Azure / reliable-web-app-pattern-dotnet

The Reliable Web App Pattern is a set of objectives to help your web application converge on the cloud. This repo contains a reference implementation of a reliable web application for .NET.
https://aka.ms/eap/rwa/dotnet/doc
MIT License
356 stars 114 forks

What's the best secure way to deploy the application secret? #330

Closed thomas-tran closed 6 months ago

thomas-tran commented 1 year ago

In a given scenario where an application needs to integrate with a 3rd party API and necessitates the storage of an API key within a key vault as a confidential element, an important question arises: What's the optimal method for managing this process securely? Specifically, should the API key be manually inserted by an administrator to the key vault in both locations, or can it be seamlessly integrated via the application deployment pipeline?

Of notable concern is the application's limited access to the key vault solely through a private endpoint. Furthermore, the architectural layout entails that the key vaults are contained within their respective subsets and distributed across two distinct regions. Given these architectural considerations, how can we establish a fortified approach to automating the insertion of the API key into the key vault while ensuring its security?

I went through this article https://blog.johnfolberth.com/securely-populating-azure-key-vault-via-azure-devops/; however, this is not a proper way to do so, as the secret is not stored within the Azure subscription, which is the security boundary.

adrianhall commented 6 months ago

Hi Thomas,

You have the right idea here that Key Vault (with a link to App Config if needed) is the right place to store the secret.

In my experience, 3rd party API keys are changed infrequently and not rotated by the enterprise. As a result, the best practice is to use a jump host and the administrator will log into the jump host and execute Azure CLI or PowerShell commands to set the secret to the correct value, then restart the services (or another action) to effect the change.

If you have the ability to rotate the API key automatically, you can integrate this into a pipeline that is run on a periodic basis using a GitHub Actions runner or AzDO pipeline runner that is deployed on the jump host. Don't forget to open the firewall to whatever 3rd party API is needed to rotate the key so that the pipeline can run successfully.

In both cases, I recommend using a sentinel on App Config to effect the change rather than restarting services. You can read about sentinel values here: https://learn.microsoft.com/en-us/azure/azure-app-configuration/enable-dynamic-configuration-aspnet-core?tabs=core6x

I hope this helps, and I will close this issue now. Feel free to re-open if you need to continue the conversation.
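The jump-host procedure described in the reply above, as an added example that is not code from this thread or from the repository: it writes the key to the vault in each region without putting the value on the command line, and changes the App Config sentinel only after every vault has been updated. The vault, secret, store and sentinel names are placeholders (assumptions), and the script assumes `az login` has already been done on the jump host.

```shell
#!/bin/sh
# Added example; every resource name below is a placeholder, not from the repo.
VAULTS="${VAULTS:-kv-example-primary kv-example-secondary}"  # one vault per region
SECRET_NAME="${SECRET_NAME:-ThirdPartyApiKey}"
APPCONFIG_STORE="${APPCONFIG_STORE:-appcs-example}"
SENTINEL_KEY="${SENTINEL_KEY:-App:Sentinel}"

# Write the key to every vault, then change the sentinel so apps reload.
# $1 = path to a file holding the key; the value never appears in argv,
# so it stays out of shell history and process listings.
push_api_key() {
    keyfile="$1"
    [ -s "$keyfile" ] || { echo "key file missing or empty" >&2; return 2; }
    for vault in $VAULTS; do
        # --file makes the CLI read the value from disk
        az keyvault secret set --vault-name "$vault" --name "$SECRET_NAME" \
            --file "$keyfile" --encoding utf-8 --output none || {
            echo "failed on $vault; sentinel not updated" >&2
            return 1
        }
    done
    # Reached only when all vaults hold the new value.
    az appconfig kv set --name "$APPCONFIG_STORE" --key "$SENTINEL_KEY" \
        --value "$(date -u +%Y%m%dT%H%M%SZ)" --yes --output none
}

# Prompt without echo, stage the key in an owner-only temp file, clean up on exit.
main() {
    umask 077
    keyfile="$(mktemp)"
    trap 'stty echo 2>/dev/null; rm -f "$keyfile"' EXIT
    printf 'API key: ' >&2
    stty -echo
    IFS= read -r key
    stty echo
    printf '%s' "$key" > "$keyfile"   # no trailing newline in the stored secret
    unset key
    push_api_key "$keyfile"
}

# Run interactively with:  sh push-api-key.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

If a vault write fails partway, the sentinel is left unchanged, so the apps are not told to reload while the regions disagree; fix the failure and re-run.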