Azure Key Vault is the intended place to store secrets on Azure without checking them into source control.

Managed Identities

Managed identities allow Azure resources to authenticate to other Azure resources without the application having to store or manage any credential of its own.

The authentication is handled by the Azure platform and delivered transparently to our applications: the code asks for a token and receives one, and no secret for that exchange ever lives in configuration or source control.

Authentication

Authentication to a Key Vault is performed through your organisation tenant's Azure AD, which gets bound to the resource when the managed identity is created.

For App Services, managed identities can be turned on with the following setting:

Once this step is done, the App Service has a service principal created inside the tenant's AD and can be referenced from the Key Vault.

Authorisation

Authorization happens by creating an access policy inside the Key Vault and referencing the identity from it. Grant only what the application needs: for reading configuration values, the Get and List permissions on secrets are sufficient, and the identity should receive no key or certificate permissions at all.

Read a secret from a .NET Core application

I will use the same application as in the previous article, where I showed how to store secrets during development.

Starting from where I left off, I will now reference the NuGet packages “Microsoft.Azure.KeyVault”, “Microsoft.Azure.Services.AppAuthentication” and “Microsoft.Extensions.Configuration.AzureKeyVault”.

I will then configure the packages in “Program.cs”.

I will then add the same “Settings:Secret” setting used in the previous article as a secret inside the Key Vault. Key Vault secret names only allow alphanumeric characters and dashes, so to store hierarchical configuration keys we replace the colon with two dashes (“Settings--Secret”); the configuration provider maps the two dashes back to a colon when it loads the secret:
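The wiring these three steps describe, as an added example rather than the author's own Program.cs (which the original showed only as a screenshot). It assumes the vault name is read from a hypothetical “KeyVault:Name” setting and that the application already has a Startup class; both are assumptions, not something the page states.

```csharp
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;

public class Program
{
    public static void Main(string[] args) => CreateWebHostBuilder(args).Build().Run();

    // Key Vault secret names allow only letters, digits and dashes, so the
    // configuration key "Settings:Secret" is stored as "Settings--Secret".
    // DefaultKeyVaultSecretManager performs the reverse mapping on load.
    public static string ToVaultSecretName(string configurationKey) =>
        configurationKey.Replace(":", "--");

    public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // In Development the user-secrets store from the previous
                // article already supplies "Settings:Secret"; only consult
                // Key Vault for the other environments (Production here).
                if (context.HostingEnvironment.IsDevelopment())
                {
                    return;
                }

                // Assumption: the vault name lives in ordinary configuration
                // (appsettings / App Service settings) under "KeyVault:Name".
                var builtConfig = config.Build();
                var vaultName = builtConfig["KeyVault:Name"];
                var vaultUri = $"https://{vaultName}.vault.azure.net/";

                // AzureServiceTokenProvider obtains an access token from the
                // App Service managed identity; no client secret or
                // certificate is held by the application for this exchange.
                var tokenProvider = new AzureServiceTokenProvider();
                var keyVaultClient = new KeyVaultClient(
                    new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

                // Registers the vault as a configuration source. Every secret
                // the identity is allowed to List and Get becomes a key, e.g.
                // "Settings--Secret" is exposed as "Settings:Secret".
                config.AddAzureKeyVault(vaultUri, keyVaultClient, new DefaultKeyVaultSecretManager());
            })
            .UseStartup<Startup>();
}
```

Because the Key Vault source is added last, its values override anything with the same key from appsettings.json or environment variables, which is the behaviour you want for a secret. The Development short-circuit is what keeps the development slot reading the local setting instead of the vault.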

Deploy and Test

After checking that the application has “ASPNETCORE_ENVIRONMENT” set to “Production”,

I will deploy the application and see the result:

Using the development deployment slot instead will pick up the development setting:

Conclusions

Azure Key Vault integrates seamlessly with .NET Core, is easy to configure and lets you safely store all your secrets in one central place accessible from all your applications, with each application authenticating through its own managed identity rather than a shared credential.

Useful Links

Here: the same steps repeated for classic .NET

Written by Alberto De Natale

Alberto De Natale is a passionate tech-enthusiast software developer.