Nov 30, 2022
Nov 06, 2023
CMS Core
Closed, Acceptance tests pass
On DXP, clients can use KeyVault for data encryption and decryption. There are two ways for KeyVault authentication:
Currently, to add data protection for BLOB storage, clients call the AddDataProtectionToBlobStorage() extension method, which instantiates DefaultAzureCredentialOptions. The instance carries the settings for both environment credentials and managed identity, which are used for KeyVault authentication. By default, environment credentials are tried first, and only if that authentication fails is managed identity used. This is inconvenient for clients, who prefer managed identity (more modern and more widely used than environment credentials).
By default, environment credentials should be skipped during authentication and managed identity used instead. This is done by creating the options instance in the extension method with the following code:
    new DefaultAzureCredentialOptions
    {
        ExcludeEnvironmentCredential = true
    }
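As an added illustration (not Optimizely's code and not the body of AddDataProtectionToBlobStorage()), the following shows the default credential chain next to the corrected options, and how a client would hand the resulting credential to the Data Protection key ring. The blob URI, Key Vault key URI and the optional user-assigned identity client id are placeholders.

```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public static class KeyVaultCredentialSetup
{
    // Before: environment variables (AZURE_CLIENT_ID / AZURE_CLIENT_SECRET
    // or AZURE_CLIENT_CERTIFICATE_PATH) are consulted first; managed
    // identity is only reached if EnvironmentCredential fails.
    public static TokenCredential DefaultChain() =>
        new DefaultAzureCredential(new DefaultAzureCredentialOptions());

    // After: EnvironmentCredential is removed from the chain, so a stray
    // or stale AZURE_* variable on the host can no longer be picked up
    // ahead of the managed identity assigned to the app.
    public static TokenCredential ManagedIdentityFirst(string? userAssignedClientId = null) =>
        new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ExcludeEnvironmentCredential = true,
            // Optional: select a user-assigned identity instead of the
            // system-assigned one (placeholder value supplied by caller).
            ManagedIdentityClientId = userAssignedClientId
        });

    // Wires the credential into ASP.NET Core Data Protection: keys are
    // persisted to Blob storage and wrapped with a Key Vault key. Both
    // URIs are placeholders, not values from this issue.
    public static IServiceCollection AddBlobKeyRing(this IServiceCollection services)
    {
        TokenCredential credential = ManagedIdentityFirst();

        services.AddDataProtection()
            .PersistKeysToAzureBlobStorage(
                new Uri("https://<storage-account>.blob.core.windows.net/<container>/keys.xml"),
                credential)
            .ProtectKeysWithAzureKeyVault(
                new Uri("https://<vault-name>.vault.azure.net/keys/<key-name>"),
                credential);

        return services;
    }
}
```

PersistKeysToAzureBlobStorage and ProtectKeysWithAzureKeyVault come from the Azure.Extensions.AspNetCore.DataProtection.Blobs and .Keys packages respectively; the same TokenCredential instance is shared so both stores authenticate through the managed identity.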