When App Configuration creates such keys, it stores the URIs of Key Vault values rather than the values themselves.
In this case, the values stored in App Configuration are URIs that reference the values in the Key Vault. They are not Key Vault values or credentials.
Secrets are any sequence of bytes under 10 KB, such as connection strings, account keys, or the passwords for PFX files (private key files). An authorized application can retrieve a secret for use in its operation.
Keys involve cryptographic material imported into Key Vault, or generated when a service requests Key Vault to do so. An authorized cloud service can request that Key Vault perform one or more cryptographic operations with a key on its behalf.
An Azure Key Vault certificate is simply a managed X.509 certificate. What is different is that Azure Key Vault offers life-cycle management capabilities. Like Azure Keys, a service can request Azure Key Vault to create a certificate. When Azure Key Vault creates the certificate, it creates a related private key and password. The password is stored as an Azure Secret, while the private key is stored as an Azure Key. Expired certificates can roll over, with notifications before these operations happen.
Secrets Management - Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
Key Management - Azure Key Vault can also be used as a key management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data.
Certificate Management - Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internal connected resources.
Reference articles for using secrets:
Difficulties encountered in the project:
1. Compatibility with the Spring Boot version.
<!-- pom.xml fragments: the Spring Boot parent version and the Azure starter version have to be kept on matching release lines -->
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.1.3.RELEASE</version>
</parent>
<!-- Key Vault secrets starter on the same 2.1.3 line as the Spring Boot parent -->
<dependency>
    <groupId>com.microsoft.azure</groupId>
    <artifactId>azure-keyvault-secrets-spring-boot-starter</artifactId>
    <version>2.1.3</version>
</dependency>
<dependency>
    <groupId>com.microsoft.azure</groupId>
    <artifactId>azure</artifactId>
    <version>1.23.0</version>
</dependency>
2. Network access
2020-11-18T06:26:59.678096731Z Caused by: com.microsoft.azure.keyvault.models.KeyVaultErrorException:
Status code 403, {"error":
{"code":"Forbidden",
"message":"Client address is not authorized and caller is not a trusted service.\r\n
Client address: 52.149.164.134\r\n
Caller: appid=2b79ae32-283c-4eca-b49d-03a32913516f;
oid=540987c6-2171-460a-b5b3-d76c312b4f6b;
iss=https://sts.windows.net/513294a0-3e20-41b2-a970-6d30bf1546fa/;
xms_mirid=/subscriptions/07667224-a833-4bf5-8c68-f9192e70b812/resourcegroups/PZI-GXU2-N-RGP-MSHTR-D018/providers/Microsoft.Web/sites/ADV-DGL-CN-EUS-WAP-DEV-002\r\n
Vault: ADVDGLCNEUSKVADEV001;
location=eastus",
"innererror":{"code":"ForbiddenByFirewall"}}}
Solution: configure the IP address
Key Vault service -> Networking -> add the denied IP address
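The same portal fix written as an Azure CLI script, added here as an example that is not part of the original post. The vault, app and resource-group names are placeholders, the error text is a constructed sample that follows the message above, and setting AZ=echo gives a dry run; it also reads the App Service outbound IP set, since the rejected client address comes from that set.

```shell
#!/bin/sh
# Added example (not from the original post): automate
# "Key Vault -> Networking -> add the denied IP" with the Azure CLI.
# Assumes az is installed and logged in; names below are placeholders.
# AZ can be overridden (AZ=echo) to print the commands instead of running them.
AZ="${AZ:-az}"

# Pull the "Client address" out of a KeyVaultErrorException message so the
# denied IP does not have to be copied by hand.
parse_client_address() {
    printf '%s\n' "$1" | sed -n 's/.*Client address: \([0-9.]*\).*/\1/p' | head -n 1
}

# Outbound IPs of the App Service as a comma-separated string.
# Caveat: these addresses are shared with other apps on the same scale unit
# and can change when the plan is scaled, so re-run this after such changes.
webapp_outbound_ips() {
    "$AZ" webapp show --name "$1" --resource-group "$2" \
        --query outboundIpAddresses --output tsv
}

# Add every IP in a comma-separated list to the vault firewall allow list.
allow_ips() {
    vault="$1"; rg="$2"; ips="$3"
    printf '%s\n' "$ips" | tr -d ' ' | tr ',' '\n' | while read -r ip; do
        [ -n "$ip" ] || continue
        "$AZ" keyvault network-rule add --name "$vault" --resource-group "$rg" \
            --ip-address "$ip"
    done
}

# One-shot fix for the case in the log: allow the address the vault rejected.
allow_denied_ip() {
    ip=$(parse_client_address "$3")
    [ -n "$ip" ] || { echo "no Client address found in error text" >&2; return 1; }
    allow_ips "$1" "$2" "$ip"
}

# Constructed sample in the shape of the 403 message above (values from the log).
SAMPLE_ERROR='Status code 403, {"error":{"code":"Forbidden","message":"Client address is not authorized and caller is not a trusted service.\r\nClient address: 52.149.164.134\r\nCaller: appid=...","innererror":{"code":"ForbiddenByFirewall"}}}'

# Usage (real run):  allow_denied_ip MY-VAULT MY-RG "$SAMPLE_ERROR"
# Or allow the whole outbound set:
#   allow_ips MY-VAULT MY-RG "$(webapp_outbound_ips MY-APP MY-RG)"
```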
More references:
https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet
https://docs.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app
GitHub example:
Version lookup: