C#•5mo ago
RodF

I'm working to get secrets out of our source code, into Azure Key Vault.

I had been following a LinkedIn Learning course from some years ago, but I think the state of technology has moved on from when that course had been made. So, then I searched for something more up to date. I found an article in Microsoft Learn on how to configure Azure Key Vault to manage secrets. I downloaded the AspNetCore.Docs repo as a .zip file, expanded it and went to the KeyVaultConfigurationSample. Following along in the MS Learn doc I came across this sentence:
The Managed version of the sample must be deployed to Azure.
There is NO WAY that is going to happen, in my work environment. I doubt that there were be many apps that will be deployed to Azure. I'm just trying to get the secrets into Azure Key Vault, then all developers (including myself) can build locally and deploy to Intranet sites within our network. What do I need to do to make this work, with Azure Key Vault and websites within our domain? Here's the URL to the MS Learn course: https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-8.0
11 Replies
Pobiega
Pobiega•5mo ago
Just a keyvault. You can then connect to the keyvault using a cert to authenticate and from there you have access to the certs/keys/secrets in the vault.
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);

if (builder.Environment.IsProduction())
{
    using var x509Store = new X509Store(StoreLocation.CurrentUser);

    x509Store.Open(OpenFlags.ReadOnly);

    var x509Certificate = x509Store.Certificates
        .Find(
            X509FindType.FindByThumbprint,
            builder.Configuration["AzureADCertThumbprint"],
            validOnly: false)
        .OfType<X509Certificate2>()
        .Single();

    builder.Configuration.AddAzureKeyVault(
        new Uri($"https://{builder.Configuration["KeyVaultName"]}.vault.azure.net/"),
        new ClientCertificateCredential(
            builder.Configuration["AzureADDirectoryId"],
            builder.Configuration["AzureADApplicationId"],
            x509Certificate));
}

var app = builder.Build();
this is almost exactly how we do it at work
RodF
RodF•5mo ago
Thank you!!
Pobiega
Pobiega•5mo ago
it's just a code snippet from the article you linked 😛
RodF
RodF•5mo ago
Aw! I'm sorry, I didn't get far enough into it to have seen that. I was stopped by that Azure-only business.
RodF
RodF•5mo ago
I've got a clarification question for you. At this point I don't see us using certificates, like the X509 referenced in the C# code. Can I just skip that, or is the X509 required?
Pobiega
Pobiega•5mo ago
How do you plan to authenticate your access to the vault?
RodF
RodF•5mo ago
I thought that was being handled through the App Registration. Then I'd put the client secret into the appSettings.json file. At least that's how the LinkedIn Learning course handled it
Pobiega
Pobiega•5mo ago
¯\_(ツ)_/¯ Might be possible
RodF
RodF•5mo ago
OK, I'll give that a try. But if it doesn't, then I have the code snippet you provided. Thank you again!! 🙂
aquaritek
aquaritek•4mo ago
I recently had some issues with this and if you're using RBAC with your Key Vault and your developers have Entra Identities and use those to log into Visual Studio or VSCode then you're already done and don't need any fancy setup. You can use the Azure.Identity nuget with its DefaultAzureCredential() type used like this:

    var azureSettings = builder.Configuration.GetSection("Azure");
    builder.Configuration.AddAzureKeyVault(
        new Uri($"https://{azureSettings["KeyVault"]}.vault.azure.net/"),
        new DefaultAzureCredential());

DefaultAzureCredential will grab the identity registered in Visual Studio and access the resource. You need to be mindful of your network layer of course but that's a different topic. This allows developers to only need the Key Vault Name in the appsettings.json and Bob's your uncle. You will need to provision in the Azure Key Vault IAM each of the developers or even a group with access rights to the key vault but that is extremely easy. Clean as a whistle and doesn't require any certificate management at all. Some source content: https://github.com/Azure/azure-sdk-for-net/blob/Azure.Extensions.AspNetCore.Configuration.Secrets_1.3.1/sdk/identity/Azure.Identity/README.md
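Putting the two answers in this thread together, here is an added example (not from the thread or the MS Learn sample) of a Program.cs that uses DefaultAzureCredential on developer machines and the app-registration certificate on an intranet server, and fails at startup if the vault did not actually supply a secret. The configuration keys under "Azure", the secret name "Db--ConnectionString" and the LoadCertificate helper are assumptions made for this example.

```csharp
using Azure.Core;
using Azure.Identity;
using System.Security.Cryptography.X509Certificates;

var builder = WebApplication.CreateBuilder(args);

// Constructed config keys (assumption): Azure:KeyVault, Azure:TenantId, Azure:ClientId,
// Azure:CertThumbprint. Only the vault name and identifiers live in appsettings.json;
// no client secret does, so there is nothing secret left in source control.
var azure = builder.Configuration.GetSection("Azure");
var vaultUri = new Uri($"https://{azure["KeyVault"]}.vault.azure.net/");

TokenCredential credential = builder.Environment.IsDevelopment()
    // Developer workstation: reuse the Entra sign-in from Visual Studio / VS Code / Azure CLI,
    // which requires the developer (or a group) to hold a Key Vault RBAC role on the vault.
    ? new DefaultAzureCredential()
    // Intranet server (no managed identity available): app registration + certificate
    // installed in the machine store, as in the cert-based snippet earlier in the thread.
    : new ClientCertificateCredential(
        azure["TenantId"],
        azure["ClientId"],
        LoadCertificate(azure["CertThumbprint"]!));

builder.Configuration.AddAzureKeyVault(vaultUri, credential);

var app = builder.Build();

// Fail fast: a wrong thumbprint, a missing RBAC assignment or a blocked network path
// should show up as a startup error in the logs, not as a null connection string later.
// "Db--ConnectionString" is a constructed secret name; '--' maps to ':' in configuration.
if (string.IsNullOrEmpty(app.Configuration["Db:ConnectionString"]))
    throw new InvalidOperationException("Key Vault secret 'Db--ConnectionString' was not loaded.");

app.MapGet("/", () => "ok");
app.Run();

static X509Certificate2 LoadCertificate(string thumbprint)
{
    // LocalMachine store so the IIS app pool identity can read it; that identity also
    // needs read access to the certificate's private key, nothing more.
    using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    var match = store.Certificates
        .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
        .OfType<X509Certificate2>()
        .SingleOrDefault();
    return match ?? throw new InvalidOperationException(
        $"Certificate with thumbprint {thumbprint} not found in LocalMachine\\My.");
}
```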