Thursday, May 16, 2019

Azure Key vaults

What is Azure Key Vault?

    It is an Azure service in which keys and secrets can be stored. For more details refer to https://docs.microsoft.com/en-us/azure/key-vault/tutorial-net-create-vault-azure-web-app

Instead of keeping all the secrets in the config file, the secrets are stored in Key Vault, which is more secure.

Pre-requisites

The pre-requisites have to be set right:
1) The app needs permission to access Key Vault (in Azure AD --> App registrations).
2) The key vault needs to grant permission to the app. This can be done by selecting the specific key vault in the portal, selecting "Access policies" and adding the application details (such as its ID and secret).

How does my application access Key Vault?

There are two mechanisms to access the key vault:

1) Use the client ID and client secret of the app registration to access the key vault.
2) Use the managed service identity of the App Service.

Using client ID and client secret:

In this case, the client ID and secret have to be in the config file, so this is not the recommended mechanism if the client ID and secret should not be stored in the config file. However, I have shared the code in the last portion of this blog article.

Managed service identity:

Go to the Azure portal, select the App Service which needs to access the key vault, select "Identity" and enable the system-assigned managed identity.
Enabling this ensures that whenever the application accesses the key vault, the client ID and client secret need not be explicitly passed; the platform supplies a token for the App Service's identity on the application's behalf.

Use this code to access your key vault (NuGet packages Microsoft.Azure.KeyVault and Microsoft.Azure.Services.AppAuthentication):

using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

public async Task<string> GetKey(string key, string keyVaultUri)
{
    // Obtains tokens from the managed identity (in Azure) or the local developer sign-in.
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    var keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
    // Await the call instead of blocking on .Result, which can deadlock inside ASP.NET.
    var secret = await keyVaultClient.GetSecretAsync(keyVaultUri, key);
    return secret.Value;
}

Caution:

The above piece of code, when deployed in an Azure App Service, can access the key vault,
but the same code fails in the local development environment.

The reason for this is that on the local development machine no managed identity exists, so the token provider has nothing to authenticate with.

Run Azure CLI (2.0.12 or above) and type in "az login".
At the login prompt, enter credentials which have access to the Azure subscription where the App Service and key vault are present.
The CLI shows the message "you have successfully logged in. let us see all the subscriptions to which you have access"
and then lists your subscriptions.
Now run the key vault access code on your local environment; AzureServiceTokenProvider picks up the CLI sign-in and you will be able to access the key vault.
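As an added example (not the post's own code) that ties the managed-identity path and the local "az login" workaround together: the connection string passed to AzureServiceTokenProvider selects the token source explicitly, so the same method works in App Service and on a developer machine without any client secret in code or config. It assumes the same two NuGet packages as the post's code; the WEBSITE_INSTANCE_ID heuristic and the KeyVaultReader class name are this example's own assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

// Added example, not from the original post. Assumes the NuGet packages
// Microsoft.Azure.KeyVault and Microsoft.Azure.Services.AppAuthentication.
public static class KeyVaultReader
{
    // Choose the token source explicitly instead of relying on the provider's
    // default probing order: managed identity inside App Service, the signed-in
    // Azure CLI session ("az login") on a developer machine. No client id or
    // client secret is stored anywhere.
    private static string ConnectionStringFor(bool runningInAzure) =>
        runningInAzure
            ? "RunAs=App;"                                  // managed identity
            : "RunAs=Developer;DeveloperTool=AzureCli;";    // az login session

    public static async Task<string> GetSecretAsync(string keyVaultUri, string secretName)
    {
        // WEBSITE_INSTANCE_ID is set by the App Service platform; its absence is
        // treated as "local development". (Assumption: this heuristic is the
        // example's own, not something the post prescribes.)
        bool runningInAzure =
            !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("WEBSITE_INSTANCE_ID"));

        var tokenProvider = new AzureServiceTokenProvider(ConnectionStringFor(runningInAzure));
        var client = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

        try
        {
            // await rather than .Result: blocking on the task can deadlock inside ASP.NET.
            var secret = await client.GetSecretAsync(keyVaultUri, secretName).ConfigureAwait(false);
            return secret.Value;
        }
        catch (AzureServiceTokenProviderException ex)
        {
            // Raised when no token could be obtained: managed identity not enabled on
            // the App Service, or no "az login" session on the developer machine.
            string source = runningInAzure ? "managed identity" : "Azure CLI";
            throw new InvalidOperationException(
                $"Could not obtain a Key Vault token via {source}. " +
                "Check that the identity is enabled and has an access policy on the vault.", ex);
        }
    }
}
```

A 403 from the vault itself (rather than a token failure) means the identity authenticated but has no access policy; that surfaces as a KeyVaultErrorException from the GetSecretAsync call.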

Code using client ID and secret:

using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

private static async Task<string> GetSecretAsync(string vaultUrl, string vaultKey)
{
    var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync), new HttpClient());
    var secret = await client.GetSecretAsync(vaultUrl, vaultKey).ConfigureAwait(false);
    return secret.Value;
}

// Called by KeyVaultClient whenever it needs a bearer token for the vault's resource.
private static async Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
{
    // DEMO ONLY
    // Storing ApplicationId and Key in code / config file is a bad idea :)
    var appCredentials = new ClientCredential("<client id GUID>", "<client secret>");
    var context = new AuthenticationContext(authority, TokenCache.DefaultShared);

    var result = await context.AcquireTokenAsync(resource, appCredentials).ConfigureAwait(false);

    return result.AccessToken;
}

Thursday, February 28, 2019

CI CD using Azure DevOps

To set up a build in Azure DevOps:

1)    Go to Pipelines -> Builds
2)    Click on New -> New build pipeline
3)    Using the built-in pipelines:
a.     Select the repository type (in EY, it is usually Azure Repos)
b.     Select the repository
c.     In the Configure tab, select the pipeline template (.NET Core, ASP.NET, etc.)
4)    If you want to configure a custom pipeline:
a.     Select “Use the visual designer”
b.     Select the repository, source and branch (selecting the master branch for builds is the recommended approach)
c.     Click on Continue
d.     Pre-existing templates will be displayed. You can select any of these templates (as needed) or select an empty job.
5)    To add individual tasks / activities:
a.     Go to the build pipeline and click on the “+” icon
b.     A list of tasks will be displayed.
c.     Add suitable tasks. Usually for .NET projects the tasks will be restore, build, test and publish.
d.     “Publish artifact” creates zip files with binaries for each project (this will be useful for deployment as well).
e.     Click on “Save and queue”; the build will start. After completion of the build, an email is sent.
f.      To view the build artifacts, click on “View results” in the email.
g.     In the page that is displayed, select Artifacts.
h.     Given below is a snapshot of an ASP.NET Core app. [screenshot not reproduced]
i.      In the agent job, select “Hosted VS2017” if using VS 2017.

To set up a release:
1)      Click on Pipelines -> Releases -> New release pipeline
2)      In the templates, select “Azure App Service deployment”
3)      A new stage is created. The release pipeline can be split into multiple stages.
4)      In Artifacts, click on “Add an artifact”
5)      Select source type as Build, select the project and also the build pipeline
6)      Click on the “1 job, 1 task” link
7)      Select the Azure subscription and App Service name
8)      In the “Deploy Azure App Service” task, enter the package or folder details (the zip file from the build artifacts)
9)      Go to application settings and configuration settings to add any app settings
10)  Save and click on Release.
11)  The application is deployed to the Azure App Service.