Use secrets from Azure Key Vault in your App Service without any code change
Dimitar Iliev
Azure AI Solutions Architect ● B. Sc. Computer Science and Engineering ● 7 x Microsoft Certified ● 23 x Microsoft Applied Skills ● Speaker ● Generative AI ● Scrum Master Certified ● 1 x GitHub Certified
What is Azure Key Vault?
According to the official MS Docs (What is Azure Key Vault? | Microsoft Docs) Azure Key Vault is a cloud service for securely storing and accessing secrets.
Some of the benefits of using key vault are:
and many more.
What is Azure App Service?
According to the official MS Docs (Overview - Azure App Service | Microsoft Docs) Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends.
Applications can be developed in any language you like (C#, Java, PHP and others).
What is Key Vault Reference?
According to the official MS Docs (Use Key Vault references - Azure App Service | Microsoft Docs), Key Vault Reference helps you use secrets in your application without requiring any code changes.
All of this sounds interesting, doesn’t it? Let’s see how we can use it in our example below.
Project Structure
Creating our application
For this example, we will create a basic ASP.NET Core Web App and use the default template it provides.
After we created our app, let’s go ahead and add an entry in our appsettings.json file.
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "FromMessage": "from appsettings.json file"
}
Let’s use this value in one of our pages. Navigate to the Index.cshtml and add the following code:
@page
@model IndexModel
@{
    ViewData["Title"] = "Home page";
}
@using Microsoft.Extensions.Configuration
@inject IConfiguration Configuration
<div class="text-center">
    <h1 class="display-4">Welcome @Configuration["FromMessage"]</h1>
    <p>Learn about <a >building Web apps with ASP.NET Core</a>.</p>
</div>
Now run our app and observe the results.
Perfect. Everything is working as expected. We managed to start the app and show our secret from the appsettings.json file.
Now let’s go and create an App Service, to which we will publish our app.
Creating the App Service
Go to the Azure portal and then navigate to Marketplace. Select the ‘Web App’ and click ‘Create’.
Fill in the details similar to below:
On the ‘Monitoring’ tab, disable App Insights, since we won’t use it in this demo.
Next, review the information and if everything is fine, click on ‘Review + create’.
Wait for the deployment to complete.
Perfect. We have successfully created our App Service.
Next, let’s publish our application by using the Publish Profile (click on the ‘Get publish profile’) from the Azure portal. After the publishing is successful, we can open our app in the browser.
Navigate to our app and open it in a new tab. We should see the following result:
As we can see it is still using our value which we previously added in our appsettings.json file. That is because we haven’t set anything in the ‘Configuration’ of our app yet, and we did not replace the secrets during deployment.
Let’s now go to the ‘Configuration’ tab and add our new secret.
Click on ‘+ New application setting’.
Add the following values:
Save the changes.
Now, let’s refresh the tab where we have our app open, and we should see the following results:
Perfect. Now we made use of the ‘Configuration’ in our App Service.
Unexpectedly, we get a new requirement which states that all the secrets are stored in Azure Key Vault and we need to change our app to use them from there. But we don’t want to make any code changes to our app. So, we decide to use Key Vault Reference.
Creating the Key Vault
Let’s start by creating a key vault in which we will store our secret.
Go to the Azure portal and search ‘Key Vaults’.
Click on the ‘+ Create’ button.
Fill in the details similar to below:
Review the information and if everything is fine, click on ‘Review + create’.
Wait for the deployment to be successful.
Now, before we add a secret and reference it in our app service configuration, let’s go back to our App Service, click on ‘Identity’ and add a system assigned managed identity (Status = ON).
For more information on managed identities, I recommend you read the official MS Docs (Managed identities for Azure resources - Microsoft Entra | Microsoft Docs).
Great, now let’s go back to our key vault and add a secret. Navigate to our key vault resource and click on ‘Secrets’.
Click on the ‘+ Generate/Import’ button.
Add the secret details as below. For Value add ‘from key vault’.
To confirm everything is fine, let’s check our secret.
Perfect. We have our secret in place. Now before we reference this secret in our app service configuration, we need to add an access policy for our app.
In key vault, go to the ‘Access policies’ and click on ‘+ Add Access Policy’.
Next, under ‘Select principal’, filter for and select our application. From the ‘Secret permissions’ list, select Get only.
You should see this before clicking on the ‘Add’ button.
Under 'Current Access Policies' we should be able to see our app as below:
Perfect. We are all set to reference this secret in our app service configuration.
Referencing the Key Vault secret
Navigate back to our app service and click on ‘Configuration’. Now click on the edit icon to edit our value.
A key vault reference has one of these formats:
@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)
or
@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)
On the ‘Add/Edit application setting’ tab enter the following information:
As you can see, in the value we specify the name of our key vault and the name of the secret. We are using method number two for the reference.
Click on ‘OK’.
We can clearly see that our Source changed to Key vault Reference, which is just what we intended.
Now refresh the tab where we had our app open and observe the final results:
Perfect. We have successfully referenced our secret from key vault without doing any code changes to our app.
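As an added example (not part of the original article or the author's repository), this Python sketch parses the two Key Vault reference formats shown above and audits a set of app settings, flagging values that are still plain literals or malformed references. The function names, the sample values and every setting name except FromMessage are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse
# Wrapper shared by both reference formats shown in the article.
_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")


def parse_keyvault_reference(value):
    """Return {'vault', 'secret'}; None for a plain literal; ValueError if malformed."""
    m = _REF.match(value.strip())
    if m is None:
        return None
    parts = {}
    for item in filter(None, (p.strip() for p in m.group("body").split(";"))):
        key, sep, val = item.partition("=")
        if not sep or not val.strip():
            raise ValueError(f"malformed segment: {item!r}")
        parts[key.strip()] = val.strip()
    if "SecretUri" in parts:
        uri = urlparse(parts["SecretUri"])
        segs = [s for s in uri.path.split("/") if s]
        if uri.scheme != "https" or not uri.hostname or segs[:1] != ["secrets"] or len(segs) < 2:
            raise ValueError("expected https://<vault host>/secrets/<name>/")
        # Assumption: the vault name is the first DNS label of the host.
        return {"vault": uri.hostname.split(".")[0], "secret": segs[1]}
    if "VaultName" in parts and "SecretName" in parts:
        return {"vault": parts["VaultName"], "secret": parts["SecretName"]}
    raise ValueError("need SecretUri, or VaultName and SecretName")


def audit_settings(settings):
    """Classify each app setting as 'reference', 'literal' or 'invalid'."""
    report = {}
    for name, value in settings.items():
        try:
            report[name] = "reference" if parse_keyvault_reference(value) else "literal"
        except ValueError:
            report[name] = "invalid"
    return report


# Constructed sample settings; only the two reference strings come from the article.
SAMPLE = {
    "FromMessage": "@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)",
    "ByUri": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)",
    "Plain": "from app service configuration",
    "Typo": "@Microsoft.KeyVault(VaultName=myvault)",
}
if __name__ == "__main__":
    print(audit_settings(SAMPLE))
```

Run against an export of the app's settings, a check like this shows which values still sit in the configuration as plain text and which reference strings would not parse.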
Thanks for sticking to the end of another article from "Iliev Talks Tech". #ilievtalkstech
The full, more detailed implementation of this example can be found on my GitHub repository on the following link: