Reputation: 837
I changed my appSettings.config to no longer have connection strings as they are now all in Azure Key Vault. I was able to connect no problem, but now when I try to create the db using EF code first migrations in a new azure db using:
    add-migration InitialCreate
I am getting the error:
    Value cannot be null.
    Parameter name: connectionString
Startup.cs
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        // Add functionality to inject IOptions<T>
        services.AddOptions();

        // Other configurations here such as for Blob and Notification hub
        //
        //
        services.AddDbContext<ObContext>(opt =>
            opt.UseSqlServer(Configuration["obdbqauser"]));
    }
My Program.cs looks like this
    public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // TODO: Separate dev and prod - if (context.HostingEnvironment.IsProduction())
                var buildConfig = config.Build();

                // Create Managed Service Identity token provider
                var tokenProvider = new AzureServiceTokenProvider();

                // Create the Key Vault client
                var keyVaultClient = new KeyVaultClient(
                    new KeyVaultClient.AuthenticationCallback(
                        tokenProvider.KeyVaultTokenCallback));

                config.AddAzureKeyVault(
                    $"https://{buildConfig["VaultName"]}.vault.azure.net/",
                    keyVaultClient,
                    new DefaultKeyVaultSecretManager());
            })
Upvotes: 0
Views: 2400
Reputation: 5294
Here is a sample for how you can configure Key Vault as a configuration source in ASP.NET Core 2.x:
    public static IWebHost BuildWebHost(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .UseStartup<Startup>()
            .ConfigureAppConfiguration((ctx, builder) =>
            {
                // Build the config from sources we have
                var config = builder.Build();
                // Add Key Vault to configuration pipeline
                builder.AddAzureKeyVault(config["KeyVault:BaseUrl"]);
            })
            .Build();
and a configuration would be like below:
    services.AddDbContext<dbContext>(options =>
    {
        var keyVaultUri = new Uri("https://xxxxxxxxx.vault.azure.net/");
        var azureServiceTokenProvider = new AzureServiceTokenProvider();
        var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
        // AddDbContext takes a synchronous Action, so block on the call; an async
        // lambda here would return before UseSqlServer runs.
        SecretBundle connectionStringSecret = keyVaultClient.GetSecretAsync(keyVaultUri + "secrets/DBConnectionString").GetAwaiter().GetResult();
        options.UseSqlServer(connectionStringSecret.Value);
    });
You'll need Microsoft.Extensions.Configuration.AzureKeyVault to get the configuration provider for Key Vault.
The secret naming in Key Vault will matter. For example, we will override the following connection string:
    {
      "ConnectionStrings": {
        "DefaultConnection": "..."
      }
    }
You would have to create a secret named ConnectionStrings--DefaultConnection with the connection string as the value.
Then while configuring you just use Configuration["ConnectionStrings:DefaultConnection"] to get the connection string. It'll come from Key Vault if Key Vault config was added and a secret with the right name was found.
For reference, please take a look at this link.
Hope it helps.
Upvotes: 1
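The secret-naming rule from the answer above, together with a guard for a lookup that returns null as in the question, as an added example that is not part of either post. It uses an in-memory dictionary as a constructed stand-in for the vault, and `ToConfigKey` and `RequireSecret` are hypothetical helper names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Configuration;

public static class KeyVaultNamingDemo
{
    // "--" in a Key Vault secret name becomes the ":" section delimiter of the
    // configuration key, which is the rule the answer describes.
    public static string ToConfigKey(string secretName) =>
        secretName.Replace("--", ConfigurationPath.KeyDelimiter);

    // Fail fast and name the missing key (never the secret value) instead of
    // passing null on to UseSqlServer.
    public static string RequireSecret(IConfiguration config, string key)
    {
        var value = config[key];
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException(
                $"Configuration key '{key}' is not set. Check that the Key Vault " +
                "provider was added and that a secret name maps to this key.");
        return value;
    }

    public static void Main()
    {
        // Constructed sample: secret name -> value, as they would sit in the vault.
        var vaultSecrets = new Dictionary<string, string>
        {
            ["ConnectionStrings--DefaultConnection"] = "Server=example;Database=demo;",
        };

        IConfiguration config = new ConfigurationBuilder()
            .AddInMemoryCollection(
                vaultSecrets.ToDictionary(kv => ToConfigKey(kv.Key), kv => kv.Value))
            .Build();

        // Found: the secret name maps to ConnectionStrings:DefaultConnection.
        var found = RequireSecret(config, "ConnectionStrings:DefaultConnection");
        Console.WriteLine($"Resolved a connection string of length {found.Length}");

        // Not found: no secret maps to this key, so the guard throws.
        try { RequireSecret(config, "obdbqauser"); }
        catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
    }
}
```

Calling a guard like this inside `ConfigureServices` makes a missing secret show up as a named configuration key rather than as a null `connectionString` parameter.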