Exam AZ-400 topic 4 question 9 discussion

Actual exam question from Microsoft's AZ-400
Question #: 9
Topic #: 4

You create a Microsoft ASP.NET Core application.
You plan to use Azure Key Vault to provide secrets to the application as configuration data.
You need to create a Key Vault access policy to assign secret permissions to the application. The solution must use the principle of least privilege.
Which secret permissions should you use?

  • A. List only
  • B. Get only
  • C. Get and List
Suggested Answer: B

Comments

ttm_19
Highly Voted 5 years ago
Get only is enough. Tested!
upvoted 63 times
xRiot007
1 year, 11 months ago
Let's not be more catholic than the Pope, as the saying goes. Get and List are both read only and to be used in the pipeline, where Get will fetch a specific key-value entry and List will fetch all entries: https://azuredevopslabs.com/labs/vstsextend/azurekeyvault/
upvoted 5 times
Kent_020
1 year, 8 months ago
Thank you!
upvoted 1 times
hipana8796
5 years ago
I think get alone would fail if you try to obtain all secrets from the KV.
upvoted 3 times
ttm_19
5 years ago
If you need to read/provide to the webapp a list of secrets at once - yes, it will need List as well. But do we need to provide such list, or just a specific secret on request? Tested with .netcore webapp (3.1), deployed to an App Service, retrieving values from 2 keyvault secrets. Values are defined as Application Settings in the App Svc, with a reference to the keyvault: @Microsoft.KeyVault(SecretUri= {uri to the secret here}) . And it worked with only GET permission!
upvoted 18 times
d0bermannn
3 years, 9 months ago
no way, we must go step by step our honorable coder stars to know their exact rights in system
upvoted 1 times
ttm_19
5 years ago
The scenario described by me is the most common - having a number of settings and retrieving their values. Example: KeyVaultSecret secret1 = client.GetSecret("mySecret1"); KeyVaultSecret secret2 = client.GetSecret("mySecret2"); In fact, in the SecretsClient class (https://docs.microsoft.com/en-us/dotnet/api/azure.security.keyvault.secrets.secretclient?view=azure-dotnet) there is no method for listing available secrets (only the deleted ones).
upvoted 4 times
xRiot007
1 year, 11 months ago
Just to make myself understood. If a value should not be used by an APP, it should not exist in that Key Vault to begin with. We use a Key vault to secure values not from apps, but from malicious human actors.
upvoted 2 times
kaikailiang
Highly Voted 5 years ago
I think "Get and List" is the correct answer.
upvoted 9 times
prashantjoge
3 years, 2 months ago
When you want to access secrets: Ensure the Azure service connection has at least Get and List permissions on the vault. You can set these permissions in the Azure porta
upvoted 1 times
upliftinghut
Most Recent 4 days, 9 hours ago
Selected Answer: C
Reference Safiqee
upvoted 1 times
cma2109
6 months, 2 weeks ago
Selected Answer: B
I would say GET. The question mentions least privilege, meaning the application should not have access to all the secrets, it should have access to only the particular secret in need. Hence GET will be the least privilege even though both are read only.
upvoted 2 times
shafiqeee
6 months, 4 weeks ago
Selected Answer: C
https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-7.0 11. Open Secret permissions and provide the app with Get and List permissions.
upvoted 3 times
Lubomir
7 months, 2 weeks ago
We use WebApp to access KV with Get and List permission for the secrets. After removing this permission and creating new to Get only (and restarting web app) I received error with list permission missing information. So I did it again, removed permission and created new to only list secrets and restarted web app, error changed to missing get permission (as expected). For me, we need both Get and List permissions.
upvoted 1 times
ozbonny
1 year, 4 months ago
Selected Answer: C
I think get and list C
upvoted 1 times
vsvaid
1 year, 6 months ago
Selected Answer: B
I think B as it is a case of least privilege. No need for list
upvoted 1 times
thuvh
1 year, 7 months ago
Selected Answer: C
Get and List: https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-7.0
upvoted 1 times
Tyler2023
1 year, 9 months ago
The "get" permission is enough. Get: This permission allows the application to retrieve (read) secrets from the Key Vault. It's typically the most basic permission you would grant to an application that needs access to secrets. List: This permission allows the application to list the names of secrets in the Key Vault. It doesn't provide access to the values of the secrets, only the names. You might need this permission if your application needs to discover the names of secrets dynamically.
upvoted 6 times
ieboaix
1 year, 10 months ago
C. Both Get and List are read-only and there is nothing less than read-only. Based on https://learn.microsoft.com/en-us/answers/questions/133948/list-and-get-key-operations-in-azure-key-vault. I didn't see any less secure for list operation.
upvoted 1 times
yana_b
1 year, 10 months ago
Selected Answer: B
Get only
upvoted 3 times
flafernan
1 year, 11 months ago
B: within least privilege rules, by granting “Get only” permission, application will only be able to retrieve values of secrets from Azure Key Vault, but will not be allowed to list all secrets in Key Vault. This ensures that the application only has access to the specific secrets it needs, without excessive or necessary access to other secrets.
upvoted 2 times
icedog
2 years ago
Selected Answer: B
Well I use Get only on our platform B. is the correct answer
upvoted 2 times
zellck
2 years ago
Selected Answer: C
C is the answer. https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-key-vault?view=azure-devops&tabs=yaml#set-up-azure-key-vault-access-policies For Secret permissions, select Get and List.
upvoted 1 times
zellck
2 years ago
C is the answer. https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-key-vault?view=azure-devops&tabs=yaml#set-up-azure-key-vault-access-policies For Secret permissions, select Get and List.
upvoted 1 times
318touring
2 years, 1 month ago
Selected Answer: C
Get and List 1. Tested using this tutorial: https://azuredevopslabs.com/labs/vstsextend/azurekeyvault/ 2. Set Access Policy in KV for the SP to Get only. The release returned this error: "does not have secrets list permission on key vault 'az400test;location=australiaeast'" 3. Added 'List' for the Access Policy for the SP, and the Release finished successfully
upvoted 3 times
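The comments above disagree because different access patterns exercise different secret permissions. The C# probe below is an added example, not code from the thread or from Microsoft: it runs one read-by-name call and one enumeration call under the current identity and reports which the access policy permits. The KEY_VAULT_URI environment variable is a hypothetical name chosen for this example, and the secret name mySecret1 is borrowed from ttm_19's snippet.

```csharp
// Added example. Requires the Azure.Security.KeyVault.Secrets and
// Azure.Identity NuGet packages. KEY_VAULT_URI is an assumed variable name.
using System;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultPermissionProbe
{
    // Runs one Key Vault operation and maps the outcome to a short label.
    static string Try(Action operation)
    {
        try { operation(); return "allowed"; }
        catch (RequestFailedException ex) when (ex.Status == 403)
        { return "denied (403 Forbidden)"; }
        catch (RequestFailedException ex)
        { return $"passed authorization, failed with HTTP {ex.Status}"; }
    }

    public static void Main()
    {
        string uri = Environment.GetEnvironmentVariable("KEY_VAULT_URI")
            ?? throw new InvalidOperationException("Set KEY_VAULT_URI first.");
        var client = new SecretClient(new Uri(uri), new DefaultAzureCredential());

        // Reading one secret by name exercises the Get secret permission.
        string get = Try(() => { _ = client.GetSecret("mySecret1").Value; });

        // Enumerating secret names exercises the List secret permission.
        string list = Try(() =>
        {
            foreach (SecretProperties p in client.GetPropertiesOfSecrets())
                Console.WriteLine($"  listed: {p.Name}");
        });

        Console.WriteLine($"Get  (GetSecret):              {get}");
        Console.WriteLine($"List (GetPropertiesOfSecrets): {list}");
    }
}
```

An App Service Key Vault reference resolves a single secret URI, whereas the ASP.NET Core Key Vault configuration provider (AddAzureKeyVault) enumerates the vault's secrets when it loads; run the probe under the application's own identity to see which of the two calls its policy allows.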