For four months I've been developing a proof-of-concept console app, which uses Azure Key Vault for storing secrets. I've got it working fine. I also like the fact that Key Vault can be used for other things, such as keys and certificates. I believe that using Key Vault is the approach we should take, removing secrets from our repos and putting those secrets in a safe, secure place which can be managed in one location. And I think the price is quite reasonable.
However, another team has come up with what is an interesting alternative that's all on-prem. For a web app that runs on-prem, but is public facing, they've put all the developers into an Active Directory Group, so they could do development and testing. The really clever step they took next is they put the account that runs in the application pool on our server, and is used for connecting to the database, into the same AD Group. I've got to admit that this does get around using Azure for anything, which plays very well to our management who are very afraid of using the Cloud for anything. And it plays well with the development team, who have people on it that don't want to go to the Cloud for anything, too.
Soon, I'd like to demonstrate my app to all of IT. And when that time comes, I'm sure that people on this other team will pipe up and say that they've got a working solution that costs nothing at all. (There's a common misconception frequently used here that the electricity, infrastructure, and personnel that feed and maintain the server are somehow free.) I am going to argue that using Key Vault makes it possible for us to host the web app either on-prem, in a VM in the Cloud, or in an Azure App Service. Even if we did migrate this web app to the Cloud, duplicating what they've done would mean we would have to run it in a VM, since we'd have to have access to IIS in the VM so we could put the account in the IIS application pool into the same AD Group. First question, is my reasoning correct?
Secondly, I'd like to know if there are any other advantages that Key Vault has, over the solution that the other team has come up with?
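As an added illustration of the portability point raised in the question (this is example code, not the poster's app), the snippet below shows the one code path that reads a database connection string from Key Vault. The vault URI comes from an environment variable and the secret name `Db-ConnectionString` is an assumption; the `Azure.Identity` and `Azure.Security.KeyVault.Secrets` packages are the real Azure SDK libraries.

```csharp
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Hypothetical helper for the example: resolves the DB connection string from Key Vault.
// The only configuration the host needs is the vault URI (KEY_VAULT_URI); no secret is
// checked into the repo or stored in web.config.
public static class SecretProvider
{
    public static string GetDbConnectionString()
    {
        var vaultUri = Environment.GetEnvironmentVariable("KEY_VAULT_URI")
            ?? throw new InvalidOperationException("KEY_VAULT_URI is not set");

        // DefaultAzureCredential picks whichever identity the host provides:
        //  - on-prem IIS / a VM: a service principal supplied via the
        //    AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET (or certificate) variables
        //  - Azure App Service or an Azure VM: the resource's managed identity
        //  - a developer workstation: Visual Studio or Azure CLI sign-in
        // The application code is identical in all three cases.
        var client = new SecretClient(new Uri(vaultUri), new DefaultAzureCredential());

        // Assumed secret name; GetSecret returns the current (latest) version unless
        // a specific version is requested.
        KeyVaultSecret secret = client.GetSecret("Db-ConnectionString");
        return secret.Value;
    }
}
```

Two caveats worth stating when you present this. First, on-prem the host still has to hold one bootstrap credential for the service principal (or use a certificate in the machine store), so the win is that a single, rotatable Key Vault credential replaces per-resource secrets, not that secrets vanish entirely; in Azure with a managed identity that bootstrap credential disappears too. Second, the AD-group design avoids a database secret altogether because the app pool identity authenticates with integrated security, so the honest comparison is identity-based access to one database versus a portable, centrally audited store for all of an app's secrets, keys and certificates, with per-secret versioning and access logging that an AD group membership does not give you.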