About Azure key vault: https://docs.microsoft.com/en-us/azure/key-vault/basic-concepts
We - as well as many other - add signin information (either just username and password, or whole connection strings) to Azure key vault.
Example user scenario: You have a script that need to connect to a database and fetch some data. As you are concerned with security you do not want username and password to be written in the script. Instead you use a secret, stored in key vault, to get a connection string that the script can use.
You, as a user with access to keyvault, run the script. The script connects to keyvault and fetches the connection string and uses it to connect to the database. No password or username is floating around.
If the username or password changes, the connection string is updated in the keyvault and everything continues to work.
For Discovery Hub the scenario is mutch the same - so Discovery Hub should just store the reference to the keyvault and get the password (or the whole connection string) from the keyvault.
If the username or password changes - it is updated in the keyvault - and Discovery Hub will continue to work - as it get's the username/password from the key vault.
This would free us from needing to update username and password in Discovery Hub when needs to rotate or by other means change the passwords.
Best regards, Trond-Eirik