What is the better way to load Azure Key Vault secrets in .NET Core?

Time:05-06

We have stored connection string values in Azure Key Vault. I have read about two ways to get the secret value from my .NET Core application. One is to load all secrets into the configuration using the following code:

var keyVaultUrl = builder.Configuration["KeyVaultUrl"];
// Lambda parameter renamed so it does not shadow the outer 'builder' variable.
builder.Host.ConfigureAppConfiguration(config =>
{
    config.AddAzureKeyVault(new Uri(keyVaultUrl), new DefaultAzureCredential());
});

The other way is to use the following code and get the secret value:

string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME");
var kvUri = "https://" + keyVaultName + ".vault.azure.net";

var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
// secretName is the name of the secret to read from the vault.
var secret = await client.GetSecretAsync(secretName);

Save these values once in a static class and use them throughout the application whenever required.

Which option suits better in which situation?

Also, please provide some input on reloading the secret value if it changes.

I only have a couple of secrets in my application.

CodePudding user response:

Although both scenarios enable reusing the way of getting values, I do have a personal preference: use the first option.

The big plus for this approach is that the values are retrievable through IConfiguration. This means that throughout the rest of the application, developers don't even have to know where values come from. They can get settings from IConfiguration, no matter the origin of the setting. With your second approach, the code to get a value from Key Vault is still reusable but developers need to know where to get values from.

As far as reloading goes: have a look at passing in an instance of AzureKeyVaultConfigurationOptions. This has a ReloadInterval property, which is a ...

    TimeSpan to wait between attempts at polling the key vault for changes. The default value is null (configuration isn't reloaded).

Source: Azure Key Vault configuration provider in ASP.NET Core - Configuration options

An even richer solution would be to combine App Configuration and Key Vault to enable you to Reload secrets and certificates from Key Vault automatically.

App Configuration and Key Vault are complementary services used side by side in many applications. App Configuration helps you use the services together by creating keys in your App Configuration store that reference secrets or certificates stored in Key Vault. Since Key Vault stores the public and private key pair of a certificate as a secret, your application can retrieve any certificate as a secret from Key Vault.

As a good security practice, secrets and certificates should be rotated periodically. Once they have been rotated in Key Vault, you would want your application to pick up the latest secret and certificate values. There are two ways to achieve this without restarting your application:

  • Update a sentinel key-value to trigger the refresh of your entire configuration, thereby reloading all Key Vault secrets and certificates. For more information, see how to use dynamic configuration in an ASP.NET Core app.
  • Periodically reload some or all secrets and certificates from Key Vault.
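The first option from the answer, with the ReloadInterval the answer points to and the values consumed through the options pattern so that a rotated secret is actually picked up, as an added example that is not code from the question, the answer or the Microsoft documentation. It assumes the NuGet packages Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets, a configuration value named KeyVaultUrl, a Key Vault secret named ConnectionStrings--Sql, and a settings class DbSettings; all of those names are assumptions for the example.

```csharp
// Added example (not from the question or answer): Program.cs for a minimal ASP.NET Core app
// that loads Key Vault secrets into IConfiguration and reloads them periodically.
// Assumes packages Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets,
// and a configuration value "KeyVaultUrl" (assumed name) pointing at the vault.
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

var keyVaultUrl = builder.Configuration["KeyVaultUrl"]
    ?? throw new InvalidOperationException("KeyVaultUrl is not configured.");

// Secrets become ordinary configuration keys. A secret named "ConnectionStrings--Sql"
// (assumed name) is exposed as the key "ConnectionStrings:Sql", because the provider
// maps "--" to the ":" section separator.
builder.Configuration.AddAzureKeyVault(
    new Uri(keyVaultUrl),
    new DefaultAzureCredential(),
    new AzureKeyVaultConfigurationOptions
    {
        // Poll the vault every 5 minutes; the default of null means never reload.
        ReloadInterval = TimeSpan.FromMinutes(5)
    });

// Bind the section the app needs. IOptionsMonitor<T> observes reloaded values;
// a value copied into a static field at startup would keep the stale secret.
builder.Services.Configure<DbSettings>(builder.Configuration.GetSection("ConnectionStrings"));

var app = builder.Build();

app.MapGet("/health/db", (IOptionsMonitor<DbSettings> monitor) =>
{
    // Read CurrentValue on every request so rotation takes effect without a restart.
    var connectionString = monitor.CurrentValue.Sql;
    // Report only whether the secret is present, never its contents.
    return Results.Ok(new { configured = !string.IsNullOrEmpty(connectionString) });
});

app.Run();

// Assumed settings class for the example; the "ConnectionStrings--Sql" secret binds to Sql.
public sealed class DbSettings
{
    public string Sql { get; set; } = string.Empty;
}
```

Code that needs the connection string takes IOptionsMonitor<DbSettings> (or IConfiguration) from dependency injection rather than a static holder, which is the reason the answer prefers this option: callers never learn that the value came from Key Vault, and a rotated secret reaches them at the next poll.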