Secure sensitive data in .NET 6.

Praveen Desai
Version 1
4 min read · Oct 13, 2022

As developers, we constantly face the challenge of handling sensitive configuration data in our code, such as connection strings, application secrets and certificates. Best practice recommends not storing such data in source code, so we must find a way to protect these secrets and still use them whenever they are required.
Azure provides the Key Vault service to store such secrets securely. Key Vault acts as a vault store for our secrets, so sensitive data need not be hard-coded in our code base.


In this article, we will demonstrate how to secure connection strings in Key Vault and retrieve them from a Web API, both in the Development and the Production environment. Similar steps can be used to secure other sensitive data.
In this article we will use the following:
· Visual Studio 2022
· .NET Core Web API
· Azure Key Vault
· User Secrets
· Azure Windows Web App
If you want to follow along, you will need access to an active Azure subscription.

Step 1: Create an Azure Key Vault on Azure

How to create an Azure Key Vault is beyond the scope of this article. We assume you already have an active Azure subscription and a Key Vault in place.

If you need the steps to create a Key Vault, follow the Creating Key Vault link.

Step 2: Enable Managed Identities for Azure Web App

We assume that you have an existing Azure Web App. Enable a managed identity for it as illustrated below, so that the web app can authenticate to Azure Key Vault without any stored credentials.

Please make a note of the Object ID of the web app's managed identity; it will be used later to assign permissions on the Azure Key Vault.

Step 3: Grant permission to the Azure Key Vault

The next step is to configure an access policy for the managed identity in Azure Key Vault. Go to the Azure Key Vault resource, open the Access Policies tab and click Add Access Policy, then select the web app's identity by the Object ID noted above. Grant only the secret permissions the application actually needs (Get, and List if required).

Step 4: Create a secret in Azure Key Vault

Click on Secrets under Settings. In the following image, we have created a secret with the name “amoa-db-connectionstring” and set its value to the actual connection string.

Now, we are ready to access secrets from our application.

Step 5: NuGet Packages

After creating a standard ASP.NET Core Web API targeting .NET 6, you will need to install the following NuGet packages to work with Azure Key Vault:
· Azure.Identity
· Azure.Security.KeyVault.Secrets
· Microsoft.Extensions.Configuration.AzureKeyVault

Step 6: Secure data in different environments

Now let us see how to access the secrets in the different environments.

Development:

An app registration in Azure AD is required to access the Key Vault from the development environment, because the managed identity from Step 2 exists only in Azure.

Complete the app registration following the steps in the link and note the Client Id and Client Secret values. Grant this app registration its own access policy on the Key Vault, as in Step 3.

Create a secrets.json file for the API / Web App project as below.

Right-click on the project and choose the Manage User Secrets option as shown below:

Add the following keys to secrets.json; they are required to retrieve values from the Key Vault. Because user secrets live outside the project folder, none of these values end up in source control.

· kvUrl: the Key Vault URL

· tenantId: the tenant ID of the subscription

· clientId: the client ID issued once the app registration is completed

· ClientSecret: the client secret created in the app registration

Make use of SecretClient to read the secret values from Key Vault.

The connection string stored as “amoa-db-connectionstring” in Key Vault is read at startup and added to the application configuration.

With the above changes, there is no need to store the connection string in the appsettings.json file.
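As an added example (not the article's own code), the following .NET 6 Program.cs ties the Development flow together: it reads the four user-secret keys listed above, uses SecretClient to fetch “amoa-db-connectionstring”, and exposes it through IConfiguration. The configuration key `ConnectionStrings:AmoaDb` and the health endpoint are assumptions of this example.

```csharp
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var builder = WebApplication.CreateBuilder(args);

// Name of the secret created in Key Vault (Step 4) and the (assumed)
// configuration key under which the rest of the app reads it.
const string SecretName = "amoa-db-connectionstring";
const string ConfigKey = "ConnectionStrings:AmoaDb";

if (builder.Environment.IsDevelopment())
{
    // CreateBuilder loads secrets.json automatically in Development when the
    // project has a UserSecretsId, so these keys are already in Configuration.
    var cfg = builder.Configuration;
    string Required(string key) =>
        cfg[key] ?? throw new InvalidOperationException($"User secret '{key}' is missing");

    var credential = new ClientSecretCredential(
        Required("tenantId"), Required("clientId"), Required("ClientSecret"));
    var client = new SecretClient(new Uri(Required("kvUrl")), credential);

    // Fetch the secret once at startup; it never touches appsettings.json.
    KeyVaultSecret secret = client.GetSecret(SecretName).Value;
    builder.Configuration.AddInMemoryCollection(new Dictionary<string, string>
    {
        [ConfigKey] = secret.Value
    });
}
// In Production nothing is fetched here: an App Service setting named
// ConnectionStrings__AmoaDb (assumed) holds a @Microsoft.KeyVault(SecretUri=...)
// reference, and the platform resolves it with the managed identity from Step 2.

builder.Services.AddControllers();
var app = builder.Build();

// Readiness check that confirms the secret reached configuration without
// ever echoing its value back to the caller.
app.MapGet("/health/db-config", (IConfiguration config) =>
    string.IsNullOrEmpty(config.GetConnectionString("AmoaDb"))
        ? Results.Problem("Database connection string is not configured.")
        : Results.Ok("Database connection string is configured."));

app.MapControllers();
app.Run();
```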

Production:

For the Production environment, make use of Key Vault References, which let App Service resolve the value from Key Vault using the managed identity enabled in Step 2, so the application code never handles credentials.

Create a Key in the configuration of the app service, as shown below:

Refer to the Key Vault as shown below:

@Microsoft.KeyVault(SecretUri=<Secret Identifier>)

The key in the configuration looks like the following:

By following the above approaches to storing sensitive data, we protect it from being exposed and misused. I hope you find this article helpful.

About the Author:
Praveen Desai is a .NET Developer here at Version 1.
