Azure KeyVault your ASP.NET

Published on Friday, December 2, 2016

I am sure there are many projects with protected secrets and keys, and many more that should. One of the main hindrances of key protection is ease of use. Often teams skip over security features because of the time it would take away from building functionality.

With that I wanted to outline a very quick and easy way to start consuming secrets in a KeyVault store.

Note: The regular documentation for using KeyVault in an ASP.NET page can be found here.

Microsoft Extensions Configuration

Microsoft.Extensions.Configuration (GitHub) is a .NET Core project to help users manage configuration settings from a variety of sources. You can load JSON, XML, INI, and even Cmdline Args.

Fortunately the libraries target both .NETStandard 1.5 and .NETFramework 4.5.1, so they can be used in your existing ASP.NET projects.

Microsoft.Extensions.Configuration.AzureKeyVault (NuGet) adds a UseAzureKeyVault extension method to the base library.

Implementing this is very easy.

var builder = new ConfigurationBuilder();

builder.AddAzureKeyVault(
	ConfigurationManager.AppSettings["Vault"],
	ConfigurationManager.AppSettings["ClientId"],
	ConfigurationManager.AppSettings["ClientSecret"]);

config = builder.Build();

Then to access the secret.

config["ConnectionStringKey"];

Web.config

<add key="ClientId" value="" />
<add key="ClientSecret" value="" />
<add key="Vault" value="https://{name}.vault.azure.net" />

Where ClientId is the Guid for the Azure AD Application with authorized access to the Azure KeyVault. ClientSecret is the secret key generated by the AD Application for service level authentication.

More Details on KeyVault access setup here.

Resources