Azure Key Vault integration with .NET Web App using Managed Identity

Umakant Jadhav · Published in Globant · 9 min read · Jul 24, 2023
Azure Key Vault

In this article, I will explain how to secure secrets, passwords, connection strings, etc., using Azure Key Vault, and how to integrate that key vault into a .NET web API application using a managed identity to access the securely stored credentials. So let's begin with what an Azure key vault is and why we need it.

What is Azure key vault, and why would we need it?

Secrets are anything you want to control access to, like client secrets, API keys, passwords, certificates, or cryptographic keys. Nowadays (for various reasons) everyone wants to store secrets securely, where no unauthorized entity can access them. It becomes more challenging when we have to manage secrets in the cloud. That's where Azure Key Vault comes to the rescue. It is one of the most popular Azure offerings for storing secrets and credentials much more securely.

We should not store our secrets and credentials in the config file, because everyone who can read the file can read them, and they also end up committed in the repository. We should store them securely instead.

How to access it?

To perform any operations with the key vault, or if you want to access it in your application, you need to be authenticated first. This can be achieved in three ways.

  1. Managed Identity
  2. Using a service principal and a certificate.
  3. Using a service principal and a secret.

In this article, we will see how we can connect to the Azure key vault from a web app using Managed Identity, the latest, most popular, and easiest way to access secrets from the key vault without writing a lot of code.

The prerequisites are:

  1. .NET 6 (I have used .NET 6, but you can use .NET core 5 or .NET core 3.1)
  2. Azure key vault created in Azure portal.
  3. Web app created in an Azure portal where we will deploy our code.
  4. Visual Studio 2022 (You can use 2019 also for earlier .NET core versions).

Access secrets from a web app using the managed identity

Managed identity is a concept in the Microsoft Azure cloud that eliminates the need for developers to manage credentials after deploying their applications. With managed identity, we can access different Azure services securely without storing credentials like connection strings or passwords.

There are two types of managed identities.

  1. System assigned — it is created as a part of an Azure resource like an Azure app service or a virtual machine. When we delete the resource, the related managed identity is also deleted, which means it shares the resource's life cycle.
  2. User-assigned managed identity — created as a stand-alone Azure resource that does not share a life cycle with any other resource and has to be explicitly deleted.

We will use a system-assigned managed identity for this article/implementation. Let's begin by creating a web app to host our web API created with .NET 6.

Create a Web app in the Azure portal

  1. Navigate to the Azure portal's home page and click Create Resource from the left menu.

Create a web app in the Azure portal

  2. From the list, select Web app.

Selecting a web app to create

  3. As shown in the screen below, provide the details.

  • Subscription
  • Resource group
  • Name — the name of the web app, which should be unique
  • Publish — select 'Code' as we will publish our code on the web app.
  • Runtime stack — .NET 6 LTS
  • Operating system — Windows
  • Region — Central US (you can choose another region if you want).

Provide the details as shown below.

Form to create web app service in Azure

Enable Azure Managed Identity

Now that we have created a web app in Azure, let's enable managed identity for that web app.

Enable system identity for web app

As shown in the screen above:

  • Go to the created web app and navigate to the Identity section from the left menu under Settings. You will see the System assigned and User assigned tabs. Select System assigned and toggle the Status button to 'On'.
  • Once you enable the managed identity, you will see the Object ID on the screen above; copy it, as we will need it for granting access to the key vault.

Create Azure key vault

As with the web app, when we click the Create resource button, we will see the Key Vault option below.

Create Azure key vault

Create the key vault by providing the details.

Form to create an Azure key vault

Once you create a key vault, you will get a key vault URI, which will be used to integrate the key vault into the web app.

Azure key vault overview dashboard with URI

We have now created a web app, its managed identity, and an Azure key vault. The next step is to grant the web app access to the Azure key vault using an access policy.

Grant access to the secret

From the left menu of the Key Vault page, select Access Policies, and then click Create, as shown in the following picture:

Creating an access policy for the Azure key vault
Options for creating access policy for Azure key vault
  • From the 'Configure from template' dropdown, select the 'Key, Secret & Certificate management' option.
  • Then select Get and List as shown above. These two secret permissions are all the web app needs: they allow it to list and read the secret values stored in the Azure Key Vault instance.
  • Click Next, and you will see the 'Principal' tab; in the search box, enter the object ID of the web app's managed identity. Once you enter the object ID, the web app name will be displayed; select it as shown below.
Select the service to grant access to the Azure key vault

Click Next, Next, and finally Create. This creates an access policy for the key vault, which means the web app can now access the key vault secrets using its managed identity.

Adding an access policy means we are giving a particular principal access to the key vault. We can add a policy for an individual user, a group of users, an Azure AD application, etc.

Now we have created all the necessary pieces: the web application, the managed identity of the web application, the Azure key vault, and the access policy for the key vault. Let's write the code to access the secrets in our application.

NOTE: Since we are using a managed identity to access the key vault, we will only be able to read the vault secrets after we deploy our code to the Azure app service. Locally, we cannot access it using the managed identity, because the identity only exists inside Azure. So with this approach, if you want to access secrets locally, I suggest using user secrets, which will allow you to read secrets on localhost. We will also see how we can use user secrets locally.

Code setup

Create web API project using .NET 6.

Create a new web API application.

We need to install the following NuGet packages for the web API application to work with Azure key vault:

  • Azure.Extensions.AspNetCore.Configuration.Secrets
  • Azure.Identity

Download and install the required NuGet packages

Place key vault URI in the config file:

Configure Azure key vault in JSON file of API application

Configure the key vault in Program.cs file:

Configuring Azure key vault in Program.cs file

I have set the IsLocal key to true because we are using a managed identity, which cannot be configured locally, so without a local check the key vault configuration would throw an exception at startup. In the real world, we would have separate JSON files: one used on the server and one used locally only.

For this blog, since we only use one file, we will change the flag to false when we want to deploy our code. Now we have all the configuration needed to access the key vault's secrets.
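The Program.cs wiring described above, as an added example (not the author's code from the screenshot). It assumes the key vault URI is stored under an appsettings key named KeyVault:Uri and the local switch under IsLocal; both names are assumptions.

```csharp
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);

// Assumed appsettings.json shape (names chosen for this example):
//   "KeyVault": { "Uri": "https://<your-vault-name>.vault.azure.net/" },
//   "IsLocal": true
bool isLocal = builder.Configuration.GetValue<bool>("IsLocal");

if (!isLocal)
{
    // Only wire up Key Vault on Azure; locally the managed identity does not exist,
    // so the provider would fail while fetching a token and crash startup.
    var vaultUri = new Uri(builder.Configuration["KeyVault:Uri"]
        ?? throw new InvalidOperationException("KeyVault:Uri is not configured"));

    // ManagedIdentityCredential uses only the App Service system-assigned identity,
    // so no client secret or certificate is stored anywhere in the app.
    builder.Configuration.AddAzureKeyVault(vaultUri, new ManagedIdentityCredential());
}

builder.Services.AddControllers();

var app = builder.Build();
app.MapControllers();
app.Run();
```

When IsLocal is true, the same configuration keys (for example AppSecret) are served from secrets.json by the user-secrets provider that the default builder already registers in Development.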

Let's create one secret in the key vault. Now we have one secret, named AppSecret, created in the Azure key vault.

Secrets in the Azure key vault

The secret above is created in the Azure portal. But locally we will not be able to access it using the managed identity, so we will use a user secret for local use. Let's create a secret with the same name but a different value in the user secrets.

To use user secrets, right-click on the project name and select Manage User Secrets; it will open the secrets.json file. Then create the secret in that file as shown below:

Store the secrets locally using the Secret manager

We have already configured the key vault in the Program.cs file using the vault URI.

Let's create one controller and try to access the secret using IConfiguration.

Sample API to test the secret is coming.

Here we have created KeyVaultController with one action method that reads the AppSecret value. Let's run it and invoke the action method using Postman. Since it is running locally, it should return the value from secrets.json: "This is stored in local".

API result for local run

Now, let's deploy our code to the app service web app and see what it returns.

Please note that we must change the IsLocal flag to false before deployment so that the deployed app registers the key vault configuration provider.

After deploying our code, let's call the API endpoint from Postman and see what it returns.

API result for Azure key vault after deploying API to server

We can see that our endpoint is fetching and returning the value from the key vault for the key 'AppSecret'.

Now, let's see what happens if we have a model, want to store it in the key vault, and access it from the web app.

NOTE: locally, set the IsLocal value to true, and before deploying the code, please change it to false.

Let's create a model in the secrets.json file as below.

Nested model for storing secrets on local

We have created a model AppModel with properties Child1 and Child2. Let's try to access those locally.

Sample API to fetch the secrets stored in the nested model

We have created one action method with the route "api/keyvault/appmodel". Let's invoke the local endpoint with Postman and see what it returns.

API result on the local run for nested model

We can see that it is returning the values from the secrets.json file locally. Let's create the same secret in the Azure key vault with the same name but different values.

Since we have a model with properties here, to create such secrets in the key vault we have to name each secret with the model name and the property name separated by a double hyphen (double dash), for example AppModel--Child1, as shown below. Key vault secret names cannot contain a colon, so the Key Vault configuration provider translates the double hyphen into the ':' separator that .NET configuration uses for nested keys.
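The controller for both endpoints described above (the single AppSecret value and the nested AppModel), as an added example rather than the author's code from the screenshots. The AppModel class and the exact action names are assumptions; the routes follow the ones given on the page.

```csharp
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

// Assumed model matching the nested secret structure used on the page.
public class AppModel
{
    public string? Child1 { get; set; }
    public string? Child2 { get; set; }
}

[ApiController]
[Route("api/[controller]")]
public class KeyVaultController : ControllerBase
{
    private readonly IConfiguration _configuration;

    public KeyVaultController(IConfiguration configuration)
    {
        _configuration = configuration;
    }

    // GET api/keyvault
    // Locally "AppSecret" comes from secrets.json; on App Service the Key Vault
    // provider supplies the secret of the same name. Echoing a secret back to the
    // caller is only for this walkthrough; a real endpoint would use it internally.
    [HttpGet]
    public IActionResult GetAppSecret()
    {
        var value = _configuration["AppSecret"];
        return value is null ? NotFound("AppSecret is not configured") : Ok(value);
    }

    // GET api/keyvault/appmodel
    // The vault secrets "AppModel--Child1" and "AppModel--Child2" surface as the
    // configuration keys "AppModel:Child1" and "AppModel:Child2", so the same
    // section binding works against secrets.json locally and the vault in Azure.
    [HttpGet("appmodel")]
    public IActionResult GetAppModel()
    {
        var model = _configuration.GetSection("AppModel").Get<AppModel>();
        return model is null ? NotFound("AppModel is not configured") : Ok(model);
    }
}
```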

Storing secrets in the Azure key vault for nested model

We have created the two secrets we need.

Let's deploy our code and invoke the API endpoint using Postman and see what it returns:

API result after fetching secrets from the key vault for nested model

We can see that the deployed endpoint returns the secret values from the key vault.

Conclusion

We have successfully created a web app to host the web API and a key vault to store our secrets and credentials, and we have integrated the Azure key vault into our web API using a managed identity.

Thanks for your time; I hope you enjoyed this article and understood all the steps.

Happy Learning!
