Using Azure KeyVault to store secrets


There is one nice feature I left out, the possibility to use KeyVault to store secrets. What's a secret ? The MySQL database username and password are secrets, the authentication key for a mailing service is a secret, any data you use to authenticate to some service is a secret

The regular approach is to set those to operating system environment variables, or inject in our way in your code. 

A way better approach is to use Azure KeyVault to inject these kind of values directly in your application at runtime.

Why it's better you might ask ? You application would still need to authenticate somehow against the Azure KeyVault to be able to use this feature, right ? You will still have to manage a password (for Azure KeyVault, right ? Well, not quite. The good news is that you can use other (better !) ways to authenticate to AzureKeyVault, like  Managed Identities or Server Certificates, which does not require a user/password combination to be able to use the KeyVault service. So, you get the benefit or somebody else storing all secrets for you (and making sure all stay secret !). All you have to do is to configure the authentication in a clever way and you're done !

The actual process of using KeyVault with Java Spring Boot is fully described here -