Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Azure Key Vault Secrets unmanaged and managed whats the difference?

Tags:

azure

azure-keyvault

azureportal

Within the Azure portal > KeyVaults > Secrets there appears to be two sets of Secrets: "unmanaged" and "managed".

When adding a new Secret it appears to go straight to the "unmanaged" section (there is no option to choose).

  • What is the difference between "unmanaged" and "managed" secrets?
  • Why everytime I create a secret it is "unmanaged"?
  • How do you create "managed" secrets?
like image 761
bytedev Avatar asked Nov 16 '17 16:11

bytedev

1 Answers

What is the difference between "unmanaged" and "managed" secrets?

A "managed" secret is a secret that backs either a certificate or a storage account key. It can't directly be mutated - for example, if you want to delete it, then you should instead delete the corresponding certificate or storage account key. An "unmanaged" secret is a secret that isn't managed - from AKV's point of view, it's just a blob of data.

Why everytime I create a secret it is "unmanaged"?

Within the Azure Portal, AKV only supports the creation of keys, secrets, and certificates (no storage account key support yet). If you create a certificate, then a managed secret will also be created. Otherwise, if you create a secret (even if you select "Certificate" as an upload option), then it will be an unmanaged secret.

How do you create "managed" secrets?

Not directly. Only by creating a certificate or a storage account key.

More Context:

The Azure Key Vault (AKV) service originally supported only two types of objects that could be stored in a vault: keys and secrets.

Later, AKV introduced a 3rd type of object: certificates. Originally, customers were storing their certs in their vaults as raw secrets (from AKV's point of view, just blobs of data). With this new certificate feature, customers could store certs as first-class AKV objects. Now, AKV can manage the lifetime of the certificate (by auto-renewing or automatically sending an e-mail to remind the customer to manually renew it when it's close to expiry). Under the hood, when a first-class certificate is created in Key Vault, the certificate is backed by a managed key and managed secret.

Likewise, AKV has also introduced a 4th type of object: storage account keys. AKV similarly manages the lifetime of a storage account key, and it's backed by a managed secret.

like image 148
Adriano Avatar answered Oct 05 '22 22:10

Adriano
Sign in to Comment

Related questions

Creating a correct absolute URL when running ASP.NET MVC application under Visual Studio Windows Azure Emulator
Composer dependency error acquiring microsoft/windowsazure package
GetBlobReferenceFromServer not working with relative URIs. Error: "Only absolute addresses are permitted"
Error: 'ID1039: The certificate's private key could not be accessed
ERR_EMPTY_RESPONSE in ASP.NET MVC WebSite
EntityFramework Code first migrations not running after deploying to Azure
FabricConnectionDeniedException - Where do I setup Azure Service Fabric connections?
Clone a resource group
Wordpress slow on azure
Design of Application in Azure Service Fabric
Azure WebJob not running as per schedule
Allow ipv6 address in Azure firewall
SQL timeouts after moving to azure
What does the various options in time aggregation field mean?
How can I merge the outputs from a For_Each loop in an Azure Logic App to a single flat array?
POSTMAN: "You do not have permission to view this directory or page" with Bearer Token
Azure functions static isolation
Azure Function - writing and reading a blob file
cosmos db sql query with non alphanumeric field name
Unable to reach SQL database through SSH tunnel using sqlcmd

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!