Reputation: 460
I've been following this tutorial Azure Key Vault client library for .NET (v4) trying to learn about Key Vaults in desktop applications. I set up a Service Principal as instructed and gave it access to my Vault, and I was then successful in retrieving a secret using
var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
string secretName = "test";
KeyVaultSecret secret = client.GetSecret(secretName);
but only after saving my AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID as Environment Variables.
What I would like to know is, could these three keys be encrypted within the Environment Variables and still be decrypted via the DefaultAzureCredential() method?
Alternatively, could these keys be stored somewhere else, decrypted locally and THEN be passed into the DefaultAzureCredential() method?
I tried playing around with the DefaultAzureCredentialOptions() overload, but there was no option for passing in the client secret...
I also tried building the token credential object in code using the Fluent.Authentication NuGet and passing that into the SecretClient constructor, but I got the error message
cannot convert from 'Microsoft.Azure.Management.ResourceManager.Fluent.Authentication.AzureCredentials' to 'Azure.Core.TokenCredential'
Is what I'm trying to do even possible? Or does Microsoft assume that the Environment Variables are a secure enough location for storing the unencrypted client id + secret?
Upvotes: 4
Views: 7956
Reputation: 460
I was able to figure out the answer by going through Jim's documentation links: instead of the DefaultAzureCredential() method (which uses the Environment variables) I had to use ClientSecretCredential(), whose overload allows for specifying the tenantId, clientId and clientSecret:
var client = new SecretClient(new Uri(kvUri), new ClientSecretCredential(tenantId, clientId, clientSecret));
So now for additional security I can simply store these (encrypted) credentials on each dev machine's User Settings.
Upvotes: 8
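The approach the answer lands on, carried one step further as an added example (this is not code from the question, the answer, or the Azure SDK docs): the client secret is kept on the developer machine under Windows DPAPI (System.Security.Cryptography.ProtectedData, CurrentUser scope), decrypted only at startup, and handed to ClientSecretCredential explicitly, so neither the environment variables nor any settings file holds it in plain text. The file path, the tenant/client/vault placeholders and the package set (Azure.Identity, Azure.Security.KeyVault.Secrets, System.Security.Cryptography.ProtectedData) are assumptions; DPAPI is Windows-only.

```csharp
// Added example, not from the original post or the Azure SDK.
// Keeps the client secret DPAPI-protected on disk and decrypts it locally
// right before building ClientSecretCredential, instead of relying on
// DefaultAzureCredential reading AZURE_CLIENT_SECRET in clear text.
// Assumed NuGet packages: Azure.Identity, Azure.Security.KeyVault.Secrets,
// System.Security.Cryptography.ProtectedData (DPAPI, Windows only).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

static class ProtectedClientSecret
{
    // Hypothetical per-user location for the DPAPI-protected secret blob.
    static readonly string SecretPath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "MyApp", "kv-client-secret.bin");

    // One-time setup on each dev machine: protect the secret with the
    // current user's DPAPI master key. Only this user account on this
    // machine can unprotect it; copying the file elsewhere is useless.
    public static void Store(string clientSecret)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(clientSecret);
        byte[] protectedBytes = ProtectedData.Protect(
            plaintext, optionalEntropy: null, scope: DataProtectionScope.CurrentUser);
        Directory.CreateDirectory(Path.GetDirectoryName(SecretPath)!);
        File.WriteAllBytes(SecretPath, protectedBytes);
        Array.Clear(plaintext, 0, plaintext.Length); // do not leave the secret in memory
    }

    // Decrypt at runtime; the plaintext exists only long enough to build the credential.
    public static string Load()
    {
        byte[] protectedBytes = File.ReadAllBytes(SecretPath);
        byte[] plaintext = ProtectedData.Unprotect(
            protectedBytes, optionalEntropy: null, scope: DataProtectionScope.CurrentUser);
        try { return Encoding.UTF8.GetString(plaintext); }
        finally { Array.Clear(plaintext, 0, plaintext.Length); }
    }
}

static class Program
{
    static void Main()
    {
        // tenantId and clientId are identifiers, not secrets, so plain config
        // or environment variables are fine for them. Placeholder values here.
        string tenantId = "<tenant-id>";
        string clientId = "<client-id>";
        string kvUri = "https://<your-vault-name>.vault.azure.net/";

        // Local decryption, then explicit credential construction, exactly
        // the ClientSecretCredential overload the answer points at.
        string clientSecret = ProtectedClientSecret.Load();
        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);

        var client = new SecretClient(new Uri(kvUri), credential);
        KeyVaultSecret secret = client.GetSecret("test");
        Console.WriteLine($"Retrieved secret '{secret.Name}' ({secret.Value.Length} chars)");
    }
}
```

Run ProtectedClientSecret.Store(...) once per developer account (for instance from a small setup command), after which the application only ever calls Load(). Because the blob is bound to the user's DPAPI key, the useful check is that Unprotect fails with a CryptographicException when the file is opened under a different Windows account; that failure is the protection working, not a bug.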