Where to store passwords and ApiKeys for production ASP.NET
Hi, im new to publishing web apps in asp.net core and I dont understand where to store my connectionstring and my ApiKeys. Someone was saying Environment Variables like the one ASPNETCORE_ENVIRONMENT is set like so I made them exactly like that by selectiong my project => properties => debug => set env var.
But then someone else said that environment variables is not for production, is there different types of environment variables? Im so lost. ChatGPT said yesterday environment variables is for production, today it sais its only for development.
20 Replies
So with env variables I cant see or select the connectionstring when publishing the app
Configuration in ASP.NET Core
Learn how to use the Configuration API to configure AppSettings in an ASP.NET Core app.
I cant find where or how to store secrets in production
how are you deploying it?
https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts
https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
etc.
What is Azure Key Vault?
Learn how Azure Key Vault safeguards cryptographic keys and secrets that cloud applications and services use.
What is AWS Secrets Manager? - AWS Secrets Manager
AWS Secrets Manager is a web service that you can use to centrally manage the lifecycle of secrets.
im publishing the web app with import profile, I usually select the database to use but when using env variable the db connection string is not there
in this pic I can select the db and connectionstring bec I added them into appsettings but in production I was told I cannot have the secrets in appsettings
are you using a LocalDB instance in prod?
:pikawhat:
I changed it to the local db when I took the picture lol to not show my real db with password
Is Azure Key Vault a thing even tho im not hosting my web app with Azure?
then use your hosting equivalent
oh maybe they have their own, ill see, im using smarterasp.net
also, nowadays storing a static user/password in DB connection string is not a good practice
I see
take a look at the concept of "managed entities"
Maybe the best would be to switch to azure and use their key vault to ensure im doin best practise instead of some other cheap company lol
depending on the project complexity Azure services can be cheap
I see, Im building an project similar to an marketplace and in best scenario there will be maybe up to 2000 pictures uploading into it
for pictures you should use a storage container
don't bundle them into the project
oh thanks, so its not uploaded to the database?