Azure  

Azure Key Vault Tutorial: Securely Store Application Secrets

Introduction

Modern applications depend on many sensitive pieces of information, such as database passwords, API keys, certificates, storage account keys, and third-party service credentials. Protecting these secrets is one of the most important responsibilities of any development team.

Unfortunately, many applications still store secrets inside configuration files, environment variables, or source code repositories. This approach creates serious security risks and can lead to data breaches if credentials are exposed.

Microsoft Azure provides Azure Key Vault, a cloud service specifically designed to securely store and manage secrets, encryption keys, and certificates.

In this tutorial, you'll learn what Azure Key Vault is, why it's important, how it works, and how to integrate it with ASP.NET Core applications using modern security best practices.

What Is Azure Key Vault?

Azure Key Vault is a cloud-based service that securely stores and manages sensitive information.

It helps organizations protect:

  • Application secrets

  • Database passwords

  • API keys

  • Encryption keys

  • SSL certificates

  • Connection strings

Instead of storing secrets directly inside applications, developers store them in Azure Key Vault and retrieve them securely when needed.

Think of Azure Key Vault as a highly secure bank vault.

Instead of carrying cash in your pocket, you store valuable assets in a protected vault and access them only when required.

Azure Key Vault works the same way for application secrets.

Why Do We Need Azure Key Vault?

Let's consider a common example.

A typical ASP.NET Core application may contain:

{
  "ConnectionStrings": {
    "DefaultConnection":
    "Server=myserver;
     Database=SalesDb;
     User Id=admin;
     Password=Secret123"
  }
}

Problems with this approach:

  • Secrets are visible in configuration files.

  • Credentials may be committed to Git repositories.

  • Password rotation becomes difficult.

  • Compliance requirements become harder to meet.

  • Security risks increase.

Azure Key Vault eliminates these problems by storing secrets outside the application.

How Azure Key Vault Works

The workflow is straightforward.

ASP.NET Core App
        ↓
Managed Identity
        ↓
Azure Key Vault
        ↓
Retrieve Secret
        ↓
Application Uses Secret

The application never stores sensitive information locally.

Instead, it retrieves secrets securely from Azure Key Vault whenever needed.

Types of Data Stored in Key Vault

Azure Key Vault supports three primary categories.

Secrets

Secrets include:

  • Passwords

  • API Keys

  • Connection Strings

  • Authentication Tokens

Example:

DatabasePassword
StripeApiKey
StorageConnectionString

Keys

Cryptographic keys used for:

  • Data encryption

  • Data decryption

  • Digital signatures

Example:

RSA Encryption Keys

Certificates

Used for:

  • SSL/TLS communication

  • Website security

  • Application authentication

Example:

companydomain.com SSL Certificate

Real-World Example

Imagine an e-commerce platform.

The application requires access to:

  • SQL Database

  • Payment Gateway API

  • Azure Storage

  • Email Service

Without Key Vault:

appsettings.json
      ↓
Database Password
API Keys
Storage Keys

With Key Vault:

Azure Key Vault
      ↓
Secrets Stored Securely
      ↓
Application Accesses When Needed

Security improves dramatically.

Creating an Azure Key Vault

Login to Azure Portal.

Navigate to:

Create Resource
       ↓
Key Vault

Provide:

  • Subscription

  • Resource Group

  • Vault Name

  • Region

Example:

Vault Name:
MyCompanyKeyVault

Click:

Review + Create

Azure creates the Key Vault.

Adding Secrets to Key Vault

Open your Key Vault.

Navigate to:

Objects
    ↓
Secrets

Click:

Generate / Import

Add a secret.

Example:

Name:
DatabasePassword

Value:
MySecurePassword123

Save the secret.

Azure securely stores it.

Creating Secrets Using Azure CLI

You can also create secrets using Azure CLI.

Create a secret:

az keyvault secret set \
    --vault-name MyCompanyKeyVault \
    --name DatabasePassword \
    --value MySecurePassword123

Retrieve a secret:

az keyvault secret show \
    --vault-name MyCompanyKeyVault \
    --name DatabasePassword

This approach is useful for automation and CI/CD pipelines.

Securing Access with Managed Identity

The recommended approach is to use Managed Identity.

Enable Managed Identity on your Azure App Service.

App Service
     ↓
Identity
     ↓
System Assigned
     ↓
Enable

Azure creates an identity automatically.

Now grant Key Vault access.

Navigate to:

Key Vault
     ↓
Access Control (IAM)

Assign role:

Key Vault Secrets User

Your application can now access secrets securely.

No passwords are required.

