Exam AZ-304 topic 2 question 65 discussion

Given answer is correct

There is no "Create" or "Import" permission for Secrets, only "Set".

list Import

I say backup and import are the only 2 ways- or... use a read only copy in the other region- MS says you can't move a Secret to another region- or if you do- backup and import is it! https://docs.microsoft.com/en-us/azure/key-vault/general/move-region#prerequisites https://docs.microsoft.com/en-us/answers/questions/199024/how-to-copy-azure-keyvault-secrets-to-other-subscr.html

MS says you can't move a Secret to another region- or if you do- backup and import is it! https://docs.microsoft.com/en-us/azure/key-vault/general/move-region#prerequisites https://docs.microsoft.com/en-us/answers/questions/199024/how-to-copy-azure-keyvault-secrets-to-other-subscr.html Below is all a rabitt hole for cross region- use read only copy instead for cross region! This https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal Leads to this-Authenticate to key vault in code- https://docs.microsoft.com/en-us/azure/key-vault/general/authentication Leads to this Azure Key Vault developer's guide | Microsoft Docs

The question / answers are flawed. The question specifically asked "copy all the SECRETS" - not keys, not certificates. And for secrets, there is no "create" or "import" operations but only "set". Some may argue it is about the Key Vault it self, so "Create" is applicable. But KV2 has already been created. The only argument to make "Import" applausible is the text label used in Azure Portal. However, the label reads "Generate/Import". I guess I just need to roll the dice for this question.

I think it would be 'Import' for the second box: Import Key: 'Imports an externally created key, stores it, and returns key parameters and attributes to the client.' https://docs.microsoft.com/en-us/rest/api/keyvault/import-key/import-key Create key: 'Creates a new key, stores it, then returns key parameters and attributes to the client.' https://docs.microsoft.com/en-us/rest/api/keyvault/create-key/create-key Technically, both solutions are valid, but may be Import is more appropiate, becouse the key already exists. The Import key help page says ..'Imports an externally created key,...', so, in this case, the key has already been created, in the first vault.

1. List all keys 2. For each key, "Get Key" 3. For each response, "Import" Why is it Import and not Create? "Get Key" response is of type "KeyBundle" https://docs.microsoft.com/en-us/rest/api/keyvault/get-key/get-key#keybundle KeyBundle includes key of type "JsonWebKey". "Create Key" request body does not include JsonWebKey (it is not for pre-existing keys). https://docs.microsoft.com/en-us/rest/api/keyvault/create-key/create-key#request-body Import Key request body DOES include JsonWebKey. https://docs.microsoft.com/en-us/rest/api/keyvault/import-key/import-key#request-body

Working in PowerShell you would need to "import" the secrets into KV2. The first box is correct but perhaps the second box should be "import." Any rebuttal is welcome.

Given answers are correct.

I would go with List & Import If you check API response body for Get Key and Import Key, they match each other. But Create Key API request body needs more fields.

I would say List to copy from KV1 Import to copy to KV2