How to split up Key Vaults?

Category: azure key vault


MJeorrett on Fri, 19 Jan 2018 11:19:13

We are developing a system with several components each with several environments and a lot of them make use of Key Vault.  We are considering the factors that could affect how we divide up the vaults anywhere from one vault for everything to a separate vault per app per environment.  We would like to better understand what factors we should be considering but after a bit of googling I couldn't find any strong opinions on how to divide up vaults.

So far the factors I am aware of are:

- Access permissions can only be set per vault (not per object)

- Presumably we should try to avoid storing the same object in multiple vaults.

- If a vault only contains objects relating to one app then clearing up that app's resources is much easier.

- Each vault contains a single name space so with many objects in a single vault naming could become problematic.

Interested to hear other people's thoughts, especially if there are any other technical constraints that we should be aware of.



Rahul P Nath on Thu, 25 Jan 2018 04:57:17

Hi Matthew,

Think most of the factors are already thought about. I generally tend to have a vault associated per environment (like dev/test/prod) etc., so that the same keys can be used across all environments. This also gives flexibility to give different groups of people access for the environment they are responsible for. Also, given that creating a key vault by itself is free, it does not have any impact on cost. As far as different applications are concerned it boils down to minimizing duplicates and how you want to restrict access.
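To make the trade-offs listed in the question and the answer concrete, here is an added example (not from either poster) that lays the same constructed inventory of secrets out under the three strategies named above and reports the two problems raised: name collisions inside one vault's namespace and objects duplicated across vaults. The `kv-contoso` prefix and the app, environment and secret names are assumptions; the vault naming rule is Azure's documented one.

```python
"""Compare the Key Vault layouts discussed in the thread (added example, not from
the original posts). App, environment and secret names are constructed sample data."""
import re
from collections import defaultdict

# Azure rule: 3-24 chars, letters/digits/hyphens, starts with a letter,
# ends with a letter or digit, no consecutive hyphens (and globally unique).
VAULT_NAME_RE = re.compile(r"^(?!.*--)[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")

# Constructed inventory: (app, environment, secret name, id of the underlying object).
# Two apps share the dev payment key; every app/env pair has its own DB connection string.
SECRETS = [
    ("billing", "dev", "DbConnection", "billing-db-dev"),
    ("billing", "prod", "DbConnection", "billing-db-prod"),
    ("orders", "dev", "DbConnection", "orders-db-dev"),
    ("orders", "prod", "DbConnection", "orders-db-prod"),
    ("billing", "dev", "PaymentApiKey", "payments-dev"),
    ("orders", "dev", "PaymentApiKey", "payments-dev"),
]

STRATEGIES = {
    "single": lambda app, env: [],            # one vault for everything
    "per-env": lambda app, env: [env],        # the answer's preference
    "per-app-env": lambda app, env: [app, env],
}

def vault_name(prefix, app, env, strategy):
    """Name the vault that holds (app, env) under a strategy; reject invalid names."""
    name = "-".join([prefix, *STRATEGIES[strategy](app, env)])
    if not VAULT_NAME_RE.match(name):
        raise ValueError(f"invalid Key Vault name: {name!r}")
    return name

def plan(secrets, strategy, prefix="kv-contoso"):
    """Return the vault list plus the two problems the question raises:
    collisions (one secret name, different objects, same vault namespace) and
    duplicates (one object stored in several vaults)."""
    vaults = defaultdict(lambda: defaultdict(set))  # vault -> secret name -> object ids
    homes = defaultdict(set)                        # object id -> vaults holding it
    for app, env, name, obj in secrets:
        vault = vault_name(prefix, app, env, strategy)
        vaults[vault][name].add(obj)
        homes[obj].add(vault)
    collisions = sorted((v, n) for v, names in vaults.items()
                        for n, objs in names.items() if len(objs) > 1)
    duplicates = sorted((obj, sorted(vs)) for obj, vs in homes.items() if len(vs) > 1)
    return {"vaults": sorted(vaults), "collisions": collisions, "duplicates": duplicates}
```

Calling `plan(SECRETS, s)` for each strategy shows the shared namespace forcing prefixed secret names in the single and per-environment layouts, and the shared payment key being duplicated in the per-app-per-environment layout. Azure RBAC for the Key Vault data plane can now scope a role assignment to an individual key, secret or certificate, which relaxes the per-vault-only access constraint listed in the question.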