 

Azure Key Vault Secrets: unmanaged and managed, what's the difference?

Within the Azure portal > KeyVaults > Secrets there appears to be two sets of Secrets: "unmanaged" and "managed".

When adding a new Secret it appears to go straight to the "unmanaged" section (there is no option to choose).

  • What is the difference between "unmanaged" and "managed" secrets?
  • Why, every time I create a secret, is it "unmanaged"?
  • How do you create "managed" secrets?
bytedev asked Nov 16 '17 16:11



1 Answer

What is the difference between "unmanaged" and "managed" secrets?

A "managed" secret is a secret that backs either a certificate or a storage account key. It can't directly be mutated - for example, if you want to delete it, then you should instead delete the corresponding certificate or storage account key. An "unmanaged" secret is a secret that isn't managed - from AKV's point of view, it's just a blob of data.

Why, every time I create a secret, is it "unmanaged"?

Within the Azure Portal, AKV only supports the creation of keys, secrets, and certificates (no storage account key support yet). If you create a certificate, then a managed secret will also be created. Otherwise, if you create a secret (even if you select "Certificate" as an upload option), then it will be an unmanaged secret.

How do you create "managed" secrets?

Not directly. Only by creating a certificate or a storage account key.


More Context:

The Azure Key Vault (AKV) service originally supported only two types of objects that could be stored in a vault: keys and secrets.

Later, AKV introduced a 3rd type of object: certificates. Originally, customers were storing their certs in their vaults as raw secrets (from AKV's point of view, just blobs of data). With this new certificate feature, customers could store certs as first-class AKV objects. Now, AKV can manage the lifetime of the certificate (by auto-renewing or automatically sending an e-mail to remind the customer to manually renew it when it's close to expiry). Under the hood, when a first-class certificate is created in Key Vault, the certificate is backed by a managed key and managed secret.

Likewise, AKV has also introduced a 4th type of object: storage account keys. AKV similarly manages the lifetime of a storage account key, and it's backed by a managed secret.

Adriano answered Oct 05 '22 22:10

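As an added example (not code from the answer above, nor from Microsoft's tooling): a small Python audit over a constructed listing in the shape of `az keyvault secret list` JSON. It separates managed from unmanaged secrets using the `managed` flag, works out where a delete of a managed secret must actually be issued (the owning certificate, as the answer describes), and flags raw certificate blobs that were stored as unmanaged secrets. The vault name and secret names are made up; the top-level `managed` field and the certificate content types are assumed to match Key Vault's REST/CLI output.

```python
import json

# Constructed sample listing (assumption: same fields as `az keyvault secret list`,
# where unmanaged secrets carry "managed": null and managed ones "managed": true).
SAMPLE_LISTING = json.dumps([
    {"id": "https://contoso-kv.vault.azure.net/secrets/db-password",
     "contentType": None, "managed": None},
    {"id": "https://contoso-kv.vault.azure.net/secrets/web-tls",
     "contentType": "application/x-pkcs12", "managed": True},
    {"id": "https://contoso-kv.vault.azure.net/secrets/legacy-cert",
     "contentType": "application/x-pkcs12", "managed": None},
])

# Content types Key Vault uses for the secret that backs a first-class certificate.
CERT_CONTENT_TYPES = {"application/x-pkcs12", "application/x-pem-file"}


def _name(item):
    """Secret name is the last path segment of the secret id."""
    return item["id"].rsplit("/", 1)[1]


def classify(listing_json):
    """Split a vault's secrets into (managed, unmanaged) name lists."""
    items = json.loads(listing_json)
    managed = [_name(i) for i in items if i.get("managed")]
    unmanaged = [_name(i) for i in items if not i.get("managed")]
    return managed, unmanaged


def delete_target(item):
    """Object a delete request should be aimed at.

    An unmanaged secret is just a blob and can be deleted directly. A managed
    secret cannot be mutated; if it backs a certificate, delete that certificate
    instead. Managed secrets with no certificate content type (e.g. storage
    account key backing) need their owner resolved by hand, so return None.
    """
    if not item.get("managed"):
        return item["id"]
    if item.get("contentType") in CERT_CONTENT_TYPES:
        return item["id"].replace("/secrets/", "/certificates/", 1)
    return None


def raw_cert_blobs(listing_json):
    """Unmanaged secrets that look like certificates: stored as plain blobs, so
    Key Vault will neither auto-renew them nor warn before they expire."""
    return [_name(i) for i in json.loads(listing_json)
            if i.get("contentType") in CERT_CONTENT_TYPES and not i.get("managed")]
```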