问题
What is the recommended way of deploying Azure Key Vault:
- One Key Vault per environment e.g. Production, Test etc.
- One Key Vault used globally.
If I want to automate creation of Azure resources using ARM templates, it seems the second method is preferable. However, storing Test and Production secrets together could cause mistakes to happen unless you use some kind of naming scheme for secret names.
回答1:
The official recommendation is that a Key Vault is not shared across environments.
Don't use prefixes on key vault secrets to place secrets for multiple apps into the same key vault or to place environmental secrets (for example, development versus production secrets) into the same vault. We recommend that different apps and development/production environments use separate key vaults to isolate app environments for the highest level of security.
Source
We deploy them through ARM templates, and have not really had trouble. Some PowerShell (or other) scripts may be needed to set secrets after ARM deployment.
回答2:
One more thing to add to this answer. I do agree that each application or process should have it's own Key Vault in a single region and absolutely different ones per environment.
In the end it really depends what you are using Key Vault for and how comfortable you are with managing Key Vault. Yes, Key Vault is replicated to a secondary region by default; however, if you are using or planning to use Key Vault for VM Disk encryption it does not cross regions So if your discs will be stored in multiple regions you will need to have a separate Key Vault in each region.
来源:https://stackoverflow.com/questions/53004329/recommended-way-of-deploying-azure-key-vault