What permissions are needed for App Configuration to access Key Vault secrets?
Learn how to correctly configure authentication for Azure App Configuration to retrieve secrets from Azure Key Vault using managed identities. Understand the required access policies or role-based access control (RBAC) roles needed for secure secret resolution.
Question
When using Azure Key Vault references in App Configuration, the application must have a managed identity or an access policy configured to retrieve the secrets. Is this statement correct? [State True or False].
A. True
B. False
Answer
A. True
Explanation
When using Azure Key Vault references in Azure App Configuration, the application must have a managed identity (system-assigned or user-assigned) or an access policy configured in Key Vault. For more information, please refer to the “Secure app configuration data by using App Configuration or Azure Key Vault – Demo” lecture.
When Azure App Configuration uses a Key Vault reference, it stores a pointer (the URI) to a secret in Azure Key Vault, not the secret’s value itself. For the application to receive the actual secret value, the App Configuration service must first resolve this reference by authenticating to the specified Key Vault and fetching the secret.
This interaction requires a trust relationship between the App Configuration store and the Key Vault, which is established through an identity and permission model.
Authentication and Authorization Flow
Identity for App Configuration
The App Configuration store must have its own security principal, or identity, to present to Key Vault for authentication. This is accomplished by enabling a managed identity on the App Configuration store. You can use either:
- System-assigned managed identity: An identity created and managed by Azure that is tied directly to the lifecycle of the App Configuration store.
- User-assigned managed identity: A standalone Azure resource that can be created separately and assigned to one or more services, including App Configuration.
Permissions on Key Vault
Once the App Configuration store has a managed identity, that identity must be granted permission to access the secrets within the target Key Vault. This is configured on the Key Vault itself using one of two authorization models:
- Vault Access Policy: In this model, you create an access policy on the Key Vault that explicitly grants the managed identity’s principal “Get” and “List” permissions on secrets.
- Azure RBAC for Key Vault: In this newer model, you assign the managed identity an Azure role, such as Key Vault Secrets User, at the scope of the Key Vault. This role includes the necessary permissions to read secret properties and values.
Without this configured identity and the corresponding permissions on the Key Vault, the App Configuration service will receive an access denied error when it attempts to resolve the Key Vault reference, and the application will fail to retrieve the secret.
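As an added illustration (this is not code from the page, from Microsoft, or from the Azure SDKs), the Python below parses a Key Vault reference the way App Configuration stores it (a JSON value carrying the secret URI, marked by a reference content type), rejects anything that is not an HTTPS secret identifier on an expected vault host, and then checks against constructed vault data whether a managed identity's principal can read secrets under whichever authorization model the vault has enabled. The content-type string, the role names and the vault/role-assignment field names are assumptions not taken from the page, and the vault name and principal id are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Content type App Configuration stamps on a setting that is a Key Vault reference.
KEYVAULT_REF_CONTENT_TYPE = "application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8"
# Built-in roles that include reading secret values (Key Vault Reader reads metadata only).
SECRET_READ_ROLES = {"Key Vault Secrets User", "Key Vault Secrets Officer", "Key Vault Administrator"}

def parse_keyvault_reference(content_type, value, allowed_suffixes=(".vault.azure.net",)):
    """Return (vault_url, secret_name, version) for a Key Vault reference setting, or raise
    ValueError unless it is an HTTPS secret identifier on an allowed vault host."""
    if content_type != KEYVAULT_REF_CONTENT_TYPE:
        raise ValueError("setting is not a Key Vault reference")
    uri = json.loads(value).get("uri")
    if not isinstance(uri, str):
        raise ValueError("reference JSON has no 'uri' string")
    parsed = urlparse(uri)
    host = parsed.hostname or ""
    if parsed.scheme != "https" or not host.endswith(tuple(allowed_suffixes)):
        raise ValueError(f"unexpected scheme or vault host in {uri!r}")
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) not in (2, 3) or parts[0] != "secrets":
        raise ValueError(f"not a secret identifier: {uri!r}")
    return f"https://{host}", parts[1], (parts[2] if len(parts) == 3 else None)

def identity_can_read_secrets(principal_id, vault, role_assignments):
    """True if the principal can read secrets from `vault` under the model the vault has
    enabled ('rbacAuthorization' flag). A role assignment (assumed scoped at the vault or
    above) counts only on an RBAC vault; an access policy counts only on a policy vault."""
    if vault["rbacAuthorization"]:
        return any(ra["principalId"] == principal_id and ra["roleName"] in SECRET_READ_ROLES
                   for ra in role_assignments)
    for policy in vault["accessPolicies"]:
        if policy["objectId"] == principal_id:
            return {"get", "list"} <= {p.lower() for p in policy.get("secrets", [])}
    return False

# Constructed sample data: placeholder vault name and principal id, not real resources.
SAMPLE_REF = json.dumps({"uri": "https://contoso-kv.vault.azure.net/secrets/DbPassword/1a2b3c"})
SAMPLE_PRINCIPAL = "00000000-0000-0000-0000-00000000abcd"
SAMPLE_ROLE = [{"principalId": SAMPLE_PRINCIPAL, "roleName": "Key Vault Secrets User"}]
RBAC_VAULT = {"rbacAuthorization": True, "accessPolicies": []}
POLICY_VAULT = {"rbacAuthorization": False,
                "accessPolicies": [{"objectId": SAMPLE_PRINCIPAL, "secrets": ["Get", "List"]}]}

if __name__ == "__main__":
    print(parse_keyvault_reference(KEYVAULT_REF_CONTENT_TYPE, SAMPLE_REF))
    print(identity_can_read_secrets(SAMPLE_PRINCIPAL, RBAC_VAULT, SAMPLE_ROLE))   # True
    print(identity_can_read_secrets(SAMPLE_PRINCIPAL, POLICY_VAULT, SAMPLE_ROLE)) # True (via policy)
```

Extend `allowed_suffixes` for sovereign-cloud vault hosts; the host check exists so that a reference cannot silently point the resolver at a vault outside the expected cloud.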
Microsoft Security Solutions Capabilities certification exam assessment practice question and answer (Q&A) dump, including multiple-choice questions (MCQ) and objective-type questions with detailed explanations and references, available free and helpful for passing the Microsoft Security Solutions Capabilities exam and earning the Microsoft Security Solutions Capabilities certificate.