Exam AZ-305 topic 1 question 54 discussion

1. Storage: c. Secret. API keys are typically stored as secrets in Azure Key Vault. The key vault can store and manage secrets like API keys, passwords, or database connection strings. 2. Access: b. A managed service identity (MSI). A managed service identity (MSI) is used to give your VM access to the key vault. The advantage of using MSI is that you do not have to manage credentials yourself. Azure takes care of rolling the credentials and ensuring their lifecycle. The application running on your VM can use its managed service identity to get a token to Azure AD, and then use that token to authenticate to Azure Key Vault.

appeared in Exam 01/2024

CORRECT

A service principal is indeed the more appropriate choice for accessing a third-party email service using an API key. Here's a breakdown of why: Managed Service Identity (MSI) is primarily designed for accessing other Azure resources. While it can be used for external resources, it's often more complex to set up and manage. Service Principal is specifically designed for applications to authenticate to other services, including external ones. It provides a clear separation of concerns and simplifies the authentication process. To summarize: Store the API key as a secret in Azure Key Vault.   Use a service principal to authenticate to the third-party email service using the API key. By following these steps, you'll ensure secure storage of the API key and efficient authentication to the external service.

But isn't it the App that's making the call to Key Vault rather than the VM? If so, I think the answer for the second question would be an API token.

The given answer is correct. Storage: Secret: API keys are best stored as secrets in Azure Key Vault. Access: Managed Service Identity (MSI): Allows the app to authenticate to Azure Key Vault without needing to manage credentials, simplifying access management.

Given answer is correct difference between A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. A key is a cryptographic key represented as a JSON Web Key [JWK] object. Key Vault supports RSA and Elliptic Curve Keys only. A managed service identity (MSI) is used to give your VM access to the key vault https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad

It seems that both answers are correct but have confusion. App is hosted on multiple VMs. I get that there will be a ingle API Key as secret but how can multiple VMs have single managed service identity?

Both correct: 1) To connect on third-part e-mail service you have just an API key (i.g. a long token/password), so you can store the -secret- word in Azure Key Vault. (Third-part didn't give you a certificate or a key file). 2) Managed Identity provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication.