Today I’ll show you how to properly secure and access your .NET application secrets via Azure Key Vault.
You probably know you shouldn’t be storing API keys, connection strings, and passwords in your code, so hopefully you use something like the .NET Secret Manager during local development.
But how do you get those same secrets into your app once it runs in the cloud, while keeping your code clean and following best practices?
Azure Key Vault is the solution for this and the best thing is that it integrates beautifully with ASP.NET Core, so you can retrieve those secrets as if you were reading your appsettings.json config values.
In this tutorial, I’ll walk you through the entire process step-by-step.
Let’s get started.
What is Azure Key Vault?
Azure Key Vault is a cloud-based service designed to store and securely manage application secrets.
It’s the right place to store your connection strings, API keys, and passwords, so they stay away from your code base, but you can also store encryption keys and certificates.
In addition, Key Vault provides:
- Versioning. Each time you update a secret, a new version is created, and your code can reference either the latest version or whichever previous version is needed.
- Access Control. Define granular permissions through Azure RBAC (Role-Based Access Control) to determine which users or applications can access specific secrets.
- Monitoring and Logging. Track who accessed secrets and when through detailed audit logs and Azure Monitor integration.
Let’s see how an ASP.NET Core app can read secrets from a Key Vault, step-by-step.
Step 1: Create your Key Vault
If you don’t have one already, you can quickly create a Key Vault from the Azure Portal by providing a name, a region, and your pricing tier:
Once created, the main detail you will need later in your app code is the vault URI, available in the Overview blade:
Next, you should configure your permissions.
Step 2: Add permissions
Key vaults are very secure by default. This means that even if you created the vault, you won’t be authorized to start adding secrets:
For this, go to the Access control blade, and assign yourself the Key Vault Secrets Officer role:
Now you are ready to start adding secrets to your vault.
Step 3: Create the secret
Let’s say we need to store our OpenAI API key in our Key Vault, which our app will use for all its generative AI needs.
Let’s add that secret on the Objects -> Secrets blade:
Why did we use that specific pattern, with double dashes in the middle, for the secret name?
Well, because that is the pattern the Key Vault Configuration Provider for ASP.NET Core recognizes: a double dash (--) in a secret name is translated into the colon (:) that separates configuration sections, which makes reading the secret a trivial task for our app.
So a secret named OpenAI--ApiKey is read exactly as if you had added an OpenAI section containing an ApiKey value to your appsettings.json file.
But of course, we won’t add anything to appsettings.json. Let’s see what we’ll do instead.
Step 4: Read the secret
Start by installing these two NuGet packages:
- Azure.Extensions.AspNetCore.Configuration.Secrets
- Azure.Identity
Now add this to Program.cs:
That will add your Key Vault as a new configuration source to your .NET application. From here on, any secrets in your vault can be read from the standard configuration system.
Which means we can do things like this:
Which at runtime looks like this:
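Here is a complete Program.cs that wires up Steps 3 through 5 end-to-end. This is an added example, not the article's own code: it assumes the secret is named OpenAI--ApiKey (so it surfaces as OpenAI:ApiKey), that the vault URI is supplied through a configuration key I have called KeyVault:Uri (for example as an environment variable), and that the app's identity (your signed-in developer account locally, the managed identity in Azure) has been granted a Key Vault secrets role as described above. The OpenAIOptions class and the /config-check endpoint are my own additions.

```csharp
// Program.cs (added example, not the article's own code)
// NuGet packages: Azure.Extensions.AspNetCore.Configuration.Secrets, Azure.Identity
using Azure.Identity;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// The vault URI is itself configuration (assumed key name "KeyVault:Uri"),
// so nothing environment-specific is hard-coded in the source.
var vaultUri = builder.Configuration["KeyVault:Uri"];
if (!string.IsNullOrEmpty(vaultUri))
{
    // DefaultAzureCredential probes a chain of credential sources (environment variables,
    // managed identity when running in Azure, Visual Studio, Azure CLI, ...). The same line
    // therefore authenticates as the developer on a dev box and as the app's managed identity
    // in the cloud, with no client secret or key anywhere in the code base.
    builder.Configuration.AddAzureKeyVault(new Uri(vaultUri), new DefaultAzureCredential());
}

// The provider rewrites "--" to ":", so the vault secret "OpenAI--ApiKey" becomes
// "OpenAI:ApiKey" and binds to the ApiKey property of the "OpenAI" section below.
builder.Services.Configure<OpenAIOptions>(
    builder.Configuration.GetSection(OpenAIOptions.SectionName));

var app = builder.Build();

// Smoke test for a deployment: report whether the secret was resolved, but never
// return the secret value itself from an endpoint or write it to logs.
app.MapGet("/config-check", (IOptions<OpenAIOptions> opts) =>
    Results.Ok(new { openAiKeyConfigured = !string.IsNullOrEmpty(opts.Value.ApiKey) }));

app.Run();

// Strongly typed view of the "OpenAI" configuration section (assumed shape).
public sealed class OpenAIOptions
{
    public const string SectionName = "OpenAI";
    public string? ApiKey { get; set; }
}
```

Binding the section to a typed options class means the rest of the app depends on IOptions<OpenAIOptions>, not on where the value came from; swapping Key Vault for the Secret Manager locally requires no code change. If the vault URI is missing the provider is simply not registered, so the app still starts and the /config-check endpoint makes the misconfiguration visible instead of failing deep inside an OpenAI call.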
Mission accomplished!
Step 5: Cloud deployment
There are several ways to deploy .NET Web apps to the cloud. I covered the simplest way last week, so I won’t repeat that here.
But to successfully use your Key Vault integration in the Azure cloud, you want to make sure you associate a managed identity with your deployed application, as I covered here.
Then grant that managed identity the Key Vault Secrets User role in your Key Vault:
And then your deployed app will have no trouble reading secrets into your app configuration, just like it did during local development.
I go over this entire process, for a real-world e-commerce application, in the bootcamp.
New Course Available April 15!
A couple of days ago I finished recording my new course, Azure for .NET Developers, which means I’m now going through the finishing touches to have it ready for launch on April 15!
This is the 4th bootcamp course, which builds on top of the 3 previous courses and aims to serve as an introduction to the Azure cloud specifically crafted for .NET developers.
A few of the top questions answered across the 11 modules included in this new course:
- What is Azure and how to shift to cloud computing?
- How to quickly deploy ASP.NET Core apps to Azure and access them over HTTPS?
- How to use Microsoft Entra to protect your app in Azure and to provide user login and registration?
- How to store files in the cloud and serve them with minimal delay to your clients?
- How to implement passwordless communication between your app and multiple Azure services?
- How to use a cloud-native PostgreSQL database in Azure?
- How to manage application secrets in the cloud?
Plus, in the last couple of modules, I show how to deploy both a Blazor (server) app and a React (SPA) app to Azure and how to connect them to your cloud-based backend API, to experience the full-stack application end-to-end in Azure.
All current bootcamp students will get this new course on April 15 at no additional cost.
More details coming next week.
Stay tuned!
Julio
Whenever you’re ready, there are 2 ways I can help you:
- .NET Cloud Developer Bootcamp: Everything you need to build production-ready .NET applications for the Azure cloud at scale.
- Promote your business to 20,000+ developers by sponsoring this newsletter.