Question

Asked by tkbsmanian (edited by MikeUrnun)

Get secret service Vs HTTP Connector with Managed Identities to Access Secret

Hello Everyone,

I have following queries for better clarity and understanding to design integration with the recommended best practices considering security vulnerabilities. Appreciate your thoughts and views on the queries below.

  1. Is there any documentation available to check details about connector (action) services made available to the general public from preview? Or how to check those details? I wanted to check when the "Get secret" service for Logic Apps became available to the general public from preview (and how long it was under preview).

  2. Is there any downfall accessing the secret value from key vault using HTTP connector (GET) with Managed Identity authentication enabled along with Secure Input and Secure Output options also enabled? What are all the security vulnerabilities of this approach? Appreciate if anyone could share MS documentation on the same, if any exists.

  3. What is the advantage of using the "Get Secret" service over the method explained in #2 above to access a secret from key vault? Any best practice recommendations from MS (prefer a documentation link) on which connector should be used to access a key vault secret?

Appreciate your help in advance.

Tags: azure-logic-apps, azure-key-vault, azure-managed-identity

1 Answer

Answered by MikeUrnun (edited)

Hello @tkbsmanian - Welcome, and thank you for posting here on MS Q&A!

Please see my answers below:

  1. The Connector Reference doc distinguishes the production-ready vs. preview connectors and lists the connectors that fall under each category.

  2. Measuring security and its possible vulnerabilities is a pretty broad topic, and the details depend heavily on the specifics of the system/workflow being discussed. Generally speaking, by choosing Key Vault (state-of-the-art secret store and management for data/secrets at rest), Managed Identity (Azure-managed service principal), and enabling the Secure Input/Output options in Logic Apps (securing data/secrets in transit), you're absolutely on the cutting-edge track and can rely on Azure SLAs. I'm not sure if network isolation via VNETs or something like certificate-based authentication applies to your use case (or they may be overkill?); then again, the specifics of your system and compliance requirements, if any, will ultimately inform the decision. For general information on secure architecture, how Azure services approach security, and an overview of related services, I invite you to review our Azure Architecture Center docs on security: Security architecture design

  3. The "Get Secret" action in the Key Vault connector invokes the same "Get Secret" operation in the Key Vault API under the covers, but makes it so that you're implementing the operation via Logic Apps with ease by leveraging the designer-first approach, and are able to incorporate other disparate services and components into your integration solution.

I hope these answers are helpful; let me know if you have any further questions.
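As an added illustration (not part of the question or the answer above), here is a Logic Apps workflow-definition fragment showing the two approaches side by side: the HTTP action calling the Key Vault REST API with the Logic App's managed identity, and the Key Vault connector's "Get secret" action, each with secure inputs/outputs enabled so the secret value is masked in run history. The vault name, secret name and the `keyvault` connection name are placeholders you would replace with your own.

```json
{
  "actions": {
    "Get_secret_via_HTTP": {
      "type": "Http",
      "inputs": {
        "method": "GET",
        "uri": "https://<vault-name>.vault.azure.net/secrets/<secret-name>?api-version=7.3",
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "https://vault.azure.net"
        }
      },
      "runtimeConfiguration": {
        "secureData": {
          "properties": [ "inputs", "outputs" ]
        }
      },
      "runAfter": {}
    },
    "Get_secret_via_connector": {
      "type": "ApiConnection",
      "inputs": {
        "host": {
          "connection": {
            "name": "@parameters('$connections')['keyvault']['connectionId']"
          }
        },
        "method": "get",
        "path": "/secrets/@{encodeURIComponent('<secret-name>')}/value"
      },
      "runtimeConfiguration": {
        "secureData": {
          "properties": [ "inputs", "outputs" ]
        }
      },
      "runAfter": {}
    }
  }
}
```

In both cases the Logic App's identity still needs a Key Vault access policy or RBAC role that grants only secret "get" on that vault; without `secureData`, the returned secret would be visible in plain text in the action's outputs in run history.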