Hi, It is great to see this video on Key Vault. When using Key Vault to store app secrets for production applications, it is recommended to use X509 cert based authentication. This video shows a client_id+secret based authentication. This beats the whole purpose of using key vault, because the secret to authenticate AAD is available in clear in the app.config file. Available Key Vault sample applications show how to do X509 based auth. This has an example in .NET.
Ps:- The above information has been shared by Azure KV Engineering team.
To me, the primary reason for Azure KeyVault is a service to government officials for decrypting and access data when needed.
Rather than every customer come up with their own scheme of storing this secret information, customers are encouraged to store their secrets in such a manner that makes it easier for Microsoft and/or government officials to access said secrets and related data. This makes access much easier in that there is one standard place to look and there is no need to try and figure out the seemingly endless and obscure methods used by many customers.
In addition, but secondary, Azure KeyVault can be used as a place to store secrets and keep them out of your source code and settings.
Needless to say, I am skeptical of using Azure KeyVault.
@MaheshkMSFT: Thanks for the tip. Using certificates makes a lot more sense than securing passwords with other passwords. I'll have to dig into this a bit more and do a followup video.
@Tony: I must say I hadn't considered that. It is possible to build cryptographic systems such that not even the designer can read the secrets - in fact, I'd say it is fundamental to such a system. Personally, I find it pretty unlikely that THE MAN is interested in decrypting the keys I'm using to store credentials for my recipe collection.