Azure Key Vault: centralized management of secrets and certificates
Azure Key Vault is Azure's service for managing secrets, cryptographic keys and certificates. It centralizes what would otherwise be scattered across environment variables, configuration files and databases — with full auditing of every access.
Create a Key Vault and add secrets
az keyvault create \
--name kv-bconcepts-prod \
--resource-group rg-shared \
--location westeurope \
--enable-rbac-authorization true # RBAC instead of Access Policies (recommended)
az keyvault secret set \
--vault-name kv-bconcepts-prod \
--name "SqlConnectionString" \
--value "Server=sqlprod.database.windows.net;..."
Access control with RBAC
az role assignment create \
--role "Key Vault Secrets User" \
--assignee <managed-identity-principal-id> \
--scope /subscriptions/.../vaults/kv-bconcepts-prod
Access secrets in Python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# DefaultAzureCredential picks up the Managed Identity in Azure and a developer
# login (az login, VS Code, environment variables) locally, so no secret is needed
# to reach the vault itself.
client = SecretClient(
    vault_url="https://kv-bconcepts-prod.vault.azure.net/",
    credential=DefaultAzureCredential()
)
conn_str = client.get_secret("SqlConnectionString").value
References in App Service / Function App
Configure direct references in the portal under Application Settings:
@Microsoft.KeyVault(SecretUri=https://kv-bconcepts-prod.vault.azure.net/secrets/SqlConnectionString/)
The application reads the value as if it were a normal environment variable — the Key Vault is transparent.
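As an added illustration (not code from the original article), the following resolver mimics what App Service does with the reference syntax above: it parses `@Microsoft.KeyVault(...)` values out of a settings map, fetches each referenced secret through a pluggable fetcher, and fails loudly on a malformed or unresolvable reference rather than handing the application the literal reference string. The `azure_fetcher` helper wires it to the SDK calls shown earlier; the `SecretRef` type and function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Optional
from urllib.parse import urlparse

# Matches the App Service reference syntax: @Microsoft.KeyVault(<body>)
KV_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.+)\)$")

@dataclass(frozen=True)
class SecretRef:
    vault_url: str          # e.g. https://kv-bconcepts-prod.vault.azure.net/
    name: str               # secret name
    version: Optional[str]  # None means "latest"

def parse_keyvault_reference(value: str) -> Optional[SecretRef]:
    """Return a SecretRef if `value` is a Key Vault reference, else None."""
    m = KV_REF.match(value.strip())
    if not m:
        return None
    body = m.group("body").strip()
    if body.startswith("SecretUri="):
        u = urlparse(body[len("SecretUri="):].strip())
        parts = [p for p in u.path.split("/") if p]   # ["secrets", name, version?]
        if u.scheme != "https" or len(parts) < 2 or parts[0] != "secrets":
            raise ValueError(f"malformed SecretUri in reference: {value}")
        return SecretRef(f"https://{u.netloc}/", parts[1], parts[2] if len(parts) > 2 else None)
    # Alternative form: VaultName=...;SecretName=...;SecretVersion=...
    fields = dict(kv.split("=", 1) for kv in body.split(";") if "=" in kv)
    if "VaultName" in fields and "SecretName" in fields:
        return SecretRef(f"https://{fields['VaultName']}.vault.azure.net/",
                         fields["SecretName"], fields.get("SecretVersion") or None)
    raise ValueError(f"unrecognised Key Vault reference: {value}")

Fetcher = Callable[[SecretRef], str]

def resolve_settings(settings: Mapping[str, str], fetch: Fetcher) -> Dict[str, str]:
    """Replace every Key Vault reference in `settings` with the fetched secret.
    Plain values pass through; a failed fetch raises instead of silently leaving
    the literal '@Microsoft.KeyVault(...)' string in the application's config."""
    resolved: Dict[str, str] = {}
    for key, value in settings.items():
        ref = parse_keyvault_reference(value)
        resolved[key] = fetch(ref) if ref else value
    return resolved

def azure_fetcher() -> Fetcher:
    """Real fetcher built on the SDK calls shown above (needs azure-identity,
    azure-keyvault-secrets and a reachable vault; not exercised offline)."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    credential = DefaultAzureCredential()
    def fetch(ref: SecretRef) -> str:
        client = SecretClient(vault_url=ref.vault_url, credential=credential)
        return client.get_secret(ref.name, version=ref.version).value
    return fetch
```

Running `resolve_settings(os.environ, azure_fetcher())` at startup gives a single place where an unresolved reference turns into an error instead of a connection string that reads `@Microsoft.KeyVault(...)`.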
Soft Delete and Purge Protection
Always enable --enable-soft-delete (default in new vaults) and --enable-purge-protection. An accidentally deleted secret can be recovered within the retention period (7-90 days).
Conclusion
Key Vault is indispensable in any production Azure architecture. It replaces all other ways of storing secrets, offers full auditing and integrates natively with Managed Identities for zero-credential authentication.