C
C#•12mo ago
RodF

I'm working to get secrets out of our source code, into Azure Key Vault.

I had been following a LinkedIn Learning course from some years ago, but I think the state of technology has moved on from when that course had been made. So, then I searched for something more up to date. I found an article in Microsoft Learn on how to configure Azure Key Vault to manage secrets. I downloaded the AspNetCore.Docs repo as a .zip file, expanded it and went to the KeyVaultConfigurationSample. Following along in the MS Learn doc I came across this sentence:
The Managed version of the sample must be deployed to Azure.
There is NO WAY that is going to happen, in my work environment. I doubt that there were be many apps that will be deployed to Azure. I'm just trying to get the secrets into Azure Key Vault, then all developers (including myself) can build locally and deploy to Intranet sites within our network. What do I need to do to make this work, with Azure Key Vault and websites within our domain? Here's the URL to the MS Learn course: https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-8.0
Azure Key Vault configuration provider in ASP.NET Core
Learn how to use the Azure Key Vault configuration provider to configure an app using name-value pairs loaded at runtime.
11 Replies
Pobiega
Pobiega•12mo ago
Just a keyvault. You can then connect to the keyvault using a cert to authenticate and from there yuo have access to the certs/keys/secrets in the vault.
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);

if (builder.Environment.IsProduction())
{
using var x509Store = new X509Store(StoreLocation.CurrentUser);

x509Store.Open(OpenFlags.ReadOnly);

var x509Certificate = x509Store.Certificates
.Find(
X509FindType.FindByThumbprint,
builder.Configuration["AzureADCertThumbprint"],
validOnly: false)
.OfType<X509Certificate2>()
.Single();

builder.Configuration.AddAzureKeyVault(
new Uri($"https://{builder.Configuration["KeyVaultName"]}.vault.azure.net/"),
new ClientCertificateCredential(
builder.Configuration["AzureADDirectoryId"],
builder.Configuration["AzureADApplicationId"],
x509Certificate));
}

var app = builder.Build();
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);

if (builder.Environment.IsProduction())
{
using var x509Store = new X509Store(StoreLocation.CurrentUser);

x509Store.Open(OpenFlags.ReadOnly);

var x509Certificate = x509Store.Certificates
.Find(
X509FindType.FindByThumbprint,
builder.Configuration["AzureADCertThumbprint"],
validOnly: false)
.OfType<X509Certificate2>()
.Single();

builder.Configuration.AddAzureKeyVault(
new Uri($"https://{builder.Configuration["KeyVaultName"]}.vault.azure.net/"),
new ClientCertificateCredential(
builder.Configuration["AzureADDirectoryId"],
builder.Configuration["AzureADApplicationId"],
x509Certificate));
}

var app = builder.Build();
this is almost exactly how we do it at work
RodF
RodFOP•12mo ago
Thank you!!
Pobiega
Pobiega•12mo ago
its just a code snippet from the article you linked 😛
RodF
RodFOP•12mo ago
Aw! I'm sorry, I didn't get far enough into it to have seen that. I was stopped by that Azure-only business.
RodF
RodFOP•12mo ago
I've got a clarification question for you. At this point I don't see us using certificates, like the X509 referenced in the C# code. Can I just skip that, or is the C509 requrired?
Pobiega
Pobiega•12mo ago
How do you plan to authenticate your access to the vault?
RodF
RodFOP•12mo ago
I thought that was being handled through the App Registration. Then I'd put the client secret into the appSettings.json file. At least that's how the LinkedIn Learning course handled it
Pobiega
Pobiega•12mo ago
¯\_(ツ)_/¯ Might be possible
RodF
RodFOP•12mo ago
OK, I'll give that a try. But if it doesn't, then I have the code snippet you provided. Thank you again!! 🙂
aquaritek
aquaritek•11mo ago
I recently had some issues with this and if you're using RBAC with your Key Vault and your developers have Entra Identities and use those to log into Visual Studio or VSCode then you're already done and don't need any fancy setup. You can use the Azure.Identity nuget with it's DefaultAzureCredential() type used like this: var azureSettings = builder.Configuration.GetSection("Azure"); builder.Configuration.AddAzureKeyVault( new Uri($"https://{azureSettings["KeyVault"]}.vault.azure.net/"), new DefaultAzureCredential()); DefaultAzureCredential will grab the identity registered in visual studio and access the resource. You need to be mindful of your network layer of course but that's a different topic. This allows developers to only need the Key Vault Name in the appsettings.json and bobs your uncle. You will need to provision in the Azure Key Vault IAM each of the developers or even a group with access writes to the key vault but that is extremely easy. Clean as a whistle and doesn't require any certificate management at all. Some source content: https://github.com/Azure/azure-sdk-for-net/blob/Azure.Extensions.AspNetCore.Configuration.Secrets_1.3.1/sdk/identity/Azure.Identity/README.md

Did you find this page helpful?