You have multiple Azure virtual machines that need to access the same Azure Key Vault to retrieve certificates. You want to minimize administrative overhead while ensuring each VM can authenticate without managing credentials. Which identity type should you use?
- Trap 1: System-assigned managed identity on each VM. Each VM gets its own identity, requiring you to grant Key Vault access to each identity individually, increasing management overhead.
- Trap 2: Service principal with client secret stored in each VM. Service principals require managing client secrets, which adds security risk and overhead.
- Trap 3: Storage account key. Storage account keys are for Azure Storage authentication, not for accessing Key Vault.
- A. System-assigned managed identity on each VM
  Why wrong: Each VM gets its own identity, requiring you to grant Key Vault access to each identity individually, increasing management overhead.
- B. User-assigned managed identity assigned to each VM
  Correct: A single user-assigned identity can be assigned to all VMs. You grant Key Vault access once, reducing overhead.
- C. Service principal with client secret stored in each VM
  Why wrong: Service principals require managing client secrets, which adds security risk and overhead.
- D. Storage account key
  Why wrong: Storage account keys are for Azure Storage authentication, not for accessing Key Vault.