One fine day you have a .NET Core 3.1 project that needs to run Key Vault. But if you keep reading the document and don’t understand, then read this article.
What is Azure Key Vault
Azure Key Vault is a service that stores keys and configs for websites. To increase security, often only keys with a key or password can be used, and its cost is not cheap. To use it is also very simple if you understand how it works.
Azure Key Vault does not have a config for you to integrate directly into the project, to use you must create an App Registration, and in Azure Key Vault you proceed to grant the App Registration permission to use. You use the App Registration config to configure the project.
The content of my article just gives how it works, but in terms of details and images, people click on the original link at the bottom of the post.
Sign up for Azure Key Vault
In Azure Portable -> Find Azure key vault proceed to fill in the required information to initialize.
Register app for keyvault
Look for ” App Registration ” in the list of apps for Azure. Proceed to create the App name, after success you will get the Application (client) ID ( This is the Client ID used for the keyvault later ) Go to Certificates & secrets to create the Client secret used for keyvault.
Generate secret keys for Azure Key Vault
In Azure Keyvault go to the Secrets tab , create the desired secrect keys, note if hierarchical type
1 2 3 4 | "RedisCache": { "ConnectionString": "localhost:6379, <a class="__cf_email__" href="/cdn-cgi/l/email-protection">[email protected]</a> @123,ssl=false,abortConnect=False" }, |
You create the key under: RedisCache – ConnectionString , for each nested level, you add – before each config name. When needed, you can go here to update the new config.
Attach Azure Key Vault to the App
Normally, Azure Keyvault does not have a config for you to configure in your project, but you must assign permission to another App to use Key Vault and use Client Id, and Secret key from that app to configure in project. On Azure Keyvault -> Access policies -> Add Access Policy
- Conduct additional permissions for the App Usually set is: get, set, list, delete In the principal proceed to select the App you created in App Registration above.
Configure Azure Key Vault on .NET Core 3.1
Install packages for .NET Core 3.1 project
Install the packages above to allow Project to load Azure keyvault
- Microsoft.Azure.KeyVault
- Microsoft.Extensions.Configuration.AzureKeyVault
Create config on appsettings.json
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | { "ConnectionStrings": { "DefaultConnection": "Data source=bookstore.db" }, "Logging": { "LogLevel": { "Default": "Information", "Microsoft": "Warning", "Microsoft.Hosting.Lifetime": "Information" } }, "KeyVault": { "Vault": "keyvault-dd", "ClientId": "4d1a3g60-dt7d-429w-a4p7-zbc4d2838d5e", "ClientSecret": "n1nrHDk4-ik_2L-vLvTVrd_7_shnd~BYP3" }, "AllowedHosts": "*" } |
Look at the keyvault’s config with the following information:
- Vault: The name of the Keyvault name in Azure Keyvault
- ClientID: The Client Id of the application associated with the keyvault ( App Registration )
- ClientID: Client secrect of the application associated with the keyvault ( App Registration )
Write load data from key vault for project
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 | public class Program { public static void Main(string[] args) { var configuration = new ConfigurationBuilder() .SetBasePath(Directory.GetCurrentDirectory()) .AddJsonFile("appsettings.json") .Build(); //Create the Serilog logger, and configure the sinks Log.Logger = new LoggerConfiguration() .MinimumLevel.Debug() .MinimumLevel.Override("Microsoft", LogEventLevel.Information) .Enrich.FromLogContext() .WriteTo.Console() .ReadFrom.Configuration(configuration) .CreateLogger(); // Wrap creating and running the host in a try-catch block try { Log.Information("Starting host"); CreateHostBuilder(args).Build().Run(); } catch (Exception ex) { Log.Fatal(ex, "Host terminated unexpectedly"); } finally { Log.CloseAndFlush(); } } public static IHostBuilder CreateHostBuilder(string[] args) => Host.CreateDefaultBuilder(args) .ConfigureAppConfiguration((context, config) => { var root = config.Build(); config.AddAzureKeyVault($"https://{root["KeyVault:Vault"]}.vault.azure.net/", root["KeyVault:ClientId"], root["KeyVault:ClientSecret"]); }) .UseSerilog() .ConfigureWebHostDefaults(webBuilder => { webBuilder.UseStartup<Startup>(); }); } |
Note the paragraph:
1 2 3 4 5 6 | .ConfigureAppConfiguration((context, config) => { var root = config.Build(); config.AddAzureKeyVault($"https://{root["KeyVault:Vault"]}.vault.azure.net/", root["KeyVault:ClientId"], root["KeyVault:ClientSecret"]); }) |
This paragraph will load the config of Azure Keyvault for you to use. When you need to call a used config key, the system will check that the keyvault will not be returned, otherwise the system will load from appsettings.json for you.
1 2 3 4 5 6 7 8 9 | private readonly IConfiguration _config; public UserRepositories(IConfiguration config) { _config = config; string mainUrl = _config["Links:Website"]; } |
Each time config calls use IConfiguration to get the corresponding key.
Conclude
- Using Azure Keyvault is not difficult, but you have not envisioned the configuration to get Client ID, Client Secret for the system.
- Not every key you use keyvault, that will make too many unnecessary keys, difficult to remember. Only used for keys related to encryption, passwords, important tokens.
- Azure Keyvault costs, for an individual user I recommend not to use because of the cost. If you try it out, don’t forget to delete the project if the test is complete, otherwise it will be charged.
Reference link: I have read through many tutorials or videos, I see the link below is full of information and easy to understand for your config. I have used the content in the link below
https://dotnetdetail.net/key-vault-secrets-in-asp-net-core-3-1/