Open timheuer opened 6 months ago
Hi @timheuer, we create KeyVault by default as a convenience since there's no associated cost to having one around -- KeyVault charges based on usage, so there shouldn't be any additional cost for having it around. If a user wanted to store a secret, they could. This is mentioned in brief passing in next-steps.md.
As for permissions, it depends on the use case. Personally, for some scenarios, I'd recommend having no dev permissions on the KeyVault as well. But for non-advanced users, key and certificates permissions may not be needed.
In the future, we could change the logic to conditionally provision KeyVault if no backend services are found. I also suspect that future work around azd's configuration story could also be more integrated and explicitly create a KeyVault only when needed. But currently it's there for convenience. Let me know if any of these do not align with your expectations.
Even without a cost, it's a resource to manage. I just found it odd (hence not aligning with my expectations) that resources were created for me that are consumption-based (maybe appinsights/loganalytics fall into same category) that I didn't explicitly use.
If these are 'no cost' resources and confirm that is the case, there is no billing harm here, but usability wise my RG now looks like more than I expected for a simple web app.
Output from azd version
Run azd version and copy and paste the output here: azd version 1.5.1-daily.3351945 (commit fbbcfbe30f2175d980267329f0c0916c2270d4ed)
Describe the bug
A KeyVault resource is getting created when it is not mentioned as any dependency in my app, nor does it appear to be used. Additionally the permissions set on it don't enable listing keys/certificates, only 'secrets'.
To Reproduce
azd init and follow steps
azd up
Expected behavior
Just not sure why keyvault is being created, only create resources on my account that are needed/used. Also validate the permissions being created are valid.