credentials Azure creates, rotates, and protects for you, so the app never holds a client secret or certificate of its own. This is the recommended way for an Azure resource such as a container app to authenticate to Key Vault. A system-assigned identity is enabled on app1 itself and is deleted with it; a user-assigned identity is a standalone resource that several apps can share. Either kind can then be granted permission on one or more key vaults.
The other options do not solve the authentication problem. A private endpoint only changes the network path to a vault; it does not identify the caller. A service principal with its own client secret would work, but it reintroduces a long-lived credential you must store and rotate, which is exactly what Key Vault is meant to eliminate. A user account is not appropriate for an unattended workload.
Use the secret from: Vault1, Vault2, or Vault3
Whether app1 can read a secret is decided by the vault's data-plane authorization (an Azure RBAC role such as Key Vault Secrets User, or a legacy access policy granting the get permission on secrets) and by the vault's network rules. Neither check involves the region or the resource group of the caller: app1 presents an Entra ID token and connects over HTTPS to https://<vault-name>.vault.azure.net, a name that contains no region and no resource group. Therefore app1 can use a secret from Vault1 (same resource group and region), from Vault2 (different region), or from Vault3 (different resource group), provided its managed identity has been granted access on that particular vault.
Two practical caveats apply. Authorization is per vault, so each vault must grant the identity separately; granting access on Vault1 gives app1 nothing on Vault2 or Vault3. And if a vault restricts public network access, app1 must reach it through a private endpoint or an allowed virtual network. Keeping the vault in the same region as the app lowers latency and keeps the secret readable during an outage in another region, but it is a design preference, not a requirement.
In summary, enable a managed identity on app1, grant that identity permission to read secrets on whichever vault holds the secret (Vault1, Vault2, or Vault3), and reference the secret from app1. Grant only the read permission on secrets; the identity does not need key, certificate, or management-plane rights.
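The setup described above, written out as Azure CLI commands. This is an added example and not code from the original page. The secret name db-password, the rbac/policy switch, and the AZ variable (set AZ="echo az" to print the commands as a dry run instead of executing them) are assumptions of the example; only app1, RG1 and the vault names come from the question. Any of Vault1, Vault2 or Vault3 can be passed as the vault name, since no command below takes a region or a resource group for the vault.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): wire app1 to a Key Vault secret using
# the app's system-assigned managed identity. Region and resource group of the vault
# play no part in any of these commands; the vault is addressed by name only.
# The secret name "db-password" and the AZ dry-run override are assumptions.
set -eu

# Command prefix. Set AZ="echo az" to print the commands instead of running them.
AZ=${AZ:-az}

# Enable the system-assigned identity on the container app and print its object (principal) ID.
enable_identity() {   # enable_identity <app-name> <resource-group>
  $AZ containerapp identity assign --name "$1" --resource-group "$2" --system-assigned \
    --query principalId --output tsv
}

# Look up the vault's resource ID; it is the scope for an RBAC role assignment.
vault_id() {          # vault_id <vault-name>
  $AZ keyvault show --name "$1" --query id --output tsv
}

# RBAC-mode vault (recommended): grant read access to secret values and nothing else.
grant_secret_reader() {   # grant_secret_reader <principal-id> <vault-resource-id>
  $AZ role assignment create --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$2"
}

# Legacy access-policy vault: grant only the "get" permission on secrets.
grant_secret_get_policy() {   # grant_secret_get_policy <principal-id> <vault-name>
  $AZ keyvault set-policy --name "$2" --object-id "$1" --secret-permissions get
}

# A Key Vault secret identifier is a DNS name plus a path; no region or resource group appears in it.
secret_uri() {        # secret_uri <vault-name> <secret-name>
  printf 'https://%s.vault.azure.net/secrets/%s' "$1" "$2"
}

# Store a Key Vault reference in the container app, resolved with the system-assigned identity.
add_keyvault_ref() {  # add_keyvault_ref <app> <rg> <app-secret-name> <vault-name> <vault-secret-name>
  $AZ containerapp secret set --name "$1" --resource-group "$2" \
    --secrets "$3=keyvaultref:$(secret_uri "$4" "$5"),identityref:system"
}

# End to end: identity -> per-vault authorization -> secret reference in the app.
provision() {         # provision <app> <rg> <vault-name> <secret-name> [rbac|policy]
  app=$1; rg=$2; vault=$3; secret=$4; mode=${5:-rbac}
  principal=$(enable_identity "$app" "$rg")
  if [ "$mode" = rbac ]; then
    grant_secret_reader "$principal" "$(vault_id "$vault")"
  else
    grant_secret_get_policy "$principal" "$vault"
  fi
  add_keyvault_ref "$app" "$rg" "$secret" "$vault" "$secret"
}

# Runs only when invoked with arguments, e.g.:  ./kv-access.sh app1 RG1 Vault2 db-password
if [ "$#" -ge 4 ]; then
  provision "$@"
fi
```

Use rbac mode when the vault's permission model is Azure role-based access control (the default for new vaults) and policy mode for a vault still using access policies; both grant only the ability to read secret values, which is the least privilege app1 needs. Running provision with Vault2 or Vault3 instead of Vault1 changes nothing except the vault name, which is the point the question turns on.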
Microsoft AZ-104 certification exam practice question and answer with explanation.