Aferrercrafter

Reputation: 439

App Settings config section from Azure Key Vault

I'm implementing AAD authentication on a .NET 5 API with the new library Microsoft.Identity.Web. The library exposes a method that only accepts an IConfiguration with a section that looks like the one below in the app.settings.

Authentication method from Microsoft.Identity.Web in Startup.cs

public void ConfigureServices(IServiceCollection services)
{
    ...
    services.AddMicrosoftIdentityWebApiAuthentication(Configuration, "AzureAd");
    ...
}

app.settings.json

"AzureAd": {
    "Domain": "contoso.com",
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "00000000-0000-0000-0000-000000000000"
},

Now, the problem is, I'm using Azure to deploy this API, and of course all of these sensitive values are stored in Key Vault. So, I want to find a way of doing this:

services.AddMicrosoftIdentityWebApiAuthentication(new Configuration {
    Domain   = KeyVaultClient.GetSecret("domain"),
    Instance = KeyVaultClient.GetSecret("instance"),
    TenantId = KeyVaultClient.GetSecret("tenant"),
    ClientId = KeyVaultClient.GetSecret("client")
});

And at the same time, I can't find a way of creating this 'section' in Key Vault so that I'm able to do this:

services.AddMicrosoftIdentityWebApiAuthentication(KeyVaultClient.GetSecret("azureadconfig"));

How can I achieve one of these options, or how can I avoid depending on the app.settings if I have all my values in Key Vault?

EDIT NOTE

I have the Key Vault as a Configuration Provider, but I don't know how to return those values as a section, which is what the method is expecting.

Upvotes: 8

Views: 5214

Answers (2)

silent

Reputation: 16108

You can use double dashes in your Key Vault secret names and .NET will treat those as sections. secretname: Section--Itemname

Upvotes: 15

juunas

Reputation: 58723

First off, none of those values is exactly a secret. So they don't necessarily need to be in Key Vault.

But if you want them there anyway, you need to add the Key Vault as a configuration provider. Then Key Vault secrets will be available through IConfiguration like the settings from appsettings.json.

I wrote an article on the topic (using Managed Identity to connect to Key Vault too): https://joonasw.net/view/aspnet-core-azure-keyvault-msi.

Upvotes: 3
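
The two answers combined (double-dash secret names, loaded through a configuration provider), as an added example that is not code from either poster or from the library. The in-memory dictionary stands in for the vault with constructed values, `RequireKeys` is a hypothetical helper, and the vault URI in the comment is a placeholder.

```csharp
// Added example (not from the thread): simulates the Key Vault provider's name mapping offline.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Configuration;

public static class Program
{
    // Constructed sample data: secret names as they would be created in the vault.
    static readonly Dictionary<string, string> VaultSecrets = new Dictionary<string, string>
    {
        ["AzureAd--Domain"]   = "contoso.com",
        ["AzureAd--Instance"] = "https://login.microsoftonline.com/",
        ["AzureAd--TenantId"] = "00000000-0000-0000-0000-000000000000",
        ["AzureAd--ClientId"] = "00000000-0000-0000-0000-000000000000",
    };

    // Same mapping the provider applies by default: "--" becomes the ":" section delimiter.
    public static IConfiguration BuildConfiguration(IDictionary<string, string> secrets) =>
        new ConfigurationBuilder()
            .AddInMemoryCollection(secrets.ToDictionary(
                s => s.Key.Replace("--", ConfigurationPath.KeyDelimiter),
                s => s.Value))
            .Build();

    // Hypothetical helper: fail fast at startup if the section the auth library reads is incomplete.
    public static void RequireKeys(IConfigurationSection section, params string[] keys)
    {
        var missing = keys.Where(k => string.IsNullOrWhiteSpace(section[k])).ToArray();
        if (missing.Length > 0)
            throw new InvalidOperationException(
                $"Section '{section.Path}' is missing: {string.Join(", ", missing)}");
    }

    public static void Main()
    {
        // Real app: swap the simulation for Azure.Extensions.AspNetCore.Configuration.Secrets, e.g.
        //   config.AddAzureKeyVault(new Uri("https://<your-vault>.vault.azure.net/"), new DefaultAzureCredential());
        IConfiguration configuration = BuildConfiguration(VaultSecrets);
        IConfigurationSection azureAd = configuration.GetSection("AzureAd");
        RequireKeys(azureAd, "Instance", "TenantId", "ClientId");

        // This is the section AddMicrosoftIdentityWebApiAuthentication(configuration, "AzureAd") reads.
        foreach (var item in azureAd.GetChildren())
            Console.WriteLine($"{item.Path} = {item.Value}");
    }
}
```

With the real provider registered, `Startup.cs` keeps the original call unchanged, because the vault-backed keys surface under the same `AzureAd` section path as they would from the JSON file.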
