Container App Secrets Vs Key Vault
I'm looking to have a "container app" with a PHP Laravel web application open on port 80/443.
The application will need to connect to a MySQL database, which of course needs a host, database, username, and password.
Would the "Container App: Secrets" be considered secure enough to store the database password, and further is it safe to pass this to the container through the "Reference a secret" feature when defining the environment variables for the container?
Secondary to this, I'm aware of the Key Vault, but this seems like a complex solution. Is this better than passing my password through Secrets? If yes, why? Is there a particular reason Key Vault is good/better for passing database passwords to my containerised application?
I'm concerned that every time I need to access the database, I need to make an EXTRA request to the key store for the raw password to then use in the connection; high-speed responses to the client will be essential for my application.
Perhaps this is more of a docker question, but are there security vulnerabilities with storing the database password at the single app container root and my app retrieving this from the container root during runtime? Or is it just not advised so passwords can be rotated?
This is all theory and research for now.
Hi @Shea, welcome to the Microsoft Q&A forum. Thanks for posting your question.
I have reached out to the internal team and will provide you with more information.
As far as my research can find, Vault uses Secrets under the hood for values, the same as container app secrets. I'm curious if there's any fundamental difference, or if values are stored basically the same way. (Excluding HSM)
@Shea On your points 1 and 4, adding a container tag so someone from the container team can comment.
You can use the Key Vault to store not only your passwords, but also entire connection strings (host name and user name), and when you want to connect to MySQL, you simply get these connection strings from the vault.
If you use a connection pool, this will have much less of an impact on performance, because the long-lived connection only receives information from the Key Vault at the start of the connection; once the connection is established, there will be no more access to the Key Vault. However, if you do not use a connection pool, this will have a significant performance impact.
Thanks for the reply.
"much less of an impact on performance because the long-lived connection"
Do you have any documentation regarding these 'connection pools' and their performance? I can't find any myself. Further to the quote above, I'm not sure how I would hold a connection open using PHP unless I'm missing something here.
I'm also not sure that fully answers my question?
"Would the "Container App: Secrets" be considered secure enough to store the database password, and further is it safe to pass this to the container through the "Reference a secret" feature when defining the environment variables for the container?"
This is the key piece of information I am looking for.
If my application is only going to handle a small handful of secrets, I don't see value in spending extra time implementing a key vault. It's a major hassle, mainly when using Laravel PHP.
I'm mostly curious about security. Are "Container Secrets" actually insecure? Or is Vault just recommended for scale? (Further, if they are insecure, why does the "reference a secret" feature exist?)
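As an added illustration of the two points raised in this thread (the answer's "the long-lived connection only receives the secret at the start" and the follow-up question of how a PHP app would hold a connection open), here is a small PHP example that is not from either participant. It assumes the Container App injects the password as the environment variable DB_PASSWORD via "Reference a secret" (the DB_HOST, DB_NAME and DB_USER names are likewise assumptions), and uses PDO's persistent-connection option so the credential is read once per PHP-FPM worker rather than fetched on every request.

```php
<?php
// Added example, not code from the thread. Credentials arrive as environment
// variables that the Container App populates from its secrets
// (e.g. DB_PASSWORD referenced from the secret "db-password"); variable names are assumptions.

function requiredEnv(string $name): string
{
    $value = getenv($name);
    if ($value === false || $value === '') {
        // Fail closed: never fall back to a hard-coded or default password
        // if the secret reference was not wired up in the app definition.
        throw new RuntimeException("Missing required environment variable: {$name}");
    }
    return $value;
}

function dbConnection(): PDO
{
    // The static cache de-duplicates connections within one request;
    // PDO::ATTR_PERSISTENT keeps the underlying MySQL connection alive
    // across requests served by the same PHP-FPM worker, so the password
    // is only used at connection setup, not on every page load.
    static $pdo = null;
    if ($pdo !== null) {
        return $pdo;
    }

    $dsn = sprintf(
        'mysql:host=%s;dbname=%s;charset=utf8mb4',
        requiredEnv('DB_HOST'),
        requiredEnv('DB_NAME')
    );

    try {
        $pdo = new PDO($dsn, requiredEnv('DB_USER'), requiredEnv('DB_PASSWORD'), [
            PDO::ATTR_PERSISTENT => true,
            PDO::ATTR_ERRMODE    => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        // Log only the DSN (host/db name), never the password or the full exception
        // message, which can echo connection details into application logs.
        error_log('MySQL connection failed for DSN: ' . $dsn);
        throw new RuntimeException('Database unavailable');
    }
    return $pdo;
}
```

In a Laravel project the equivalent is to keep `env('DB_PASSWORD')` in config/database.php (no literal values committed) and add `PDO::ATTR_PERSISTENT => true` to that connection's `options` array.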