Secret security in containerised environment

Çağlar Arlı

I've been having a discussion with a developer about storing sensitive information in environment variables, specifically within a containerised environment such as Azure Container Apps.

Background information
In Container Apps you are able to pass secrets during the container build process from the Azure environment. These are then exposed as system-wide env variables within the container.

My thought process here is that although the container configuration very much limits the risk, it doesn't remove it completely. While there are very few running processes that would also be able to access the env variables, one of those processes is internet facing. Also, anyone that can access the container environment in Azure can access these secrets.

My preferred method is to obtain the secrets as needed from the Azure Key Vault, but this poses some technical code challenges.

Lots of frameworks, blogs and guides suggest that accessing this information from environment variables is fine. However, I also get the sense that this was because vaults are relatively new and it was just the best choice before.

Question:

Is storing secrets in environment variables as secure as using a key vault?
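
The exposure the question describes can be measured directly. The following is an added example, not part of the original post: it starts a simulated application process with a secret injected as an environment variable and reports whether a child process inherits it and whether it is still present in `/proc/self/environ`, with and without unsetting it after the first read. The variable name `DB_PASSWORD` and its value are constructed for illustration, and no Key Vault call is shown.

```python
import json
import os
import subprocess
import sys

SECRET_NAME = "DB_PASSWORD"          # hypothetical variable name
SECRET_VALUE = "constructed-sample"  # constructed value, not a real secret

# Body of the simulated application process. It reads the secret, optionally
# unsets it, then reports where the value is still reachable.
APP = r"""
import json, os, subprocess, sys
name, mode = sys.argv[1], sys.argv[2]
secret = os.environ[name]
if mode == "scrub":
    del os.environ[name]             # also calls unsetenv() for future children
probe = "import os, sys; print(sys.argv[1] in os.environ)"
child = subprocess.run([sys.executable, "-c", probe, name],
                       capture_output=True, text=True, check=True)
try:
    with open("/proc/self/environ", "rb") as f:
        in_proc = secret.encode() in f.read()
except OSError:
    in_proc = None                   # no procfs (non-Linux platform)
print(json.dumps({"child_inherits": child.stdout.strip() == "True",
                  "in_proc_environ": in_proc}))
"""

def exposure(mode):
    """Start the simulated app with the secret injected as an env variable.

    mode is "keep" (secret stays in the environment) or "scrub" (read once,
    then unset). Returns which views of the process still show the secret.
    """
    env = dict(os.environ, **{SECRET_NAME: SECRET_VALUE})
    out = subprocess.run([sys.executable, "-c", APP, SECRET_NAME, mode],
                         env=env, capture_output=True, text=True, check=True)
    return json.loads(out.stdout)

if __name__ == "__main__":
    for mode in ("keep", "scrub"):
        print(mode, exposure(mode))
```

On Linux, unsetting the variable stops inheritance by child processes, but the initial environment block read through `/proc/<pid>/environ` still contains the value for the lifetime of the process. A secret fetched at runtime from a vault never enters that block.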