key vault - for multiple app services should I create a separate key vault in one environment

Neha Oberoi 11 Reputation points
2020-08-26T05:40:10.787+00:00

Hi All,

I have multiple web apps in each env (and 4 environments in different Azure subscriptions). We are trying to use Key Vault but would like to know -

1.) The Microsoft document states that we should use a separate key vault for each app https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices, but I am not sure if this would make things complex. If I have 20 or 30 web apps, will I create 30 key vaults in each env?

2.) If we use only 1 key vault and add all secrets to it, how will we manage each application to access only the required secrets and not all of them?

Please recommend the best approach for this.

Regards,
Neha Oberoi


2 answers

  1. Vaibhav Chaudhari 38,576 Reputation points
    2020-08-26T06:01:11.947+00:00

    The document you pointed to says -

    Our recommendation is to use a vault per application per environment (Development, Pre-Production and Production). This helps you not share secrets across environments and also reduces the threat in case of a breach.

    So ideally you can create 3 Key vaults - Dev, UAT and Prod. This is what I have seen in real projects.

    All the (20 or 30) applications in the Dev environment can fetch secrets from the Dev Key Vault, and developers can be granted access to this Key Vault. Creating 20-30 Key Vaults would be complicated and difficult to manage.

    For the UAT & Prod Key Vaults, only admins should have access.


    Please don't forget to Accept Answer and Up-vote if the response helped -- Vaibhav

    2 people found this answer helpful.

  2. Neha Oberoi 11 Reputation points
    2020-08-26T06:31:26.837+00:00

    @Vaibhav Chaudhari : I was also considering a similar scenario to the one you described, but I have one question then: why do they recommend per application & per env? Should they not suggest only per env?
    I am a bit confused by this statement about per application.

    Also, if I share one key vault with multiple applications in the Dev env, will it cause any overhead or issue, as suggested in https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-3.1#use-a-key-name-prefix

    2 people found this answer helpful.
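The key-name-prefix approach linked above, as an added example (not code from either poster or from the Microsoft doc): each app loads only the secrets that start with its own prefix from a shared per-environment vault. It assumes the Azure.Extensions.AspNetCore.Configuration.Secrets package, .NET 6 minimal hosting, a `KeyVaultUri` app setting and the app name `OrdersApi`. The prefix is a client-side filter only: the app's managed identity still needs Get and List on the whole vault, so it separates configuration, not access; a per-app vault (or per-app RBAC scope) is what actually limits what a compromised app can read.

```csharp
using System;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;

// Program.cs (ASP.NET Core 6+ minimal hosting, top-level statements)
var builder = WebApplication.CreateBuilder(args);

// Assumed: the vault URI is supplied per environment, e.g. as an App Service
// setting "KeyVaultUri" = https://kv-dev-shared.vault.azure.net/ (placeholder).
var vaultUri = new Uri(builder.Configuration["KeyVaultUri"]);

builder.Configuration.AddAzureKeyVault(
    vaultUri,
    new DefaultAzureCredential(),                 // this web app's managed identity
    new PrefixKeyVaultSecretManager("OrdersApi")); // assumed app name

var app = builder.Build();
app.Run();

// Loads only secrets named "<AppName>--..." and strips the prefix, so the
// vault secret "OrdersApi--ConnectionStrings--Sql" becomes the config key
// "ConnectionStrings:Sql". Secrets for other apps are never fetched, but the
// identity could still read them: this is a naming convention, not a permission.
public class PrefixKeyVaultSecretManager : KeyVaultSecretManager
{
    private readonly string _prefix;

    public PrefixKeyVaultSecretManager(string appName)
        => _prefix = $"{appName}--";

    // Called once per secret listed in the vault; returning false skips the Get call.
    public override bool Load(SecretProperties properties)
        => properties.Name.StartsWith(_prefix, StringComparison.Ordinal);

    // Maps the remaining secret name onto the configuration key hierarchy.
    public override string GetKey(KeyVaultSecret secret)
        => secret.Name.Substring(_prefix.Length)
                      .Replace("--", ConfigurationPath.KeyDelimiter);
}
```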