what is Azure key vault?
It is an Azure service in which cryptographic keys and application secrets can be stored. For more details refer to https://docs.microsoft.com/en-us/azure/key-vault/tutorial-net-create-vault-azure-web-app
Instead of keeping all the secrets in a config file, they are stored in Key Vault, which is more secure.
Pre-requisites
Both pre-requisites have to be in place before the application can read anything:
1) The app needs permission to access Key Vault (in Azure AD --> App registrations)
2) The key vault needs to grant permission to the app. This is done by selecting the specific key vault in the portal, opening Access policies and adding the application details (such as its id and secret)
how does my application access key vault?
There are two mechanisms to access the key vault:
1) Use the client ID and client secret of the app registration to access the key vault.
2) Use a managed service identity from the app service.
use client id and client secret:
In this case, the client id and secret have to be in the config file, so this is not the recommended mechanism when the client id and secret should not be stored in the config file. I have nevertheless shared the code for it in the last portion of this blog article.
Managed service identity:
Go to the Azure portal, select the app service which needs to access the key vault, open Identity and enable the managed identity.
Enabling this ensures that whenever the application accesses the key vault, the client id and client secret need not be passed explicitly; the platform presents the application's identity instead.
use this code to access your key vault:
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

public async Task<string> GetKey(string key, string keyVaultUri)
{
    // AzureServiceTokenProvider obtains a token for the managed identity (or, locally, for the az login user)
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
    // await the call instead of blocking on .Result, which can deadlock inside an async method
    var secret = await keyVaultClient.GetSecretAsync(keyVaultUri, key);
    return secret.Value;
}
caution:
The above piece of code can access the key vault when deployed in an Azure app service,
but the same code fails in the local development environment.
The reason is that on the local development environment no managed identity is set.
Run Azure CLI (2.0.12 or above) and type in az login.
At the login prompt, enter the credentials which have access to the Azure subscription where the app service and key vault are present.
CLI shows a message "you have successfully logged in. let us see all the subscriptions to which you have access"
and then lists your subscriptions.
Now run the key vault access code on your local environment and you will be able to access the key vault.
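As an added example (not code from the original post), the following helper combines the managed identity path with the local az login fallback described above and turns the two usual failures, no identity available and a missing access policy, into readable errors. It assumes the same NuGet packages as the post's code (Microsoft.Azure.KeyVault and Microsoft.Azure.Services.AppAuthentication) and uses a placeholder vault URI.

```csharp
// Added example, not from the original post. Works both in App Service (managed
// identity) and on a developer machine after "az login".
// Assumes packages Microsoft.Azure.KeyVault and Microsoft.Azure.Services.AppAuthentication.
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Services.AppAuthentication;

public static class KeyVaultReader
{
    // keyVaultUri example (placeholder, not a real vault): https://<vault-name>.vault.azure.net/
    public static async Task<string> GetSecretValueAsync(string keyVaultUri, string secretName)
    {
        // With no connection string the provider tries managed identity first, then
        // Visual Studio, then the Azure CLI credentials from "az login".
        // To force the CLI path locally, pass "RunAs=Developer;DeveloperTool=AzureCli".
        var tokenProvider = new AzureServiceTokenProvider();

        using (var client = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback)))
        {
            try
            {
                // await instead of .Result: blocking inside an async method can deadlock.
                SecretBundle secret = await client.GetSecretAsync(keyVaultUri, secretName)
                                                  .ConfigureAwait(false);
                return secret.Value;
            }
            catch (AzureServiceTokenProviderException ex)
            {
                // No identity available: managed identity not enabled, or no "az login" locally.
                throw new InvalidOperationException(
                    "Could not obtain a token for Key Vault. Enable the managed identity on the " +
                    "App Service or run 'az login' on the development machine.", ex);
            }
            catch (KeyVaultErrorException ex) when (ex.Response.StatusCode == HttpStatusCode.Forbidden)
            {
                // Identity worked, but the vault's access policy does not grant 'get' on secrets.
                throw new InvalidOperationException(
                    $"The identity has no 'get' permission on secrets in {keyVaultUri}. " +
                    "Add it under the vault's access policies.", ex);
            }
        }
    }
}
```

The 403 branch is the symptom of skipping pre-requisite 2 above: the token is valid, but the vault has not been told to trust that identity.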
Code using client id and secret:
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

private static async Task<string> GetSecretAsync(string vaultUrl, string vaultKey)
{
    // The client invokes the callback below to obtain a bearer token for the Key Vault resource
    var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync), new HttpClient());
    var secret = await client.GetSecretAsync(vaultUrl, vaultKey).ConfigureAwait(false);
    return secret.Value;
}

private static async Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
{
    //DEMO ONLY
    //Storing ApplicationId and Key in code / config file is bad idea :)
    var appCredentials = new ClientCredential("<client id GUID>", "<client secret>");
    // authority is the Azure AD tenant endpoint and resource is the Key Vault resource id; both are supplied by KeyVaultClient
    var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
    var result = await context.AcquireTokenAsync(resource, appCredentials).ConfigureAwait(false);
    return result.AccessToken;
}