Reputation: 2283
Easiest way to share development secrets in aspnetcore application
I want to store a development-time secret somewhere outside of my code repository, that developers are able to use without any manual tasks. (As close to Build, Run, and it will just work).
The secrets have to be configured in the aspnetcore Configuration Builder like this:
var builder = new ConfigurationBuilder();
builder.AddJsonFile("appsettings.json";
builder.AddDevelopmentSecrets(...);
The official recommendation by the aspnetcore team seems to be to use the Secret Manager Tool. But this requires every developer to configure the secrets manually. For example, they'd have to run dotnet user-secrets set key value for every secret.
The 2nd thing I looked at was Azure KeyVault. This seemed ideal, because I'd only have to call builder.AddAzureKeyVault(...). The only problem is that I'd have to store the clientId and clientSecret to access the keyvault somewhere.
Ideally I want something that the AWS Toolkit for Visual Studio extension does. Once the extension is installed, you simply login with your AWS credentials and the extension simply injects your credentials into every official AWS call that is used.
Does Azure have anything like this? Something that allows me to inject (or access) my Azure credentials, so they can be used in the call to AddAzureKeyVault(...)? And if not, what's the closest solution that comes close to this?
Upvotes: 4
Views: 1387
Answers (2)
Reputation: 2283
To extend on @juunas his answer: Visual Studio 15.5 was just released which makes this even easier. If you've logged onto your Azure account from Visual Studio (and you have installed the currently in preview Azure Services Authentication Extension), Visual Studio will simply take care of the Azure KeyVault authentication.
You only need to specify the KeyVault url in launchSettings.json under the environement variables. No need for Azure CLI, or the AppAuthentication library.
This even works on the full .NET Framework, not just ASP.NET Core.
See:
- General: https://blogs.msdn.microsoft.com/visualstudio/2017/11/17/managing-secrets-securely-in-the-cloud/
- ASP.NET Core Example: https://github.com/CawaMS/aspnetcore-msi-keyvault
Upvotes: 3
Reputation: 58743
Azure AD Managed Service Identity can help here. The implementation based on my suggestion:
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
builder.AddAzureKeyVault("https://x.vault.azure.net/", keyVaultClient, new DefaultKeyVaultSecretManager());
Now you can sign in to the Azure CLI 2.0 and those credentials will be automatically used to access KeyVault.
You can read more about MSI here: https://joonasw.net/view/azure-ad-managed-service-identity
Upvotes: 3
Related Questions
- Using .Net Core User Secrets for a Team
- .NET Core secrets on a production server when not hosting on Azure
- Storing production secrets in ASP.NET Core
- Visual Studio 2019 Dot Net 5 how to store user secret for the entire solution
- How can I store production secrets like connection string in ASP.Net Core 3.1 application, hosted on a shared server
- What is the recommended solution for user secrets storage in ASP.NET core in non-Azure production environment?
- Why should I use User secrets only in the Development environment?
- How to store production secrets in an ASP.NET Core 2.0 using environment variables?
- asp.net secrets in PROD
- Workflow for User Secrets in .netcore?