In our previous article, Azure Resource Manager Templates – Securing your Parameters with KeyVault, we used KeyVault to store production secrets safely. In a large team several people may deploy resources, yet you do not want to give them access to the actual secrets inside the vault. Azure separates the two: to resolve a KeyVault reference during a deployment, Azure Resource Manager only checks that the deploying identity holds the permission Microsoft.KeyVault/vaults/deploy/action on the vault, and that the vault has enabledForTemplateDeployment switched on. A custom role that grants only that action therefore lets a user deploy templates that reference secrets while the deployment user cannot read the secret values themselves, as long as you do not also give them an access policy on the vault.
You should never keep confidential configuration information in an application configuration file. That includes injecting sensitive values through web.config transformation files, which end up in the build output and usually in source control as well. Adding sensitive values via the AppService application settings is not ideal either: anyone with Contributor rights on the app, or who can open it in the portal, can read them.
In all these cases you may leak sensitive information, for example through your source control and its history, or to anyone with access to your subscription.
Certificates have various uses in AppServices. The most obvious one is to enable SSL for your application. Another is to authenticate your application towards Azure KeyVault, as the credential of a service principal, so that it can retrieve confidential values at runtime.
In this post we will upload a certificate to KeyVault, deploy it to an AppService with an Azure Resource Manager template, and finally add a custom domain binding that uses the certificate for SSL.
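The three steps just listed, as an added example that is not part of the original post: a PFX is imported into KeyVault, the App Service resource provider is allowed to fetch it, and an ARM template pulls the certificate into the AppService and switches the custom domain to SNI SSL. It uses the Az PowerShell module; the resource group, vault, site, plan, hostname, file path and apiVersion are assumptions for illustration. The custom domain must already be verified against the app (DNS CNAME/TXT record) or the binding step fails.

```powershell
# Added example (not from the original article): certificate from Key Vault to an
# App Service custom domain via ARM. All names and paths below are assumptions.
$resourceGroup = 'rg-prod-app'            # assumed
$vaultName     = 'kv-prod-app'            # assumed
$certName      = 'www-contoso-com'        # assumed: Key Vault certificate name (its PFX is exposed as a secret of the same name)
$siteName      = 'app-prod-contoso'       # assumed
$planName      = 'asp-prod-contoso'       # assumed
$hostname      = 'www.contoso.com'        # assumed: DNS must already point at the app

# 1. Upload the PFX to the vault. The private key never enters the template or the repo.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Import-AzKeyVaultCertificate -VaultName $vaultName -Name $certName `
    -FilePath '.\www-contoso-com.pfx' -Password $pfxPassword

# 2. The App Service resource provider (fixed first-party app id abfa0a7c-a6b6-4736-8310-5855508787cd)
#    reads the certificate out of the vault, so it needs Get on secrets and nothing more.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ServicePrincipalName 'abfa0a7c-a6b6-4736-8310-5855508787cd' -PermissionsToSecrets get

# 3. Template: a Microsoft.Web/certificates resource that pulls from the vault, plus a
#    hostNameBindings resource that enables SNI SSL with that certificate's thumbprint.
$vault = Get-AzKeyVault -ResourceGroupName $resourceGroup -VaultName $vaultName
$template = @"
{
  "`$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/certificates",
      "apiVersion": "2019-08-01",
      "name": "$certName",
      "location": "[resourceGroup().location]",
      "properties": {
        "keyVaultId": "$($vault.ResourceId)",
        "keyVaultSecretName": "$certName",
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', '$planName')]"
      }
    },
    {
      "type": "Microsoft.Web/sites/hostNameBindings",
      "apiVersion": "2019-08-01",
      "name": "$siteName/$hostname",
      "dependsOn": [ "[resourceId('Microsoft.Web/certificates', '$certName')]" ],
      "properties": {
        "sslState": "SniEnabled",
        "thumbprint": "[reference(resourceId('Microsoft.Web/certificates', '$certName')).thumbprint]"
      }
    }
  ]
}
"@
$templateFile = Join-Path $env:TEMP 'ssl-binding.json'
Set-Content -Path $templateFile -Value $template -Encoding UTF8

# 4. Deploy. Re-running the same template after renewing the certificate in the vault
#    picks up the new version and rebinds the domain.
New-AzResourceGroupDeployment -ResourceGroupName $resourceGroup -TemplateFile $templateFile
```

The only identity that ever touches the private key is the App Service resource provider; the person running the deployment needs no secret permissions on the vault, which is the same separation the rest of this series builds on.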
Storing secret information such as parameter values in resource template files is not recommended. ARM templates are usually checked into source control, so everyone with access to the repository, including its history, has access to your confidential information.
Keeping a separate parameter file out of source control is one option, but it still leaves plaintext secrets on disk and in your deployment pipeline. Azure offers a better option through its secure data store, KeyVault. Think of it as a vault for secrets of any type: the template and parameter file only carry a reference to a secret, and Azure Resource Manager resolves the value at deployment time.
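As an added example that is not part of the original article, the following script ties together the custom deployment role described at the start of this page and the KeyVault parameter reference described just above: it creates a role that grants only Microsoft.KeyVault/vaults/deploy/action, assigns it on a single vault, enables the vault for template deployment, stores a secret, and writes a parameter file that references the secret instead of containing it. It uses the Az PowerShell module; the subscription id, resource group, vault name, deployer object id, secret name and the template parameter name sqlAdminPassword are assumptions for illustration, and the template file azuredeploy.json is assumed to declare that parameter with type securestring.

```powershell
# Added example (not from the original article): a deployer who can reference
# Key Vault secrets from ARM parameters but cannot read them. All names are assumptions.
$subscriptionId   = '00000000-0000-0000-0000-000000000000'   # assumed
$resourceGroup    = 'rg-prod-app'                            # assumed
$vaultName        = 'kv-prod-app'                            # assumed
$deployerObjectId = '11111111-1111-1111-1111-111111111111'   # assumed: AAD object id of the deploying user or service principal
$secretName       = 'SqlAdminPassword'                       # assumed

# 1. Custom role. deploy/action is a management-plane permission that lets ARM resolve
#    vault references during a deployment; it grants no Get/List on the secrets themselves.
$roleJson = @"
{
  "Name": "Key Vault Template Deployer",
  "IsCustom": true,
  "Description": "Can reference Key Vault secrets from ARM template parameters, cannot read them.",
  "Actions": [ "Microsoft.KeyVault/vaults/deploy/action" ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@
$roleFile = Join-Path $env:TEMP 'kv-deployer-role.json'
Set-Content -Path $roleFile -Value $roleJson -Encoding UTF8
New-AzRoleDefinition -InputFile $roleFile

# 2. Assign it on the one vault, not on the subscription.
$vaultId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.KeyVault/vaults/$vaultName"
New-AzRoleAssignment -ObjectId $deployerObjectId `
    -RoleDefinitionName 'Key Vault Template Deployer' -Scope $vaultId

# 3. The vault must opt in to template deployment, otherwise references are rejected.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -EnabledForTemplateDeployment

# 4. A vault administrator stores the secret; the deployer never sees this value.
$secretValue = Read-Host -Prompt "Value for $secretName" -AsSecureString
Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secretValue

# 5. Parameter file: a reference, never the value, so it is safe to commit.
#    The matching template parameter must be declared as type "securestring".
$paramsJson = @"
{
  "`$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "sqlAdminPassword": {
      "reference": {
        "keyVault": { "id": "$vaultId" },
        "secretName": "$secretName"
      }
    }
  }
}
"@
Set-Content -Path '.\azuredeploy.parameters.json' -Value $paramsJson -Encoding UTF8

# 6. Run the next two lines with the deployer's credentials: the deployment succeeds,
#    while reading the secret directly is denied because the deployer has no access
#    policy (or, with the RBAC permission model, no data-plane role) on the vault.
New-AzResourceGroupDeployment -ResourceGroupName $resourceGroup `
    -TemplateFile '.\azuredeploy.json' -TemplateParameterFile '.\azuredeploy.parameters.json'
Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName
```

Creating the role definition and assignment requires Owner or User Access Administrator rights on the subscription, and step 4 requires Set permission on secrets; both belong to the vault administrator, not to the deployer. Check that no existing access policy on the vault lists the deployer's object id, since an access policy would give back exactly the read access the custom role withholds.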