kcode

Reputation: 1280

What are the advantages of storing simple secrets in Key Vault over environment variables?

I run a very simple Node.js web app on Azure App Services. I need to pass a secret into the app, for which I use dotenv locally. I can set these environment variables in the Azure configuration under Application settings. Wondering whether the secrets are secure there, I found I can also store them in Key Vault, referencing them in the environment variables using @Microsoft.KeyVault({referenceString}). In both places I can "unhide" the secret, so I wonder what the advantage of one over the other is in my scenario?

Upvotes: 0

Views: 871

Answers (1)

Joy Wang

Reputation: 42123

In the Application settings, the app setting is not really hidden; as you know, simply click Show values and you can see it. Also, anyone who has read permission at your web app scope will always be able to check this value, not only in the portal UI but also via Azure PowerShell, CLI, Resource Explorer, etc.

Storing it as a secret in Key Vault is secure: only the one (in your case, the system-assigned identity of the web app) who has the correct permission in the Access policies can access the secret. Other people will not be able to access the secret (as long as they do not hold RBAC roles, e.g. Owner or Contributor, in the subscription/key vault; otherwise they can add themselves to the Access policies).

For more details, see Secure access to a key vault.

Upvotes: 2
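Because access depends on the web app's identity being listed in the Access policies, a reference can fail to resolve, and App Service then hands the app the literal @Microsoft.KeyVault(...) string as the setting's value. The following startup check for that case is an added example, not code from the question or the answer; the setting names and the vault name example-vault are constructed.

```javascript
const KV_REF = /^@Microsoft\.KeyVault\((.*)\)$/;

// Parse either reference form:
//   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version>)
//   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>;SecretVersion=<version>)
// Returns null when the value is not a reference literal.
function parseKeyVaultReference(value) {
  const m = KV_REF.exec(String(value).trim());
  if (!m) return null;
  const fields = {};
  for (const part of m[1].split(';')) {
    const i = part.indexOf('=');
    if (i > 0) fields[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  let { VaultName: vault = null, SecretName: secret = null, SecretVersion: version = null } = fields;
  if (fields.SecretUri) {
    try {
      const u = new URL(fields.SecretUri);
      const [, name, ver] = u.pathname.split('/').filter(Boolean);
      vault = u.hostname.split('.')[0];
      secret = name || null;
      version = ver || null;
    } catch (_) { /* malformed URI: still a reference, details unknown */ }
  }
  return { vault, secret, version };
}

// Report required settings that are absent or still hold the reference literal.
// Only names and vault coordinates are returned, never a setting's value.
function checkSecrets(env, required) {
  const problems = [];
  for (const name of required) {
    const value = env[name];
    if (value === undefined || value === '') { problems.push({ name, reason: 'missing' }); continue; }
    const ref = parseKeyVaultReference(value);
    if (ref) problems.push({ name, reason: 'unresolved-reference', ...ref });
  }
  return problems;
}

// Constructed sample environment: one resolved value, two unresolved references.
const sampleEnv = {
  API_KEY: 'constructed-resolved-value',
  DB_PASSWORD: '@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/db-password/)',
  SESSION_KEY: '@Microsoft.KeyVault(VaultName=example-vault;SecretName=session-key)',
};
```

At startup, call checkSecrets(process.env, [...]) with the app's required setting names and refuse to start if the result is non-empty, so the reference string is never used as if it were the secret.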
