Home > Software design >  What is the point of Azure App Config KeyVault references?
What is the point of Azure App Config KeyVault references?

Time:09-29

In Azure you can setup an App Config and a KeyVault. The point of the KeyVault being to store more sensitive data than your App Config and be able to regulate access to the config and vault separately.

So what is the benefit of using a keyvault reference in the app config?

You are basically allowing anyone with access to the app config to access certain values in your keyvault and are bypassing the additional layer of security the vault normally provides.
The additional layer being required auth to the vault to access those same values if they aren't referenced in the config.

I really don't understand what benefit keyvault references give you.

CodePudding user response:

This blog article by Jan de Vries explains them in more detail: https://jan-v.nl/post/2021/using-key-vault-with-azure-app-configuration/.

The relevant part for your question:

As it happens, the code for accessing App Configuration doesn’t give your application permission to retrieve secrets from Key Vault.

The application retrieves them from Key Vault, not from App Configuration. App Config only holds the reference, not the actual value.

Official docs also mention this:

Your application uses the App Configuration client provider to retrieve Key Vault references, just as it does for any other keys stored in App Configuration. In this case, the values stored in App Configuration are URIs that reference the values in the Key Vault. They are not Key Vault values or credentials. Because the client provider recognizes the keys as Key Vault references, it uses Key Vault to retrieve their values.

Your application is responsible for authenticating properly to both App Configuration and Key Vault. The two services don't communicate directly.

CodePudding user response:

I suppose there are different approaches to using the KeyVault, but the way I tend to use it is as follows.

My application will have a set of secrets, which I store locally using the Secrets Manager, you would add the secret for your application:

dotnet user-secrets set "Movies:ServiceApiKey" "12345"

Your application can then read this setting using _moviesApiKey = Configuration["Movies:ServiceApiKey"]; as you'll see in the link above. Obviously, there's no way you can see this value in the code, but your application can read it from the Secrets Manager.

If you do forget the values, you can use the following command to retrieve them:

dotnet user-secrets list

KeyVault will work as your Secrets Manager within Azure. So, your application will need to have permission to access the KeyVault, and in my case I store the Vault name in the appsettings.json, and during the bootstrapping, I include the KeyVault configuration if running in Production mode i.e. on the Azure Server and not locally.

public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
      WebHost.CreateDefaultBuilder(args)
        .ConfigureLogging(logging =>
        {
          logging.ClearProviders();
          logging.AddConsole();
          logging.AddAzureWebAppDiagnostics();
        })
        .ConfigureAppConfiguration((context, config) =>
        {
          if (context.HostingEnvironment.IsProduction())
          {
            IConfigurationRoot builtConfig = config.Build();
            ConfigurationBuilder keyVaultConfigBuilder = new ConfigurationBuilder();
            keyVaultConfigBuilder.AddAzureKeyVault(builtConfig["VaultName"]);
            IConfigurationRoot keyVaultConfig = keyVaultConfigBuilder.Build();
            config.AddConfiguration(keyVaultConfig);
          }

        })
        .UseStartup<Startup>();

Note, the check for context.HostingEnvironment.IsProduction(). Within the appsettings, I have:

"VaultName": "https://yourkvname.vault.azure.net/"

So, the only reference I have to the KeyVault from the application is the name, and that should be secure as only the application will have access to the keys/secrets.

One thing to note, you need to make sure that the names match both for your local secrets and the ones in the KeyVault. In my case, I am running on a Windows platform, so I needed to make a small change to the names using double dashes (--) in place of the colon (:), so...

Movies:ServiceApiKey

Becomes

Movies--ServiceApiKey

  • Related