Get secret service Vs HTTP Connector with Managed Identities to Access Secret

BalaKumaran 1 Reputation point
2022-03-15T03:54:05.783+00:00

Hello Everyone,

I have the following queries for better clarity and understanding, to design the integration with the recommended best practices considering security vulnerabilities. Appreciate your thoughts and views on the queries below.

  1. Is there any documentation available to check details about connector (action) services made available for the general public from preview? Or how to check those details? Wanted to check when the "Get secret" service for Logic Apps became available for the general public from preview (and how long it was under preview).
  2. Is there any downfall accessing the secret value from key vault using HTTP connector (GET) with Managed Identity authentication enabled along with Secure Input and Secure Output options also enabled? What are all the security vulnerabilities of this approach? Appreciate if anyone could share MS documentation on the same, if any exists.
  3. What is the advantage of using “Get Secret” service over the method explained in #2 above, to access secret from key vault? Any best practice recommendations from MS (prefer documentation link) on which connector to be used to access key vault secret?

Appreciate your help in advance.


1 answer

  1. Mike Urnun 9,756 Reputation points Microsoft Employee
    2022-03-18T23:32:20.287+00:00

    Hello @BalaKumaran - Welcome, and thank you for posting here on MS Q&A!

    Please see my answers below:

    1. Connector Reference doc distinguishes the Production-ready vs Preview Connectors and lists the connectors that fall under each category.
    2. Measuring security & its possible vulnerabilities is a pretty broad topic and the details depend heavily on the specifics of the system/workflow being discussed. Generally speaking, by choosing KeyVault (state-of-art secret store & management for data/secret-at-rest), Managed Identity (Azure-managed service principal), and enabling the Secure Input/Output options in Logic Apps (securing data/secret in-transit), you're absolutely on the cutting-edge track and can rely on Azure SLAs. I'm not sure if network isolation via VNETs or something like certificate-based authentication applies to your use case (or they may be overkill?); then again, the specifics of your system & compliance requirements, if any, will ultimately inform the decision. For general information on secure architecture and how Azure services approach security and their overview of related services, I invite you to review our Azure Architecture Center docs on security: Security architecture design
    3. The "Get Secret" action in the KeyVault Connector invokes the same "Get Secret" operation in the KeyVault API under the covers, but just makes it so that you're implementing the operation via Logic Apps with ease by leveraging the designer-first approach, and are able to incorporate other disparate services and components for your integration solution.

    I hope these answers are helpful, let me know if you have any further questions.

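As an added illustration (not code from the question or the answer above), the two approaches discussed, the HTTP action with Managed Identity and the Key Vault connector's "Get secret" action, written side by side as actions in a Logic Apps workflow definition, each with Secure Inputs/Outputs switched on through `runtimeConfiguration.secureData`. The vault name `contoso-kv`, the secret name `db-password` and the API connection name `keyvault` are constructed placeholders.

```json
{
  "actions": {
    "Get_secret_via_HTTP": {
      "type": "Http",
      "inputs": {
        "method": "GET",
        "uri": "https://contoso-kv.vault.azure.net/secrets/db-password?api-version=7.3",
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "https://vault.azure.net"
        }
      },
      "runtimeConfiguration": {
        "secureData": {
          "properties": [ "inputs", "outputs" ]
        }
      },
      "runAfter": {}
    },
    "Get_secret_via_connector": {
      "type": "ApiConnection",
      "inputs": {
        "host": {
          "connection": {
            "name": "@parameters('$connections')['keyvault']['connectionId']"
          }
        },
        "method": "get",
        "path": "/secrets/@{encodeURIComponent('db-password')}/value"
      },
      "runtimeConfiguration": {
        "secureData": {
          "properties": [ "inputs", "outputs" ]
        }
      },
      "runAfter": {}
    }
  }
}
```

In both cases the secret is read downstream as `body('<action name>')?['value']`; without the `secureData` entries, that value is written in plain text to the run history, which is the main exposure the question's Secure Input/Output settings are there to prevent.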