Introduction:
Incorporating Azure Key Vault with ASP.NET Core web applications represents a pivotal development in the protection of sensitive information and configuration details. As the landscape of cybersecurity threats continues to shift, the importance of securely managing application secrets, such as database connection strings, API keys, and certificates, has escalated. Azure Key Vault, offered by Microsoft Azure, delivers a secure and centralized solution for secret storage. This article is designed to navigate developers through the integration process of Azure Key Vault into an ASP.NET Core web application. We will delve into the advantages of leveraging Azure Key Vault, outline the necessary prerequisites for its integration, and offer a detailed guide to effectively embed this robust security mechanism into your ASP.NET Core initiatives, safeguarding your application’s secrets from unauthorized access and breaches.
Beyond integrating Azure Key Vault into an ASP.NET Core application, this article also covers handling identity and access for a service principal created with Microsoft Entra ID, using the RBAC approach for Azure Key Vault.

Create an ASP.NET Core web application
Create an ASP.NET Core MVC web application using Visual Studio or the .NET CLI. Refer to the document below and create an ASP.NET Core MVC application with .NET 8.
Get started with ASP.NET Core MVC | Microsoft Learn
Register an application in Microsoft Entra ID
To get a secret from Azure Key Vault, we need to register the application in Microsoft Entra ID so that the client can authenticate through the service principal. Service principal authentication can be done in two ways:
- Using ClientId and secret
- Using ClientId and Certificate
Register your application in Microsoft Entra ID and collect all client information, like Client ID and Client Secret.
Refer to the document below and complete the application registration process in Microsoft Entra ID.
After the registration, you will get the client ID and tenant ID information from the overview page.

From the Manage blade click on the Certificates & secrets option and create a new secret.

Create Azure Key Vault
Log in as a portal admin and create an Azure Key Vault. The quickstart document below covers creating an Azure Key Vault from the Azure portal.
Quickstart – Create an Azure Key Vault with the Azure portal | Microsoft Learn
After creating the Azure Key Vault, navigate to Access configuration under the Settings blade. Make sure the Permission mode is set to “Azure role-based access control”; this is a recommended model for accessing Azure Key Vault.
Add Azure Key Vault library in the application
Now, it’s time to get the secret from the Azure key vault through our ASP.NET Core web application.
There are two ways to manage access to Azure Key Vault resources from the ASP.NET Core web application, depending on its deployment model.
- On-Prem deployment/Dev Environment
- Cloud deployment
Dev Environment
Here I’m going to explain how to access Azure Key Vault from the dev environment. The same process also applies when you are planning to deploy the application on-prem.
Save your client ID, client secret, and tenant ID as environment variables.
Define your Key Vault Endpoint in the appsettings.json file.
Install the following NuGet packages:
- Azure.Identity
- Azure.Extensions.AspNetCore.Configuration.Secrets
Add the two lines of code below to the Program.cs file.

    using Azure.Identity;

    // Read the Key Vault endpoint from configuration and register the vault as a configuration source.
    Uri kvUri = new(builder.Configuration["AzureEndPoints:keyVaultName"]);
    builder.Configuration.AddAzureKeyVault(kvUri, new DefaultAzureCredential());

The kvUri variable gets the Key Vault endpoint from the appsettings.json file.
appsettings.json

    "AzureEndPoints": {
      "keyVaultName": "https://[key vault name].vault.azure.net"
    },

If you want to integrate Azure Key Vault, you need to authenticate with Microsoft Entra ID first.
Here we already created a service principal to authenticate the application and to access the key vault for the dev environment.
Note: It’s always recommended to use Azure Managed Identity, also called Azure Managed Service Identity, whenever you deploy the application in Azure, where we can skip the hurdle(s) of creating a service principal to authenticate the application.
.NET Core has built-in support for Azure Key Vault through the package Azure.Extensions.AspNetCore.Configuration.Secrets, which allows you to use it as a configuration provider.
DefaultAzureCredential is from the Azure.Identity library and is used to authenticate clients.
Learn more about its behavior here
By default, it tries Environment first; from there it checks for Workload Identity, Managed Identity, and so on.
For our development setup, we configure all our client credentials in the environment, so DefaultAzureCredential will use the environment to authenticate the application. Since we are in the dev environment, use the launchSettings.json file to configure the client credentials.
launchSettings.json

    "environmentVariables": {
      "ASPNETCORE_ENVIRONMENT": "Development",
      "AZURE_TENANT_ID": "[your tenant id]",
      "AZURE_CLIENT_ID": "[your app client id]",
      "AZURE_CLIENT_SECRET": "[your app client secret]"
    }

Add Role Assignment
Log in to the Azure portal and locate your Azure Key vault.
Select Access Control (IAM), click on Add -> Add role assignment, and select the role Key Vault Secrets User. This is the least privileged role that allows applications to retrieve secrets from Azure Key Vault. It doesn’t grant write access to the secret.

Under the Members tab, select the service principal (Entra ID application); in my case, it is Azure-keyVault-App. Skip the Conditions step and click Review + assign.
Add some secrets manually using the Azure portal, and make sure you have at least the “Key Vault Secrets Officer” role to perform any action on the secrets.
In my case, I manually added a secret called “TestSecret”, and I’m trying to access the value of this secret from the ASP.NET Core application.
Get the secret from Azure Key Vault
Let’s jump into our ASP.NET Core web application. Go to your HomeController, inject IConfiguration in the constructor, and access it in your action. The updated Home constructor and Index action are given below.

    private readonly ILogger<HomeController> _logger;
    private readonly IConfiguration _configuration;

    public HomeController(ILogger<HomeController> logger, IConfiguration configuration)
    {
        _logger = logger;
        _configuration = configuration;
    }

    public IActionResult Index()
    {
        // "TestSecret" is the secret name in Key Vault, exposed here as a configuration key.
        ViewData["keyvaultvalue"] = _configuration["TestSecret"];
        return View();
    }

In the Home Index view, display the value:

    <label>Azure KeyVault value: @ViewData["keyvaultvalue"]</label>

Now, run your application and in the Home Index view, the secret value will be rendered.
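The following Program.cs is an added example, not code from the original article. It validates the endpoint from appsettings.json before any token is requested, pins one credential type per deployment model instead of walking the full DefaultAzureCredential chain, and fails at startup if TestSecret did not load. It assumes a public-cloud vault, that every non-Development environment runs in Azure with a managed identity, and a 15-minute reload interval chosen for illustration.

```csharp
// Program.cs: added example, not the article's own code.
using Azure.Core;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();

// Validate the endpoint before an access token is ever sent to it.
// Assumption: public-cloud vault, so the host must end in .vault.azure.net.
string? endpoint = builder.Configuration["AzureEndPoints:keyVaultName"];
if (!Uri.TryCreate(endpoint, UriKind.Absolute, out Uri? kvUri)
    || kvUri.Scheme != Uri.UriSchemeHttps
    || !kvUri.Host.EndsWith(".vault.azure.net", StringComparison.OrdinalIgnoreCase))
{
    throw new InvalidOperationException(
        "AzureEndPoints:keyVaultName must be an https://<name>.vault.azure.net URI.");
}

// Development: service principal read from AZURE_TENANT_ID, AZURE_CLIENT_ID
// and AZURE_CLIENT_SECRET (the launchSettings.json values).
// Otherwise (assumed Azure-hosted): managed identity, no client secret at all.
// An on-prem production deployment would keep EnvironmentCredential.
TokenCredential credential = builder.Environment.IsDevelopment()
    ? new EnvironmentCredential()
    : new ManagedIdentityCredential();

// With WebApplicationBuilder the vault is read as soon as the source is added,
// so a wrong credential or a missing role assignment throws on this call.
builder.Configuration.AddAzureKeyVault(kvUri, credential,
    new AzureKeyVaultConfigurationOptions
    {
        // Pick up rotated secret values without restarting the app.
        ReloadInterval = TimeSpan.FromMinutes(15) // assumed interval
    });

// Fail fast if the vault was reachable but the expected secret is absent.
if (string.IsNullOrEmpty(builder.Configuration["TestSecret"]))
{
    throw new InvalidOperationException(
        "Secret 'TestSecret' was not loaded from Key Vault.");
}

var app = builder.Build();
app.UseStaticFiles();
app.UseRouting();
app.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
app.Run();
```

The managed identity needs the same Key Vault Secrets User role assignment as the service principal. Because launchSettings.json then holds a live client secret, keep that file out of source control.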
Summary
We have seen how to integrate the Azure Key Vault with the ASP.NET Core application, and more on the Identity and access area, where we covered how to authenticate the application with Microsoft Entra ID to access the Azure Key Vault from the dev environment using the client credentials and proper role assignments.