Enrich your appsettings.json with values from Azure Keyvault
It is not a good idea to check your secret API keys, passwords, tokens and the like into source control. And because I kept on struggling with managing secrets and passwords for my solution, here is a small tutorial on how to load settings from keyvault.

Keyvault is an awesome tool to manage passwords, API keys and other secrets for your solution. It also helps you to keep things organized and store all secrets in one place!
In this tutorial we are not going to fetch secrets from keyvault by using the keyvault client. Instead we are going to extend our existing configuration provider so the values defined in keyvault can be used as appsettings!
Setting up the keyvault
First off, we need a keyvault on Azure with some secrets in it. In the keyvault create a new secret and call it test. I’m going to give it topsecret as value.

Copy the uri of your keyvault instance. In our appsettings.json create a new setting KeyVaultName and set the name of your keyvault as value. The name of your keyvault is anything before the vault.azure.net url. So if my keyvault url is mytestblog.vault.azure.net the name would be mytestblog.

Accessing the keyvault in our project
We are going to add the keyvault as a configuration provider. This means that all secrets defined in the keyvault will be available as config in our project. Later on, we can access these values just like we would access values defined in our appsettings.json.
We need to install the Azure.Extensions.AspNetCore.Configuration.Secrets NuGet package in order to access our secrets. Install it through the NuGet package manager.

Now in our program.cs we will add Azure Keyvault as a configuration provider by using the ConfigureAppConfiguration method. We will also fetch the name of our keyvault, that we configured before, from our appsettings.json so that we can use a different keyvault instance for each environment.

    var builtConfig = config.Build();
    var secretClient = new SecretClient(
        new Uri($"https://{builtConfig["KeyVaultName"]}.vault.azure.net/"),
        new DefaultAzureCredential());
    config.AddAzureKeyVault(secretClient, new KeyVaultSecretManager());

Your method should now look like this:

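    using System;
    using Azure.Extensions.AspNetCore.Configuration.Secrets;
    using Azure.Identity;
    using Azure.Security.KeyVault.Secrets;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.Hosting;
    using Serilog;

    public static IHostBuilder CreateHostBuilder(string[] args)
    {
        return Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder
                    .UseSerilog()
                    .CaptureStartupErrors(true)
                    .UseStartup<Startup>();
            }).ConfigureAppConfiguration((context, config) =>
            {
                // Build what has been loaded so far to read KeyVaultName from appsettings.json.
                var builtConfig = config.Build();
                // DefaultAzureCredential tries the available credential sources
                // (environment, managed identity, developer sign-in) in turn.
                var secretClient = new SecretClient(
                    new Uri($"https://{builtConfig["KeyVaultName"]}.vault.azure.net/"),
                    new DefaultAzureCredential());
                // Register the vault as one more configuration provider.
                config.AddAzureKeyVault(secretClient, new KeyVaultSecretManager());
            });
    }

For this tutorial I’m using .NET 5. From .NET 6 onward the way program.cs and startup.cs work is slightly different, but you should still be able to use this syntax.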
Let’s try it out
If all went well you can now fetch the value of the test secret we created before in our code like this:

    var testSetting = Configuration["test"];

The variable should have topsecret as value.
We extended the existing configuration provider. Any setting we define in our keyvault can now be accessed in our .NET solution, either by using the syntax above or by using the options pattern.

    var apimOptions = Configuration.GetSection(ConfigurationKeys.Apim.RootSection).Get<ApimOptions>();

I’m not going to go into detail on the options pattern in this tutorial, but the code above would allow you to use typed settings.

If you want to configure objects with a hierarchy in your keyvault you have to use a double dash as a delimiter.
For example this JSON setting:

    "ConnectionStrings": {
        "MyDatabase": "connectionstring-o.azure.com"
    }

would become this in keyvault:

    ConnectionStrings--MyDatabase

By default there are many ways to configure settings for your app: the appsettings.json file, user secrets, environment variables... And now also the Azure keyvault! Note that .NET has a default order of loading in settings:
- appsettings.json
- appsettings.{Environment}.json
- secrets.json (if in Development environment specifically)
- Keyvault (added in this tutorial)
- Environment variables
- Command line arguments
You can read more about this in the Microsoft docs.

The latest one loaded in “wins” meaning: if you define a setting both in appsettings.json and your keyvault, the value defined in your keyvault will be used.
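
The double-dash mapping and the "last one wins" rule can be checked without a vault. The following is an added example, not code from the original tutorial: it uses two in-memory providers as constructed stand-ins for appsettings.json and the keyvault, assumes the Microsoft.Extensions.Configuration package is referenced, and the names ConfigPrecedenceDemo, ToConfigKey and WinningProvider are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Configuration;

public static class ConfigPrecedenceDemo
{
    // Same name mapping the keyvault provider applies by default: "--" becomes ":".
    static string ToConfigKey(string secretName) =>
        secretName.Replace("--", ConfigurationPath.KeyDelimiter);

    // Walk the providers from last registered to first; the first hit supplies the value in effect.
    static IConfigurationProvider WinningProvider(IConfigurationRoot root, string key) =>
        root.Providers.Reverse().FirstOrDefault(p => p.TryGet(key, out _));

    public static void Main()
    {
        // Constructed stand-in for appsettings.json.
        var appSettings = new Dictionary<string, string>
        {
            ["KeyVaultName"] = "mytestblog",
            ["ConnectionStrings:MyDatabase"] = "placeholder-from-appsettings",
        };
        // Constructed stand-in for the vault: secret name -> secret value.
        var vaultSecrets = new Dictionary<string, string>
        {
            ["test"] = "topsecret",
            ["ConnectionStrings--MyDatabase"] = "connectionstring-o.azure.com",
        };

        IConfigurationRoot config = new ConfigurationBuilder()
            .AddInMemoryCollection(appSettings)   // registered first
            .AddInMemoryCollection(               // registered last, so it overrides
                vaultSecrets.ToDictionary(s => ToConfigKey(s.Key), s => s.Value))
            .Build();

        var providers = config.Providers.ToList();
        foreach (var key in new[] { "test", "ConnectionStrings:MyDatabase", "KeyVaultName" })
        {
            // Report only where the value comes from; secret values stay out of the output.
            int index = providers.IndexOf(WinningProvider(config, key));
            Console.WriteLine($"{key} is supplied by provider #{index}");
        }
    }
}
```

The same WinningProvider walk works on the IConfigurationRoot of a real application, where it shows which registered provider a given secret is actually read from.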
I hope you found this article helpful :)
You can read more on the features of the keyvault configuration provider here






