Key Vault & Secret Stores
Manage secrets, keys, and certificates with cloud key vaults and managed identities.
Cloud key vaults (Azure Key Vault, AWS KMS + Secrets Manager, GCP KMS) manage three related things:
- Secrets — passwords, connection strings, tokens
- Keys — cryptographic keys for encryption/signing, often backed by HSMs
- Certificates — TLS certs with lifecycle/renewal
The secure pattern is to combine a vault with a managed/workload identity: the app authenticates to the vault using its cloud identity — no secret needed to get the secret. Access is governed by RBAC/policies and every access is audited.
```shell
# Azure: an app running with a managed identity reads a secret; no stored credential is involved.
# The CLI session is already signed in as that identity, so only the vault and secret names are needed.
az keyvault secret show --vault-name kv-prod --name db-password --query value

# AWS KMS: envelope encryption. The master key never leaves KMS; the app encrypts its local
# data key under it and stores the returned CiphertextBlob alongside the encrypted data.
aws kms encrypt --key-id alias/app --plaintext fileb://datakey.bin
```

- Name the three asset types a key vault manages.
- Explain how a managed identity solves the “secret to get a secret” problem.
- Describe what an HSM-backed key adds over a software key.
- Why is audit logging on a key vault important?
Cheat Sheet
| Asset | Use |
|---|---|
| Secrets | Passwords, tokens |
| Keys | Encryption/signing (HSM-backed) |
| Certificates | TLS certs + renewal |
| Managed identity | Auth without a stored secret |
| Access policy / RBAC | Who can read what |
| Audit log | Records every access |
Common Interview Questions
What does a cloud key vault manage?
Secrets (passwords/tokens), cryptographic keys (often HSM-backed for encryption and signing), and certificates — all with access control, auditing, and lifecycle management.
How does a managed identity improve secret access?
The app authenticates to the vault using its platform-assigned identity, so it needs no stored credential to retrieve its secrets — removing the bootstrap secret entirely.