Using Key Vault to Securely Store All Configuration — Including Secrets for Azure Functions V2 and Web API

Chris Langston
Hitachi Solutions Braintrust
Jun 2, 2019

Standardize on a Strategy for Storing Your Configuration for Azure Applications and Services

Azure Key Vault

When using .NET Core 2.0 or higher to build Web APIs or V2 Azure Functions, you often need to connect to Azure services such as Cosmos NoSQL DBs, SQL Server Relational Databases, Azure Storage Accounts, Enterprise Service Bus, etc. — all of which usually require some type of connection string or authorization key.

Where should you store these configurations so they are secure?

Use Azure Key Vault to securely store all Configuration for Azure Functions V2 and Web API, not only secrets.

The .NET Core and Azure teams have created seamless ways to accomplish this using the .NET Core SDK and Azure Key Vault.

To make this all come together for .NET Core applications, a well thought-out and cleanly crafted Configuration concept was created for .NET Core.

The Options pattern created by the team extends the configuration concept by using classes to represent groups of related settings. Following the IOptions<T> style of configuration, you can create classes that model your configuration the way you want it structured.

Use the following as an example when setting up Configuration to a Cosmos NoSQL Database:

Sample Configuration Class for Cosmos Database

The only Property from this class that absolutely should be securely stored is the “AuthorizationKey.” We should use “Key Vault” to store this value.

Where Do You Store Your Other Configuration?

Now you have to ask yourself, should I store the remainder of the properties in the AppSettings for the WebAPI or Azure Function?

I recommend that, as a standard practice, you go ahead and put “all” your settings in Azure Key Vault. This way you don’t have to always be asking yourself, “Is this in the AppSettings or in Key Vault?”

This will also simplify your eventual DevOps deployment strategy, knowing you put all your configurations in one place.

In a follow-up article, I’ll show how you can configure Azure Functions V2 to use Key Vault leveraging Dependency Injection to pull your configuration.

This will be set up in such a way that when developing locally you can pull the settings from an “appsettings.{Development}.json” file. Later, when you deploy your Azure Function or your Web API App Service to Azure, you will pull the settings from Key Vault.
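The local-file-versus-Key-Vault split described above, shown for an ASP.NET Core 2.x Web API as an added example that is not the author's code. Only the `AuthorizationKey` property comes from the article; the other property names, the `CosmosDb` section name and the `KeyVaultName` setting are assumptions made for illustration.

```csharp
// Added example, not the author's code. Only AuthorizationKey is named on the page;
// the other property names, the "CosmosDb" section and "KeyVaultName" are assumptions.
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;
using Microsoft.Extensions.DependencyInjection;

public class CosmosDbOptions
{
    public string Endpoint { get; set; }          // assumed property name
    public string DatabaseId { get; set; }        // assumed property name
    public string AuthorizationKey { get; set; }  // the secret named in the article
}

public class Program
{
    public static void Main(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // Local development: appsettings.Development.json is already loaded.
                if (context.HostingEnvironment.IsDevelopment()) return;

                // Deployed: AzureServiceTokenProvider uses the app's managed identity.
                // A secret named "CosmosDb--AuthorizationKey" binds to "CosmosDb:AuthorizationKey".
                var vaultName = config.Build()["KeyVaultName"]; // not a secret; set as an app setting
                var tokenProvider = new AzureServiceTokenProvider();
                var client = new KeyVaultClient(
                    new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));
                config.AddAzureKeyVault($"https://{vaultName}.vault.azure.net/", client, new DefaultKeyVaultSecretManager());
            })
            .UseStartup<Startup>().Build().Run();
}

public class Startup
{
    private readonly IConfiguration _configuration;
    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // Bind the section once; consumers inject IOptions<CosmosDbOptions>.
        services.Configure<CosmosDbOptions>(_configuration.GetSection("CosmosDb"));
        services.AddMvc();
    }
    public void Configure(IApplicationBuilder app) => app.UseMvc();
}
```

The Key Vault configuration provider needs only the Get and List secret permissions, so the app's identity should be granted nothing beyond those on the vault.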

To read an article I wrote on Using Dependency Injection for Azure Function V2, please visit this link:

Additional Resources:
