Reputation: 1
I am using Azure Key Vault to store my connection strings. The application that needs them is just a C# console application that will run in an Azure VM. The problem is, I am unsure what the best practice is for storing the tenantId, clientId and clientSecret. Should they be compiled in the code? Should they be put in the app.config file? Should they be put in the environment variables? Should they be encrypted? Or is plain text for these fine?
Upvotes: 0
Views: 1951
Reputation: 51
Once you have assigned a managed identity to the virtual machine in Azure, you simply need the Azure KeyVault URL, without the need for a client id and client secret.
Keep in mind that you need to authorize the VM's identity to read from Key Vault.
Upvotes: 1
Reputation: 7473
If you would like to store the properties on your VM, you could use deployed service authentication (e.g. environment variables, managed identity). Refer to here.
Managed identity is the most secure and recommended option for authenticating within Azure, see here. You could use managed identities to access App Configuration.
A service principal is a type of security principal that identifies an application or service, which is to say, a piece of code rather than a user or group. A service principal's object ID is known as its client ID and acts like its username. The service principal's client secret or certificate acts like its password. Many Azure services support assigning a managed identity, with automated management of the client ID and certificate. Managed identity is the most secure and recommended option for authenticating within Azure.
Upvotes: 1
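To show what both answers describe in practice, here is an added example (not code from the question or either answer) of a C# console app that reads a connection string from Key Vault using the VM's system-assigned managed identity, so no tenant ID, client ID or client secret exists on the VM at all. It assumes the NuGet packages Azure.Identity and Azure.Security.KeyVault.Secrets, an environment variable named KEY_VAULT_URI (a hypothetical name) holding the vault URL, and a secret named SqlConnectionString (a placeholder).

```csharp
// Added example: read a secret from Azure Key Vault with the VM's managed identity.
// Assumes NuGet packages Azure.Identity and Azure.Security.KeyVault.Secrets, and an
// environment variable KEY_VAULT_URI (hypothetical name) set on the VM.
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

class Program
{
    static async Task<int> Main()
    {
        // The only configuration the app needs is the vault URL. No tenant id,
        // client id or client secret is compiled in, stored in app.config or set
        // in the environment.
        string vaultUri = Environment.GetEnvironmentVariable("KEY_VAULT_URI")
            ?? throw new InvalidOperationException("KEY_VAULT_URI is not set");

        // The VM's system-assigned identity obtains a token from the Azure
        // instance metadata endpoint; the credential is managed by Azure, never
        // handled by the application.
        var credential = new ManagedIdentityCredential();
        var client = new SecretClient(new Uri(vaultUri), credential);

        try
        {
            // "SqlConnectionString" is a placeholder secret name.
            KeyVaultSecret secret = await client.GetSecretAsync("SqlConnectionString");
            string connectionString = secret.Value;
            // Use the value to open the connection; never log or print it.
            Console.WriteLine($"Fetched secret ({connectionString.Length} characters)");
            return 0;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // The identity exists but is not authorized on this vault: grant it
            // the "Key Vault Secrets User" RBAC role (or a "Get" secret access
            // policy on vaults still using access policies).
            Console.Error.WriteLine("Access denied: the VM identity is not authorized on the vault.");
            return 1;
        }
        catch (CredentialUnavailableException ex)
        {
            // No managed identity endpoint: not running in Azure, or no identity assigned.
            Console.Error.WriteLine($"Managed identity unavailable: {ex.Message}");
            return 1;
        }
    }
}
```

The 403 branch is the failure mode the first answer warns about: assigning the identity is not enough, it must also be granted read access on the vault.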