I am trying to understand the security benefits that Azure Key Vault would offer (or equally AWS KMS).
I understand the benefits of key management: being able to easily rotate, change, and audit key access.
What perplexes me a little, though, is how it is more secure.
As I understand it, if I develop a web application and want to protect my connection string (for instance) I can create a key pair in Key Vault and save it there. I then create an application in AAD, and use the client ID/Secret/URI to authenticate to Key Vault to obtain my connection string. There is also the possible benefit of restricting that further by Resource Group.
However, this now means I have a client ID/Secret/URI to protect.
How is this better?
P.S. I'm not a developer! I just like to poke around in these things to understand them from a devops point of view. So if you could aim your answer at the typical clueless ops guy, that would be appreciated ;)