weikanglim
commented
6 months ago Hi @timheuer, we create KeyVault by default as a convenience since there's no associated cost to having one around -- KeyVault charges base on usage, so there shouldn't be any additional cost for having it around. If a user wanted to store a secret, they could. This is mentioned in brief passing next-steps.md.
As for permissions, it depends on the use case. Personally, for some scenarios, I'd recommend having no dev permissions on the KeyVault as well. But for non-advanced users, key and certificates permissions may not be needed.
In the future, we could change the logic to conditionally provision KeyVault if no backend services are found. I also suspect that future work around azd's configuration story could also be more integrated and explicitly create a KeyVault only when needed. But currently it's there for convenience. Let me know if any of these do not align with your expectations.
timheuer
Output from
azd versionRunazd versionand copy and paste the output here: azd version 1.5.1-daily.3351945 (commit fbbcfbe30f2175d980267329f0c0916c2270d4ed)Describe the bug A KeyVault resource is getting created when it is not mentioned as any dependency in my app, nor does it appear to be used. Additionally the permissions set on it don't enable listing keys/certificates, only 'secrets'
To Reproduce
azd initand follow stepsazd upExpected behavior Just not sure why keyvault is being created, only create resources on my account that are needed/used Also validate the permissions being created are valid