This is the 7th part of my Key Vault series - This will also be the shortest one. 

When you got control over the server, be it a virtual one or a standalone one, the approach you need to take, depends on what kind of access you have to the server. 

Full access

If you have full access to the machine, the approach you should take is using a certificate to access it. I wrote about this in Part 4, and also explained how to generate and use it. The reason this is the best approach is that when using a certificate, you can avoid having a secret access key to the Key Vault in your configuration files. When using a certificate, we tell our application to identify as the Service Principal the certificate represent. The Service Principal will have been granted access to the keys in the vault, so your code should only focus on getting the right secrets.

I cant do jack with certificates 

When you don't have full access to the server, or at least cant install or access certificates, we are back at the "fallback" way of accessing your Key Vault, which is a ClientId and a Client Secret. Code for how to do this can be found in Part 3.


That is it - I didn't expect this post to be so short, but during writing I noticed that the previous posts covered the topic in full.

Azure Key Vault series index

  1. Intro
  2. Creating and accessing Azure Key Vault
  3. Get secrets from Azure Key Vault in your app
  4. Client Id/ApplicationId vs Certificate based access
  5. Using Azure Key Vault from an Azure Web App
  6. Using Azure Key Vault with Azure Functions
  7. Using Azure Key Vault from a Virtual Server (you are reading it)
  8. Using Azure Key Vault in Azure DevOps
  9. Using Azure Key Vault in Umbraco
  10. Using Key Vault in an Umbraco site
  11. Using Key Vault in an Umbraco Cloud site