TL;DR
Use Azure Key Vault for secrets (passwords, API keys, connection strings). Use Azure Environment Variables for configuration settings that aren’t sensitive. Key Vault is more secure and offers better management features.
1. Understanding the Difference
Both Azure Key Vault and Environment Variables store information your applications need to run. However, they are designed for different purposes:
- Azure Key Vault: A cloud service for securely storing and managing secrets like passwords, keys, certificates, and connection strings. It provides centralised secret management, access control, auditing, and versioning.
- Azure Environment Variables: Configuration settings that define the runtime behaviour of your application. These are typically less sensitive data such as database names, logging levels or feature flags.
2. Why Key Vault for Secrets?
- Security: Key Vault encrypts secrets at rest and in transit. It integrates with Azure Active Directory (Azure AD) for fine-grained access control. Environment variables are generally stored unencrypted and are readable by anyone who can view the app's configuration or its process environment, which exposes them.
- Centralised Management: Key Vault provides a single place to manage all your application’s secrets. You can easily rotate secrets without modifying your code.
- Auditing: Key Vault logs all access to secrets, providing an audit trail for security and compliance purposes.
- Versioning: Key Vault keeps track of different versions of your secrets, allowing you to roll back to previous versions if needed.
3. Why Environment Variables for Configuration?
- Simplicity: Environment variables are easy to set up and use. They don’t require a separate service like Key Vault.
- Portability: Environment variables can be easily moved between different environments (development, testing, production).
- Configuration Flexibility: Useful for settings that differ per environment and pose no security risk if disclosed.
4. Setting up Azure Key Vault
- Create a Key Vault: In the Azure portal, search for ‘Key Vault’ and create a new instance. Choose a suitable region and pricing tier.
- Add Secrets: Within your Key Vault, add secrets with descriptive names.
- Grant Access: Assign appropriate access policies to your application’s managed identity or service principal, granting only the permissions the app actually needs (for example, get on secrets). This is crucial for security!
5. Accessing Secrets from Azure Key Vault in Code (Example – .NET)
You’ll need the Azure.Identity and Azure.Security.KeyVault.Secrets NuGet packages.
```csharp
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Replace with your Key Vault URL
string keyVaultUrl = "https://your-key-vault-name.vault.azure.net/";

// DefaultAzureCredential uses the app's managed identity when running in Azure
// (and your developer login locally), so no client secret lives in the code.
var client = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential());

// Without a version argument this returns the latest enabled version of the secret.
// The await needs an async context (top-level statements or an async method).
KeyVaultSecret secret = await client.GetSecretAsync("your-secret-name");
string secretValue = secret.Value;
```
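The snippet above fetches a secret once. In a running service you usually want the value cached for a short time so that a rotated secret (section 2, Centralised Management and Versioning) is picked up without a redeploy, and you want Key Vault errors turned into actionable messages without the secret value ever reaching a log. The following is an added example, not code from the original article; the `CachedSecretReader` type, the cache TTL, the vault URL and the secret name `DbPassword` are assumptions for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Usage (top-level statements, .NET 6+). The vault URL is a placeholder.
var reader = new CachedSecretReader(
    new Uri("https://your-key-vault-name.vault.azure.net/"), TimeSpan.FromMinutes(5));
string dbPassword = await reader.GetAsync("DbPassword");
// Log that the secret loaded, never the value itself.
Console.WriteLine($"Loaded secret 'DbPassword' ({dbPassword.Length} chars)");

public sealed class CachedSecretReader
{
    private readonly SecretClient _client;
    private readonly TimeSpan _ttl;
    private readonly ConcurrentDictionary<string, (string Value, DateTimeOffset Expires)> _cache = new();

    public CachedSecretReader(Uri vaultUri, TimeSpan ttl)
    {
        // Managed identity in Azure, developer credentials locally: no secret in code.
        _client = new SecretClient(vaultUri, new DefaultAzureCredential());
        _ttl = ttl;
    }

    public async Task<string> GetAsync(string name)
    {
        if (_cache.TryGetValue(name, out var hit) && hit.Expires > DateTimeOffset.UtcNow)
            return hit.Value;

        try
        {
            // No version given, so the latest enabled version is returned and a
            // rotated secret is picked up on the next cache miss.
            KeyVaultSecret secret = await _client.GetSecretAsync(name);
            _cache[name] = (secret.Value, DateTimeOffset.UtcNow.Add(_ttl));
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // The app identity lacks "get" permission on secrets: fix the access policy or RBAC role.
            throw new InvalidOperationException(
                $"Access to secret '{name}' was denied; check the app identity's Key Vault permissions.", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            throw new InvalidOperationException(
                $"Secret '{name}' was not found in {_client.VaultUri}.", ex);
        }
    }

    // Pin an earlier version explicitly when you need to roll back (section 2, Versioning).
    public async Task<string> GetVersionAsync(string name, string version)
    {
        KeyVaultSecret secret = await _client.GetSecretAsync(name, version);
        return secret.Value;
    }
}
```

A short TTL keeps the number of Key Vault calls low while still letting a rotation take effect within minutes; the 403 and 404 cases are separated because the first is fixed by changing the access policy from section 4 and the second by checking the secret name.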
6. Setting Environment Variables in Azure
- App Service: In the Azure portal, navigate to your App Service and go to ‘Configuration’ under ‘Settings’. Add or modify environment variables as needed.
- Azure Functions: The same process as for App Service – open ‘Configuration’ within your Function App settings. Application settings are exposed to your function code as environment variables.
7. Accessing Environment Variables in Code (Example – .NET)
```csharp
using System;

// GetEnvironmentVariable returns null when the setting is not defined,
// so validate the values before using them.
string databaseName = Environment.GetEnvironmentVariable("DATABASE_NAME");
string loggingLevel = Environment.GetEnvironmentVariable("LOGGING_LEVEL");
```
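Reading an environment variable is one line, but the settings still need validation: a required value may be unset, an optional one may be misspelled, and a credential can end up in plain configuration by mistake, which is exactly what the split between Key Vault and environment variables is meant to prevent. The following is an added example, not code from the original article; the setting names `DATABASE_NAME` and `LOGGING_LEVEL` come from the text, while the `AppConfig` type, the `LoggingLevel` enum and the "looks like a secret" guard are assumptions for illustration, and the sample values are constructed so the program runs outside Azure.

```csharp
using System;
using System.Text.RegularExpressions;

// Constructed sample values so this runs locally; in App Service or a Function
// App these come from the 'Configuration' blade.
Environment.SetEnvironmentVariable("DATABASE_NAME", "orders");
Environment.SetEnvironmentVariable("LOGGING_LEVEL", "warning");

var config = AppConfig.FromEnvironment();
Console.WriteLine($"db={config.DatabaseName} log={config.LoggingLevel}");

public enum LoggingLevel { Debug, Information, Warning, Error }

public sealed record AppConfig(string DatabaseName, LoggingLevel LoggingLevel)
{
    // Fragments that indicate a credential was pasted into plain configuration
    // (e.g. "Password=" in a connection string). Heuristic, not a complete list.
    private static readonly Regex LooksLikeSecret =
        new(@"(password|pwd|secret|accountkey)\s*=", RegexOptions.IgnoreCase);

    public static AppConfig FromEnvironment()
    {
        string databaseName = Required("DATABASE_NAME");

        if (LooksLikeSecret.IsMatch(databaseName))
            throw new InvalidOperationException(
                "DATABASE_NAME appears to contain a credential; keep passwords and keys in Key Vault, not in app settings.");

        // Optional setting: fall back to Information when unset or unparsable.
        string? raw = Environment.GetEnvironmentVariable("LOGGING_LEVEL");
        LoggingLevel level = Enum.TryParse(raw, ignoreCase: true, out LoggingLevel parsed)
            ? parsed
            : LoggingLevel.Information;

        return new AppConfig(databaseName, level);
    }

    // Fail fast at startup rather than hitting a null reference later.
    private static string Required(string name)
    {
        string? value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException($"Required setting {name} is not set.");
        return value;
    }
}
```

Failing at startup on a missing required setting makes a misconfigured deployment slot obvious immediately, and the credential guard catches the common slip of putting a full connection string, password included, into app settings instead of Key Vault.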
8. Summary Table
| Feature | Azure Key Vault | Azure Environment Variables |
|---|---|---|
| Data Type | Secrets (passwords, keys, connection strings) | Configuration settings |
| Security | Highly secure (encryption, access control, auditing) | Generally unencrypted |
| Management | Centralised secret management, versioning | Simple but limited |
| Complexity | More complex setup | Easy to set up |