Azure Key Vault + Azure Managed Identity + Azure App Service

Why Not Secure Your Keys and Secrets? Asp Net Core with Azure Key Vault Integration

Sibeesh Venu
Nov 18

Why not secure your keys and secrets in your application, if you can do it in a few minutes? If this question makes you think at least for a minute, then don’t think more, just do it.

Image: Azure Managed identity

Here in this post, we will secure our connection string and use it in our application. Sounds good? Then, let’s start.

Prerequisites

  • Azure Key Vault
  • Azure App Service
  • Asp Net Core
  • C#

Please remember that you need a valid Azure subscription. If you are looking to secure your Azure Function app settings, read my post here.

Build an Asp Net Core Web App

Now, what are Managed Identities in Azure?

There are two types of Managed Identities.

  • System-assigned
  • User-assigned

A System-assigned managed identity is tied to the Azure resource on which you enable it. This means that when you delete the resource, the identity is deleted automatically as well. Only some Azure resources support this identity type.

A User-assigned identity is created as a standalone Azure resource. The advantage of doing so is that we can assign this identity to any resources we need, and it is not tied to any of them. Thus, deleting a resource will not delete the identity. The following image explains when you can use a managed identity.

Image: azure managed identity

In our case, we need to get the secrets from our Key Vault and use the same in our Azure App service, thus I am going to use the System-assigned managed identity. I am sure, you know why.

Update the Appsetting

Now, let’s configure our app to use the values from the Azure Key Vault. Go to the “Program.cs” file and update the method CreateHostBuilder as follows.

As you can see in the above code, we create an instance of “AzureServiceTokenProvider” without a connection string, and the provider will get an access token from the managed identity. Now let’s go to our Startup class and add the following code in the ConfigureServices method.

// Register the DbContext; the connection string comes from configuration,
// which in Azure is populated from Key Vault by the provider added in Program.cs.
services.AddDbContext<TenantContext>(options =>
    options.UseSqlServer(Configuration["DefaultConnection"],
        action => action.MigrationsAssembly(typeof(TenantContext).Assembly.FullName)));
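The Program.cs wiring referred to above is not reproduced on this page. The following is an added example (not the author’s code) showing the complete pattern the post describes: in Development the user-secrets provider that CreateDefaultBuilder already registers supplies the connection string, while in any other environment the Key Vault configuration provider is added, authenticating through AzureServiceTokenProvider with no connection string so that the App Service’s system-assigned managed identity is used. It assumes the NuGet packages Microsoft.Azure.KeyVault, Microsoft.Azure.Services.AppAuthentication, Microsoft.Extensions.Configuration.AzureKeyVault and Microsoft.EntityFrameworkCore.SqlServer, a non-secret app setting named KeyVaultName, and a hypothetical TenantContext (the name used in the post). Two practical points are built in: a secret named DefaultConnection maps to Configuration["DefaultConnection"] (DefaultKeyVaultSecretManager turns “--” in a secret name into “:”), and the provider only needs the Get and List secret permissions on the access policy, so nothing more should be granted to the identity.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

// Hypothetical DbContext, named as in the post.
public class TenantContext : DbContext
{
    public TenantContext(DbContextOptions<TenantContext> options) : base(options) { }
}

public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // In Development, CreateDefaultBuilder has already added the
                // user-secrets provider (secrets.json), so Key Vault is skipped.
                if (context.HostingEnvironment.IsDevelopment())
                {
                    return;
                }

                // "KeyVaultName" is an assumed non-secret setting (appsettings.json
                // or App Service configuration); only the vault name is needed.
                var builtConfig = config.Build();
                var vaultName = builtConfig["KeyVaultName"]
                    ?? throw new InvalidOperationException("KeyVaultName is not configured.");

                // No connection string: on App Service the provider obtains the
                // token from the system-assigned managed identity.
                var tokenProvider = new AzureServiceTokenProvider();
                var keyVaultClient = new KeyVaultClient(
                    new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

                // Secrets are loaded at startup and exposed as configuration keys.
                // A secret named "DefaultConnection" becomes Configuration["DefaultConnection"];
                // "ConnectionStrings--DefaultConnection" would become "ConnectionStrings:DefaultConnection".
                config.AddAzureKeyVault(
                    $"https://{vaultName}.vault.azure.net/",
                    keyVaultClient,
                    new DefaultKeyVaultSecretManager());
            })
            .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
}

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Fail fast with an actionable message instead of EF Core's
        // "Value cannot be null" when the secret could not be read.
        var connectionString = Configuration["DefaultConnection"];
        if (string.IsNullOrWhiteSpace(connectionString))
        {
            throw new InvalidOperationException(
                "DefaultConnection is missing from configuration. In Azure, check that the " +
                "managed identity is enabled and the Key Vault access policy grants Get/List on secrets; " +
                "locally, check secrets.json.");
        }

        services.AddDbContext<TenantContext>(options =>
            options.UseSqlServer(connectionString,
                action => action.MigrationsAssembly(typeof(TenantContext).Assembly.FullName)));

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

Because the Key Vault provider is only registered outside Development, a machine without a managed identity never tries to reach the vault, and the explicit null check turns a vague startup failure into a message that points at the access policy or the identity, which is where the problem almost always is.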

That’s all. Now if you run this application you will get an error saying “Value cannot be null”. Remember that we have not created the Azure resources yet.

Configure Azure App Service and Azure Key Vault

An application deployed to Azure App Service is automatically registered with Azure AD when the service is created. Let’s go to the Identity panel of the Azure App Service that you have created and enable the System-assigned managed identity.

Image: enable system-assigned managed identity

Please note that once you click on the Save button, the App Service will be registered with Azure Active Directory and can be granted permission to access resources protected by Azure AD. Now, get the object ID from the screen and make a note of it, as we will be using it in a while.

Image: get the object id from system-assigned managed identity

Now, go to the Azure Key Vault you have created and click on the “Access policies” from the left side pane, and click on the “+Add Access Policy”.

Image: add key vault access policy

From the next screen, select the items as in the following image. Please note that you can choose the permissions that you want to set. In the “Select Principal” screen, search for the object ID of our App Service. Select the item and click Select. This is how your screen may look.

Image: add a policy with app service object id

Click on the Add button. The policy will be added. Please do not forget to click on the Save button on the next screen.

Image: save policy key vault

Do not forget to restart the Azure App Service; this is important. Now go ahead and publish your Asp Net Core application to your Azure App Service. You can use the Visual Studio Publish option or an Azure DevOps pipeline. If you choose the second option, read my detailed article about it here.

That’s it. Well done. We now have a running application in Azure App Service that fetches the secrets from Azure Key Vault and uses them. But will it work in the development environment? No, that requires a few more steps.

Secret Storage for Development Environment

dotnet user-secrets init

This will produce the output below.

Image: init secret storage

Now, if you check the content of your “.csproj” file, you will see that a new property has been added to the property group, with a GUID as its value.

<UserSecretsId>cbc82397-befe-4fce-885d-d355bf89ef45</UserSecretsId>

Right-click on your project and click on Manage User Secrets. This will show a “secrets.json” file, and this is where we are going to add all of our secrets, shh don’t say this to anyone. The file is located under “C:\Users\SibeeshVenu\AppData\Roaming\Microsoft\UserSecrets”. We can edit our secrets.json file with the connection string; this is how your file may look.

{
  "DefaultConnection": "yourconnectionstring"
}

Save the file and run your application; it should work as it is. The user-secrets configuration source is added automatically in the development environment. Just look at the providers in the Configuration object now.

Image: configuration provider for secrets

You can do many other things with this tool; I strongly recommend reading this post to learn more.

Conclusion

You can also read this post on my blog here.

About the Author

Your turn. What do you think?

Kindest Regards

Sibeesh Venu

The Startup

Medium's largest active publication, followed by +734K people. Follow to join our community.

Sibeesh Venu

Written by

An engineer by profession and writer by passion. Microsoft MVP, Author, Blogger. sibeeshpassion.com, youtube.com/sibeeshPassion, youtube.com/njanorumalayali
