What is the point of using Azure Key Vault instead of only App Configuration?

Question

Is there any point in using Azure Key Vault over App Configuration?

Yes, yes, I know - they are complimentary, key vault for secrets, app config for... well, app config.

But, considering they are both encrypted, basically for someone to see either a secret or a config value they'd have to have access to your azure portal (this is a low-level bad guy scenario).

The ONLY difference I see is that you can control permissions differently between the vault and config but apart from that if someone unauthorized has access to your portal you've got bigger problems.

So - why? and please only good and real arguments no "because you should" or "because person X said so", what benefits would I reap with key vault that I don't have with app config?

Answer 1

I appreciate your question. I'd re-phrase it to this:

Q) How are are Key Vault and App Configuration designed differently supporting different purposes? And where can I find a clear comparison table of features and benefits?

I also appreciate your aside:

please only good and real arguments no "because you should" or "because person X said so", what benefits would I reap with key vault that I don't have with app config?

Here is what I found to understand benefits as a contrast:

Article 1: What is Azure App Configuration?

App Configuration complements Azure Key Vault, which is used to store application secrets. App Configuration makes it easier to implement the following scenarios:

• Centralize management and distribution of hierarchical configuration data for different environments and geographies
• Dynamically change application settings without the need to redeploy or restart an application
• Control feature availability in real-time

---

Article 2 : Key management with Key Vault

Key management with Key Vault

Without proper protection and management of the keys, encryption is rendered useless. Key Vault is the Microsoft-recommended solution for managing and controlling access to encryption keys used by cloud services. Permissions to access keys can be assigned to services or to users through Azure Active Directory accounts.

Key Vault relieves organizations of the need to configure, patch, and maintain hardware security modules (HSMs) and key management software. When you use Key Vault, you maintain control. Microsoft never sees your keys, and applications don’t have direct access to them. You can also import or generate keys in HSMs.

---

Article 3: Azure Key Vault recovery management with soft delete and purge protection

Soft delete and purge protection are two different key vault recovery features.

Answer 2

I think you should not neglect the fact that someone that have the configuration of your App Service can see the secrets. A developer of your company could have access a production App Service for bug investigation but it should not mean he has access to production secrets. The fact of having a single employee's laptop (with access to Azure Portal) hacked should not necessarily mean "access to every secret of your application".

But appart from (as you already know the above), what differences I see:

• Better governance and acess monitoring : you have logs to see who try to access each secret, when and how, something you cannot do in an App Service
• Better secret management: all secrets stored in one place, you only modify them in key vault once instead of on each app service configuration when some secrets are shared in (used by) multiple app services
• Some advanced mechanism like recovery management and purge protection
• Better development experience : when debugging an app, if your user has access to the keyvault he can just run the app that will load secrets from keyvault into configuration instead of manually copying secrets from azure app settings locally