Method for organising secrets in Key Vault (folders/sections)
I'm using key vault as a central key/value configuration repository. I have a lot of configuration keys, so navigating the vault has become tricky.
It would be really great if there was some form of cosmetic layer over the top, so that similar items could be grouped, to make navigation easier.
Key Vault should not be used for configuration, but for actual secrets like passwords, connection strings, etc.
For configuration we recommend using Azure App Configuration Store, which for better protection can be encrypted using Key Vault keys.
More information can be found here:
One Key Vault per application per environment is recommended. In some cases multiple vaults are recommended, when an application has multiple independently deployable components/services.
Key Vault should be part of an independently deployable set of application or service components.
Managing hundreds of key vaults should be as easy as managing hundreds of databases/datastores, and that would be the path for Key Vault to keep improving that management, so that security boundaries and deployment boundaries are protected.
Yes, we need this. How about a search function? It's ridiculous to have to scroll down the list to find the secret I want to change.
+1 on this. Having to create a new KV every time you need to isolate secrets is a maintenance challenge.
Traber Campbell commented
+1 to having a way to organize secrets. It would be even better to integrate that with RBAC.
While it is true that non-sensitive data should go in a different type of key/value store (like Azure Configuration - https://azure.microsoft.com/en-us/services/app-configuration/), we still have dozens of secrets to maintain for any reasonably-sized service.
Key Vault should provide features to do this, such as folders or tags on individual secrets/keys/certs.
Rasmus Christensen commented
Simple tagging would be a great option to filter/search for secrets.
I vote for this as well. Managing 100+ key vaults in an enterprise is a PITA. Also building a database to manage this is a PITA as well. Just give me a single enterprise-wide vault that we can segregate keys for various apps.
Example: I have 3 application nodes. Each application needs to look up a secret from the key vault. The value of each needs to be different, but the name of the secret is the same. I.e., I have 3 secrets with the same name that I want to store in 1 key vault (now multiply that by the number of environments (3) I want to have, and now I need 9 key vaults for one apiKey!)
What would be great is if I stored a secret with the name "node1--apikey" and then used the URL https://my-keyvault.vault.azure.net/node1, I would be able to access a secret by the name "apikey". I.e., if a secret name is delimited by -- and the key vault is accessed with a subfolder (or subfolders) that matches the first part of the name, only the names that start with that folder are returned.
Does that make sense?
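The "--" delimited folder convention proposed above, implemented client-side as an added example that is not part of this thread or of Key Vault itself; it works over a plain list of secret names such as a "list secrets" call returns, and assumes only the Key Vault secret-name rules (ASCII letters, digits and hyphens, 1 to 127 characters). All function names and the sample inventory are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Key Vault secret names may contain only ASCII letters, digits and hyphens
# (1-127 characters), so a double hyphen is a legal in-name folder delimiter.
SEP = "--"
SEGMENT_RE = re.compile(r"^[0-9A-Za-z][0-9A-Za-z-]*$")
Folder = Tuple[str, ...]

# Constructed inventory standing in for the names a "list secrets" call returns.
SAMPLE_SECRETS: List[str] = [
    "node1--apikey", "node2--apikey", "node3--apikey",
    "node1--dbpassword", "shared--smtp--password", "toplevel",
]

def is_valid_name(name: str) -> bool:
    """Reject names that break the vault's rules or have empty/hyphen-led segments."""
    if not 1 <= len(name) <= 127:
        return False
    return all(SEGMENT_RE.match(seg) for seg in name.split(SEP))

def split_name(name: str) -> Tuple[Folder, str]:
    """'shared--smtp--password' -> (('shared', 'smtp'), 'password')"""
    parts = name.split(SEP)
    return tuple(parts[:-1]), parts[-1]

def list_folder(names: List[str], folder: Folder) -> Dict[str, str]:
    """Logical name -> physical name for secrets directly inside `folder`."""
    result: Dict[str, str] = {}
    for name in names:
        path, leaf = split_name(name)
        if path == folder:
            result[leaf] = name
    return result

def subfolders(names: List[str], folder: Folder) -> List[str]:
    """Immediate child folders of `folder`, for navigation."""
    children = set()
    for name in names:
        path, _ = split_name(name)
        if len(path) > len(folder) and path[: len(folder)] == folder:
            children.add(path[len(folder)])
    return sorted(children)

def resolve(names: List[str], folder: Folder, logical: str) -> Optional[str]:
    """Physical name a node in `folder` should fetch for `logical`, or None.
    This is a naming convention only: any principal with list/get permission
    still sees every folder, so access boundaries remain per vault or per secret."""
    physical = SEP.join(folder + (logical,))
    return physical if physical in names else None
```

Each node resolves the same logical name ("apikey") under its own folder, which is the scenario described above, without needing a vault per node.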
Jon McGuire commented
@Amit, he specifically says "configuration repository" -- he isn't using it as a generic name/value database.
Amit Bapat commented
Key Vault is designed for storing application secrets and cryptographic keys for cloud applications. It is not intended to be used as a name-value database, and hence we are not planning to add features for such scenarios. If your application needs a large number of name<=>value pairs, consider using a database. You can also decide to encrypt the data stored in such a database for added security, and then store the encryption keys and the connection string to your database in Key Vault.