Installing Required NuGet Packages

Add Azure SDK packages.

dotnet add package Azure.Identity

dotnet add package Azure.Security.KeyVault.Secrets

These packages allow your application to communicate with Azure Key Vault.

Accessing Secrets in ASP.NET Core

Create a SecretClient.

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var client = new SecretClient(
    new Uri("https://mycompanykeyvault.vault.azure.net/"),
    new DefaultAzureCredential());

Retrieve a secret.

var secret = await client.GetSecretAsync(
    "DatabasePassword");

Console.WriteLine(secret.Value.Value);

Azure automatically handles authentication.

Understanding DefaultAzureCredential

You'll frequently encounter this class.

new DefaultAzureCredential()

This credential automatically selects the appropriate authentication method.

During local development:

Visual Studio Login
      ↓
Azure CLI Login
      ↓
Developer Account

In production:

Managed Identity
      ↓
Azure Authentication

The same code works in both environments.

This simplifies development significantly.

Integrating Key Vault with Configuration

Instead of manually retrieving secrets, you can integrate Key Vault directly into ASP.NET Core configuration.

Program.cs:

builder.Configuration.AddAzureKeyVault(
    new Uri("https://mycompanykeyvault.vault.azure.net/"),
    new DefaultAzureCredential());

Now secrets behave like normal configuration values.

Example:

var password =
    builder.Configuration["DatabasePassword"];

This makes migration from appsettings.json very easy.

Secret Versioning

Azure Key Vault automatically supports secret versioning.

Suppose you update a secret.

Old version:

DatabasePassword = Password123

New version:

DatabasePassword = Password456

Azure stores both versions.

Benefits:

  • Rollback capability

  • Audit tracking

  • Safer deployments

This feature is extremely valuable in enterprise environments.

Secret Rotation

One major advantage of Key Vault is easier secret rotation.

Traditional process:

Update Password
      ↓
Modify Application Config
      ↓
Redeploy Application

Key Vault process:

Update Secret
      ↓
Application Reads New Secret

No configuration file updates are required.

This reduces operational overhead.

Monitoring and Auditing

Azure Key Vault provides logging and monitoring.

You can track:

  • Secret access

  • Authentication failures

  • Permission changes

  • Secret creation

  • Secret deletion

Benefits include:

  • Improved security

  • Compliance reporting

  • Threat detection

Organizations often integrate these logs with Azure Monitor and Microsoft Sentinel.

Common Mistakes Developers Make

Storing Secrets in Source Code

Bad example:

string password = "Secret123";

Secrets should never be hardcoded.

Using Connection Strings Instead of Managed Identity

Many developers move secrets to Key Vault but continue storing credentials elsewhere.

Use:

DefaultAzureCredential

Instead of:

StorageConnectionString

Granting Excessive Permissions

Follow the principle of least privilege.

Grant only the permissions required.

Real-World Scenario

Consider a healthcare application.

The application stores:

  • Patient database credentials

  • API keys

  • Encryption certificates

Without Key Vault:

  • Secrets are scattered across systems.

  • Security audits become difficult.

  • Compliance risks increase.

With Key Vault:

  • Secrets are centralized.

  • Access is controlled.

  • Auditing becomes easier.

  • Compliance improves.

This is why many enterprise organizations use Azure Key Vault as their primary secret management solution.

Advantages of Azure Key Vault

Azure Key Vault provides many benefits.

  • Centralized secret management

  • Improved security

  • Secret versioning

  • Automatic rotation support

  • Audit logging

  • Integration with Managed Identity

  • Compliance support

  • Reduced credential exposure

These benefits help protect applications from common security threats.

Best Practices

When using Azure Key Vault:

  • Store all secrets in Key Vault.

  • Use Managed Identity whenever possible.

  • Enable logging and monitoring.

  • Rotate secrets regularly.

  • Use RBAC for access management.

  • Avoid hardcoded credentials.

  • Follow least-privilege principles.

  • Use separate vaults for different environments.

These practices improve both security and maintainability.

Conclusion

Azure Key Vault is one of the most important security services available in Azure. It provides a secure and centralized location for storing secrets, encryption keys, and certificates while eliminating the need to keep sensitive information inside application code or configuration files.

By combining Azure Key Vault with Managed Identity, developers can build highly secure ASP.NET Core applications that authenticate and retrieve secrets without managing passwords or client secrets manually.

Whether you're developing APIs, microservices, enterprise applications, or cloud-native solutions, Azure Key Vault helps reduce security risks, simplify secret management, and meet modern compliance requirements.

As organizations continue strengthening cloud security practices, Azure Key Vault has become an essential component of secure application architecture.

Membership not found