What is the point of Azure App Config KeyVault references?

Question

In Azure you can setup an App Config and a KeyVault. The point of the KeyVault being to store more sensitive data than your App Config and be able to regulate access to the config and vault separately.

So what is the benefit of using a keyvault reference in the app config?

You are basically allowing anyone with access to the app config to access certain values in your keyvault and are bypassing the additional layer of security the vault normally provides.
The additional layer being required auth to the vault to access those same values if they aren't referenced in the config.

I really don't understand what benefit keyvault references give you.

Answer 1

This blog article by Jan de Vries explains them in more detail: https://jan-v.nl/post/2021/using-key-vault-with-azure-app-configuration/.

The relevant part for your question:

As it happens, the code for accessing App Configuration doesn’t give your application permission to retrieve secrets from Key Vault.

The application retrieves them from Key Vault, not from App Configuration. App Config only holds the reference, not the actual value.

Official docs also mention this:

Your application uses the App Configuration client provider to retrieve Key Vault references, just as it does for any other keys stored in App Configuration. In this case, the values stored in App Configuration are URIs that reference the values in the Key Vault. They are not Key Vault values or credentials. Because the client provider recognizes the keys as Key Vault references, it uses Key Vault to retrieve their values.

Your application is responsible for authenticating properly to both App Configuration and Key Vault. The two services don't communicate directly.