While there are other posts about being able to manage KeyVault content from the Portal (which is needed, in fact), there should also be integration to do direct-push to KeyVault. In particular, Storage Keys would be the first item (click on button, select existing vault or new vault, select key name or new key name.) Same should extend to SQL Azure Connection Strings, Service Bus Connection Strings, etc.

Use the current user's AAD to set the permission just as if they were using PowerShell and had typed "Login-AzureRmAccount". They're already staring at the value (in the case of Storage Keys.) In cases where the signed in user lacks permission to read the value, they also will lack permission to "push to Key Vault."