When you configure an Azure App Service to use Key Vault references in its application settings, how does the App Service retrieve the secret values at runtime?
Think about performance and how often secrets might change.
App Service retrieves the secret from Key Vault once when the app starts and caches it. This avoids repeated calls to Key Vault during runtime, improving performance.
To enable an Azure App Service to use Key Vault references in its application settings, what minimum permission must be granted to the App Service's managed identity on the Key Vault?
Consider what action is needed to read a secret.
The App Service's managed identity needs the 'get' permission on secrets in Key Vault to retrieve secret values.
You want your Azure App Service to automatically use updated secrets from Key Vault without manual app restarts. Which architecture approach supports this?
Think about automation and identity permissions.
Using Key Vault references with managed identity and configuring the app to restart on secret change notifications allows automatic secret refresh without manual intervention.
Which of the following is the best practice to secure access from an Azure App Service to Azure Key Vault when using Key Vault references?
Consider the principle of least privilege and secure authentication methods.
Using a system-assigned managed identity with least privilege access is the most secure and recommended approach to authenticate App Service to Key Vault.
An Azure App Service is configured with Key Vault references in its application settings and the managed identity has 'get' permission on Key Vault secrets. However, the app fails to resolve the secrets at runtime. What is the most likely cause?
Think about network restrictions and connectivity.
Even with correct permissions, if the Key Vault firewall or virtual network rules block the App Service's outbound IPs, the app cannot access secrets.