Azure KeyVault with .NET Core Web App – Part 1

When it comes to security you can never be too secure. Modern applications work with sensitive data, and it is more important than ever to make sure that credentials are well protected. When designing a web application I want to make sure that, for any sensitive data (API keys, passwords, connection strings), the following is true:

  • Sensitive data is not stored on developers’ machines
  • Sensitive data is not committed into the source control
  • Keys/passwords can be rotated frequently and it is easy to do so

Having developed in Azure, my choice is to use Azure KeyVault. I can store secrets there, it is secure, and it is easy to change keys without redeploying my applications or fiddling with app settings or any kind of database configuration table. I can set up my Azure KeyVault to trust my Web App by enabling Managed Identity on the Web App and adding the app to the Access Policy of the KeyVault; as long as the app and the vault live in the same subscription I am good to go.

When developing on localhost and needing to access secrets from the KeyVault, one option is to sign into Visual Studio with credentials that have permission to read KeyVault secrets, right-click your project, navigate to the Add menu and select “Connected Service”.

Another option is to use a self-signed certificate to access the KeyVault from your dev machine. I choose this approach because I sign into Visual Studio with different credentials from the ones I use for the Azure portal. In order to make it work I need to:

  • Create a self-signed certificate with a private and a public key
  • Install the certificate on the dev machine
  • Create an App Registration with the self-signed certificate as its credential
  • Create a Service Principal for the App Registration
  • Create an Azure KeyVault access policy that gives the Service Principal permission to read secrets
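The five steps above, carried out end to end with the Az PowerShell module, as an added example (this is not the post's own script, and the resource group, vault name, application name and secret value are placeholders to be replaced with your own):

```powershell
# Added example, not the post's own script. Assumes the Az module is installed,
# you are running on Windows (New-SelfSignedCertificate comes from the PKI module)
# and the placeholder names below have been replaced with your own.
$resourceGroup = 'rg-keyvault-demo'        # placeholder
$location      = 'westeurope'              # placeholder
$vaultName     = 'kv-demo-placeholder'     # placeholder, must be globally unique
$appName       = 'KeyVaultDevAccess'       # placeholder display name for the App Registration

# 1 + 2. Create a self-signed certificate directly in the current user's personal
#        store, which also installs it on the dev machine. The private key is
#        non-exportable so it never leaves this machine; a short lifetime forces
#        regular rotation of the credential.
$cert = New-SelfSignedCertificate -Subject "CN=$appName" `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable `
    -KeySpec Signature `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddMonths(6)

# Only the public certificate (no private key) is sent to Azure.
$certValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

Connect-AzAccount
$tenantId = (Get-AzContext).Tenant.Id

# 3. App Registration whose only credential is the certificate.
$app = New-AzADApplication -DisplayName $appName
New-AzADAppCredential -ApplicationId $app.AppId `
    -CertValue $certValue `
    -StartDate $cert.NotBefore `
    -EndDate   $cert.NotAfter | Out-Null

# 4. Service Principal for the App Registration.
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId
Start-Sleep -Seconds 20   # allow the new principal to propagate before referencing it

# 5. KeyVault (created here if it does not exist yet) and an access policy that
#    grants the service principal read-only access to secrets: Get and List only.
if (-not (Get-AzResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $resourceGroup -Location $location | Out-Null
}
if (-not (Get-AzKeyVault -VaultName $vaultName -ErrorAction SilentlyContinue)) {
    New-AzKeyVault -Name $vaultName -ResourceGroupName $resourceGroup -Location $location | Out-Null
}
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ObjectId $sp.Id `
    -PermissionsToSecrets Get, List

# Check: store a constructed test secret, then sign in as the service principal
# using nothing but the certificate thumbprint and read the secret back.
$testValue = ConvertTo-SecureString 'constructed-test-value' -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'DemoSecret' -SecretValue $testValue | Out-Null

Disconnect-AzAccount | Out-Null
Connect-AzAccount -ServicePrincipal `
    -ApplicationId $app.AppId `
    -TenantId $tenantId `
    -CertificateThumbprint $cert.Thumbprint | Out-Null

(Get-AzKeyVaultSecret -VaultName $vaultName -Name 'DemoSecret').Name
```

Two points worth checking before reusing this on a live vault: the access policy in step 5 only applies to vaults that use the access-policy permission model (a vault created with RBAC authorization enabled needs a role assignment instead), and the policy deliberately omits Set, Delete and Purge, so a compromised dev certificate can read but not alter or destroy secrets. Because the private key is non-exportable, a new certificate has to be created on each dev machine and registered as an additional credential on the same App Registration.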

Let’s visualise how it is going to work:

I will be doing it all in PowerShell, as I want to build my test environment and then replicate the same setup on live when it comes to moving it to production. This approach is also often referred to as Infrastructure as Code.

In this post I assume you already have a self-signed certificate installed on your machine.

Running the script above will create everything we need in Azure to start using Azure KeyVault in a .NET Core Web App. In the next post I will show how to read secrets from the KeyVault using C#.
