Storing items in Azure Key Vaults vs a Configuration File

Question

Looking for guidance on what items to store in a simple configuration file versus an Azure Key Vault?

For example, an SQL Database name should be stored in a configuration file while its password should be stored in a KeyVault. Is this correct?

Should there be a key vault for each environment (I think not) or simply one for production and one for non-production?

Answer 1

Anything that should be protected (passwords, certs, API keys, etc..) should be in a Key Vault and have strict access policies assigned to it.

Agree with Hury on the first half; however, disagree on the one key vault for all environments. Different access policies will be applied for different environments.

Your developers may want access to the Key Vault for the dev credentials. As such they'd have an access policy to the dev Key Vault. I would not want to grant them access to a production Key Vault, which would give them access to all the keys in it.

Key Vault is a globally available resource. So if you have multiple instances in different regions connecting that is fine as you wouldn't need to have a separate Key Vault in a different region from a disaster recovery and availability standpoint.

Here is a similar quesiton and also link to Microsoft best practices which supports this

Answer 2

Yes, you can just store the password of SQL Database in azure key vault and store the database name in configuration file, or we can store the whole connection string of the database in azure key vault.

For your second question about should there be a key vault for each environment, I think it's unnecessary for us to create multiple key vault for each environment, you can just separate them with several different names in one key vault.