Securing Secrets: Migrating to Azure Key Vault & App Configuration
Migrating Key Values to Azure
Security keeps clients awake at night. Moving to the cloud means handing over the keys to the kingdom. Azure gives you fully managed, locked-down ways to store that confidential data.
Here is the standard playbook for migrating secrets using Azure Key Vault and Azure App Configuration.
Azure Key Vault
Think of Key Vault as a digital safe. You put API keys, passwords, and certificates in it. You tightly control who gets to open the door. You lock down access using Azure Managed Identities and strict Role-Based Access Control (RBAC).
Keep your blast radius small. Run one vault per application, per environment. Dev gets a vault. Staging gets a vault. Prod gets a vault. Never mix them.
Key Vault is great. It handles versioning and has a solid REST API. But it lacks a few things. You can't do real-time updates easily. There is no feature management. Tagging is limited.
That is where App Configuration steps in.
Azure App Configuration
Modern cloud apps are scattered everywhere. If you scatter your configuration settings alongside them, deployments become a nightmare.
App Configuration centralizes everything.
You need a solid naming convention before you start. Be consistent. Label your keys by domain so you can actually find them later.
common/apiKey
apis/basket-service/retryAttempts
external/twitter/apiKey
Tying It Together
These two services are built for each other.
App Configuration manages the hierarchy and distribution of your settings. Key Vault locks down the actual secret values. You link a Key Vault reference inside App Configuration. The application asks App Configuration for the setting, and it seamlessly resolves the secure value from Key Vault behind the scenes.
You get dynamic updates without redeploying. You control feature flags in real time. Your Key Vault values stay completely hidden.
Other storage options exist, like Table Storage or Cosmos DB. Skip them for secrets. They lack the native security features and cost significantly more.
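To make the "Key Vault reference" mechanism concrete, here is an added C# console example; it is not code from the original post. It uses the Azure SDK data-plane clients to write a reference into App Configuration and then resolves it by hand, the same way the configuration provider does behind the scenes. The environment variable names, the key, the label and the secret name are assumptions chosen for illustration.

```csharp
using Azure.Core;
using Azure.Data.AppConfiguration;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using System.Text.Json;

// Content type that marks a setting as a Key Vault reference rather than a plain value.
const string KeyVaultRefContentType =
    "application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8";

// Assumed environment variables (not from the original post):
//   APPCONFIG_ENDPOINT = https://<store>.azconfig.io
//   SECRET_URI         = https://<vault>.vault.azure.net/secrets/twitter-api-key
string storeEndpoint = Environment.GetEnvironmentVariable("APPCONFIG_ENDPOINT")
    ?? throw new InvalidOperationException("APPCONFIG_ENDPOINT not set");
string secretUri = Environment.GetEnvironmentVariable("SECRET_URI")
    ?? throw new InvalidOperationException("SECRET_URI not set");

// One identity for both services. With RBAC it needs a data-plane role on the store
// ("App Configuration Data Owner" to write, "Data Reader" to read) and
// "Key Vault Secrets User" on the vault. Neither role grants the other service.
TokenCredential credential = new DefaultAzureCredential();
var store = new ConfigurationClient(new Uri(storeEndpoint), credential);

// 1. Write the reference. The store receives only the URI; the secret itself never leaves Key Vault.
var reference = new ConfigurationSetting(
    key: "external/twitter/apiKey",
    value: JsonSerializer.Serialize(new { uri = secretUri }),
    label: "prod")
{
    ContentType = KeyVaultRefContentType,
};
store.SetConfigurationSetting(reference);

// 2. Read it back and resolve it.
ConfigurationSetting stored = store.GetConfigurationSetting("external/twitter/apiKey", "prod");
string apiKey = ResolveKeyVaultReference(stored, credential);
Console.WriteLine($"Stored value is a pointer only: {stored.Value}");
Console.WriteLine($"Resolved {stored.Key}: {apiKey.Length} characters (value not printed)");

string ResolveKeyVaultReference(ConfigurationSetting setting, TokenCredential cred)
{
    // Refuse to treat an ordinary value as a reference: the content type is the contract.
    if (setting.ContentType != KeyVaultRefContentType)
        throw new InvalidOperationException($"{setting.Key} is not a Key Vault reference");

    string uri = JsonDocument.Parse(setting.Value).RootElement.GetProperty("uri").GetString()
        ?? throw new InvalidOperationException($"{setting.Key} has no 'uri' field");

    // KeyVaultSecretIdentifier splits the URI into vault, secret name and optional version.
    var id = new KeyVaultSecretIdentifier(new Uri(uri));
    var vault = new SecretClient(id.VaultUri, cred);
    KeyVaultSecret secret = vault.GetSecret(id.Name, id.Version);
    return secret.Value;
}
```

The point worth checking in your own store: list the setting with the CLI or portal and confirm the value is the `{"uri": ...}` JSON, not the secret. If someone has copied the real value into App Configuration, the reference was never a reference and the store is now holding a secret outside the vault.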
The Setup
Connect them quickly in your .NET API.
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);

// Load settings from App Configuration; Key Vault references are resolved with the app's identity.
builder.Configuration.AddAzureAppConfiguration(options =>
{
    options.Connect(builder.Configuration["AppConfigConnectionString"])
           .ConfigureKeyVault(kv =>
           {
               kv.SetCredential(new DefaultAzureCredential());
           });
});

var app = builder.Build();
app.Run();
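The snippet above is the minimum. The added example below, not code from the original post, extends the same bootstrap to the two things the post promises from App Configuration: dynamic refresh without a redeploy and feature flags. It also connects with the store endpoint plus identity instead of a connection string, so no shared access key sits in configuration. The `APPCONFIG_ENDPOINT` setting, the `prod` label, the `common/sentinel` key and the `NewCheckoutFlow` flag are assumptions; the `SetRefreshInterval` name assumes the 7.x or later configuration provider package (earlier versions call it `SetCacheExpiration`).

```csharp
using Azure.Identity;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;
using Microsoft.FeatureManagement;

var builder = WebApplication.CreateBuilder(args);
var credential = new DefaultAzureCredential();

builder.Configuration.AddAzureAppConfiguration(options =>
{
    // Endpoint + identity instead of a connection string: nothing secret in app settings.
    // APPCONFIG_ENDPOINT is an assumed setting, e.g. https://<store>.azconfig.io
    options.Connect(new Uri(builder.Configuration["APPCONFIG_ENDPOINT"]!), credential)
           // Load only the shared keys and this service's own keys (the naming convention above).
           .Select("common/*", "prod")
           .Select("apis/basket-service/*", "prod")
           // Key Vault references are resolved with the same identity.
           .ConfigureKeyVault(kv => kv.SetCredential(credential))
           // Dynamic refresh: watch one sentinel key; change it to reload every loaded key.
           .ConfigureRefresh(refresh =>
               refresh.Register("common/sentinel", label: "prod", refreshAll: true)
                      .SetRefreshInterval(TimeSpan.FromMinutes(1)))
           // Feature flags are stored in the same store under .appconfig.featureflag/*
           .UseFeatureFlags();
});

builder.Services.AddAzureAppConfiguration();   // refresh service used by the middleware
builder.Services.AddFeatureManagement();       // IFeatureManager

var app = builder.Build();
app.UseAzureAppConfiguration();                // checks for refresh on incoming requests

// Reports whether the secret resolved and what the current settings are,
// without ever echoing the secret itself.
app.MapGet("/config-status", async (IConfiguration config, IFeatureManager features) =>
{
    string? apiKey = config["external/twitter/apiKey"];
    int retries = config.GetValue<int>("apis/basket-service/retryAttempts", 3);
    bool newCheckout = await features.IsEnabledAsync("NewCheckoutFlow");
    return Results.Ok(new
    {
        twitterKeyConfigured = !string.IsNullOrEmpty(apiKey),
        retryAttempts = retries,
        newCheckoutFlow = newCheckout,
    });
});

app.Run();
```

Two design notes. The `Select` filters keep the blast radius of a store in line with the one-vault-per-app rule: the basket service never loads another service's keys, so a bug in it cannot leak them. And the sentinel pattern means one intentional write triggers a consistent reload of all keys, rather than each key flipping at a different moment during a batched change.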
