AZ-305 Question #115: Real Exam Question with Answer & Explanation
This hotspot question tests your knowledge of securely storing app settings as Azure Key Vault secrets while using a system-assigned managed identity and following the principle of least privilege.
Question
Hotspot question. You have an Azure App Service web app that uses a system-assigned managed identity. You need to recommend a solution to store the settings of the web app as secrets in an Azure key vault. The solution must meet the following requirements:
- Minimize changes to the app code.
- Use the principle of least privilege.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
Explanation
Approach. The recommendation has two parts. First, grant the web app's system-assigned managed identity the 'Key Vault Secrets User' role on the key vault (or, if the vault still uses the access-policy model, only the 'Get' secret permission). This satisfies least privilege: the identity can read secrets and nothing else. Second, reference the Key Vault secrets from the App Service configuration using Key Vault references of the form '@Microsoft.KeyVault(SecretUri=...)'. This minimizes code changes: the app reads its settings as ordinary app settings or environment variables, with no SDK calls or custom authentication logic. The managed identity authenticates to Key Vault transparently, so no credentials are stored or managed in the app code.
Concept tested. Azure Key Vault integration with App Service using a system-assigned managed identity and Key Vault references. This covers: (1) role-based access control or Key Vault access policies scoped to the minimum required permission (Secrets User / Get), (2) Key Vault references as app settings to avoid code changes, and (3) a system-assigned managed identity as the authentication mechanism, which eliminates the need for stored credentials.
Reference. https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
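The two controls in the explanation (reference syntax in the app settings, read-only role on the vault) are both things a reviewer can check mechanically. The following Python is an added example, not code from the exam page or from Microsoft: it parses the Key Vault reference syntax (the SecretUri form the explanation shows, plus the documented VaultName/SecretName form), flags settings with sensitive-looking names that still hold inline values, and flags role assignments on the vault that exceed 'Key Vault Secrets User'. The settings, role assignments, vault name and setting names are constructed for the example; the sensitive-name pattern is a heuristic assumption.

```python
"""Audit App Service app settings and vault role assignments (constructed example)."""
import re
from urllib.parse import urlparse

# Reference syntax accepted by App Service: @Microsoft.KeyVault(<body>), where <body> is
# either SecretUri=<https URL> or VaultName=...;SecretName=...[;SecretVersion=...]
_REF_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>[^()]*)\)$")
# DNS suffixes of Key Vault endpoints (public cloud first, then sovereign clouds)
_VAULT_SUFFIXES = (".vault.azure.net", ".vault.azure.cn", ".vault.usgovcloudapi.net")
# Setting names that usually hold sensitive material (heuristic; an assumption of this example)
_SENSITIVE_NAME = re.compile(r"(password|secret|token|apikey|api_key|connectionstring|key)$", re.I)
# Roles granting more than read access to secrets; too broad for a web app's identity
_OVERPRIVILEGED_ROLES = {"Key Vault Administrator", "Key Vault Secrets Officer", "Owner", "Contributor"}
LEAST_PRIVILEGE_ROLE = "Key Vault Secrets User"


def parse_key_vault_reference(value: str):
    """Return {'vault', 'secret', 'version'} for a valid reference, or None otherwise."""
    m = _REF_RE.match(value.strip())
    if not m:
        return None
    fields = {}
    for item in m.group("body").split(";"):
        key, sep, val = item.partition("=")
        if not sep:
            return None  # malformed key=value pair
        fields[key.strip()] = val.strip()
    if "SecretUri" in fields:
        u = urlparse(fields["SecretUri"])
        # A reference must point at a Key Vault secret over HTTPS
        if u.scheme != "https" or not u.netloc.endswith(_VAULT_SUFFIXES):
            return None
        segs = [s for s in u.path.split("/") if s]
        if len(segs) < 2 or segs[0] != "secrets":
            return None
        # version is optional; an unversioned reference resolves to the latest version,
        # which is what allows rotation without touching the app settings
        return {"vault": u.netloc.split(".")[0], "secret": segs[1],
                "version": segs[2] if len(segs) > 2 else None}
    if "VaultName" in fields and "SecretName" in fields:
        return {"vault": fields["VaultName"], "secret": fields["SecretName"],
                "version": fields.get("SecretVersion")}
    return None


def audit_app_settings(settings: dict) -> dict:
    """Classify each setting as reference / invalid-reference / inline-secret / plain."""
    result = {}
    for name, value in settings.items():
        if value.startswith("@Microsoft.KeyVault"):
            result[name] = "reference" if parse_key_vault_reference(value) else "invalid-reference"
        elif _SENSITIVE_NAME.search(name):
            result[name] = "inline-secret"  # secret-looking name, value not in Key Vault
        else:
            result[name] = "plain"
    return result


def check_identity_roles(assignments: list, principal: str):
    """Return (ok, extra_roles): ok when the principal holds only the read-only secrets role."""
    roles = {a["role"] for a in assignments if a["principal"] == principal}
    extra = sorted(roles & _OVERPRIVILEGED_ROLES)
    ok = roles == {LEAST_PRIVILEGE_ROLE}
    return ok, extra


# Constructed sample data: names, vault and values are invented for this example
SAMPLE_SETTINGS = {
    "DbPassword": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/DbPassword/0123456789abcdef0123456789abcdef)",
    "StorageKey": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=StorageKey)",
    "ApiToken": "constructed-inline-token-value",
    "LogLevel": "Information",
    "Broken": "@Microsoft.KeyVault(SecretUri=http://contoso-kv.vault.azure.net/secrets/x)",
}
VAULT_SCOPE = "/subscriptions/<sub-id>/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/contoso-kv"
SAMPLE_ASSIGNMENTS = [
    {"principal": "webapp-msi", "role": "Key Vault Secrets User", "scope": VAULT_SCOPE},
    {"principal": "ci-pipeline", "role": "Key Vault Secrets Officer", "scope": VAULT_SCOPE},
]

if __name__ == "__main__":
    for name, status in audit_app_settings(SAMPLE_SETTINGS).items():
        print(f"{name:12s} {status}")
    print("webapp-msi least privilege:", check_identity_roles(SAMPLE_ASSIGNMENTS, "webapp-msi"))
    print("ci-pipeline least privilege:", check_identity_roles(SAMPLE_ASSIGNMENTS, "ci-pipeline"))
```

In the sample, `ApiToken` is the finding that matters for the exam's first requirement (the value should become a reference) and `ci-pipeline` is the finding for the second (a Secrets Officer role can write secrets, which a consumer never needs). Run it against a real `az webapp config appsettings list` export and `az role assignment list` output once the field names are mapped.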