Ideally, the web application should not hold the secrets, and secrets should never be checked into source control. So we can keep the secrets in Key Vault. But this raises a new issue: how does the web application authenticate itself to access the secrets?
Managed identities are the solution. A managed identity lets an Azure service authenticate to other Azure services without a stored credential, so this works once the application is deployed in Azure. But before the app is deployed to Azure, it is in development.
During development, the development team still needs to access the key vault, either to debug issues or to write new code that is supposed to use secrets from the vault.
So, in this article, we will see how to keep the secrets in Key Vault and then how to access them during development from Visual Studio.
Before we begin
To follow all the steps in this article, you will need an Azure subscription. If you don’t have one, create a free account before you begin.
Create Storage Account
In the Azure Portal, go to Storage Accounts in the left navigation and click the Add button. The image below shows the create storage account panel from the Azure portal.
Create Web App
Let’s create a .NET Core web application (MVC) using Visual Studio. This application will have a file upload control on the home page and a FileUploadController which validates the files and uploads them to Azure Blob Storage.
We need to add the Azure.Storage.Blobs package to this web application.
Our application has three secrets, which are currently stored in
- AccountName, which holds the name of the storage account
- ContainerName, which holds the name of the blob container
- Key, which holds the storage access key
Below is how appsettings.json should look:
Below is the code from Startup to initialize that class from
If this application is run, it should be able to upload documents to the configured blob container. Next, let’s move these 3 values to Key Vault.
Create key vault
Follow the steps in my blog post to create the key vault.
Below is the script which shows how to create the key vault and how to add secrets to it.
Add Secrets using Portal
Let’s also see how to add secrets using Azure portal.
Log in to the Azure Portal and open the key vault instance. Then select Secrets under Settings in the left navigation of the key vault.
Next, click the Generate / Import button to add a new key or secret. The new panel lets you add secrets in the form of name / value pairs.
In addition to the name and value of the secret, we can also set an activation date and an expiration date on the secret. These dated values make key rotation / replacement easy and hassle free.
There is one more input, Enabled, which lets you enable or disable a particular secret if something has to be disabled abruptly.
For the sake of this demo, add the previously discussed secrets, i.e. the AccountName, ContainerName and Key values, to the key vault.
Next, let’s see how to access these secrets from Visual Studio.
Back in Visual Studio
So, let’s modify the solution so that the code is able to retrieve the secrets when it is executed in Visual Studio.
Add Connected Service
Right-click on the project in Solution Explorer and select Add -> Connected Service. It should present a screen as shown below.
Then select the Secure Secrets with Azure Key Vault option. It will ask you to log in. Log in using the account which has the Azure subscription.
On the next panel, there is an option to either create a new key vault or use an existing one. Select the existing vault created in the previous step and then click the Add button to add the connected service.
Add NuGet Packages
In Solution Explorer, right-click on your project and select Manage NuGet Packages. In the Browse tab, locate and install the NuGet package that matches your .NET Core version:
- for .NET Core 2 only, add Microsoft.Azure.KeyVault
- for .NET Core 3 only, add Microsoft.Azure.KeyVault.Core
Add App Configurations
The new configuration source should be added in Program.cs while creating the IHostBuilder instance. Below is the complete code from
Then remove secrets from
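As an added example, not the article's own Program.cs listing, here is one way to register Key Vault as a configuration source so the same code reads secrets from the developer's Visual Studio sign-in locally and from the managed identity once deployed. It assumes the newer Azure SDK packages Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets (instead of the Microsoft.Azure.KeyVault packages listed above) and a non-secret KeyVaultName entry in appsettings.json; both are assumptions.

```csharp
// Program.cs (added example; assumes Azure.Identity and
// Azure.Extensions.AspNetCore.Configuration.Secrets are installed).
using System;
using Azure.Identity;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args) =>
        CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // Build what has been loaded so far (appsettings.json, environment
                // variables, user secrets) to read the vault name, which is not a secret.
                var settings = config.Build();
                var vaultName = settings["KeyVaultName"]; // assumed key, e.g. "my-demo-vault"
                if (string.IsNullOrEmpty(vaultName))
                {
                    // No vault configured: fall through to local settings only,
                    // so a missing value fails visibly at first use rather than here.
                    return;
                }

                // DefaultAzureCredential tries, in order, environment credentials,
                // managed identity, and then the Visual Studio / Azure CLI sign-in.
                // The project therefore contains no client secret at all: in Azure the
                // managed identity is used, on a developer machine the signed-in user
                // (who must have a Key Vault access policy granting secret "get"/"list").
                config.AddAzureKeyVault(
                    new Uri($"https://{vaultName}.vault.azure.net/"),
                    new DefaultAzureCredential());

                // AccountName, ContainerName and Key are now served through
                // IConfiguration by their secret names, overriding any values
                // left in appsettings.json because this source is added last.
            })
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();
            });
}
```

Because the Key Vault provider is registered after the file providers, a secret present in both places is taken from the vault, which is what lets the matching entries be deleted from appsettings.json without any other code change.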
Run and Verify
Now, when the application is run from Visual Studio, it is still able to reach the blob container and upload files. That means our application is reading the secrets from Key Vault.
I hope you enjoyed this article. Let me know your thoughts.