We have stored connection string values in Azure Key Vault. I have read two ways to get the secret value from my .net core application. One is to load all secrets in ConfigurationManager using the following code:
```csharp
// Registers Key Vault as a configuration source so every secret becomes an IConfiguration key.
var keyVaultUrl = builder.Configuration["KeyVaultUrl"];
builder.Host.ConfigureAppConfiguration(config =>   // renamed from "builder" to avoid shadowing the outer variable
{
    config.AddAzureKeyVault(new Uri(keyVaultUrl), new DefaultAzureCredential());
});
```
Other way is to use following code and get the secret value:
```csharp
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME");
var kvUri = $"https://{keyVaultName}.vault.azure.net";   // the "+" operators were lost; string interpolation restores them
var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
string secretName = "MyConnectionString";                 // name of the secret to fetch (placeholder)
KeyVaultSecret secret = await client.GetSecretAsync(secretName);
```
Save these values once in a static class and use them throughout the application whenever required.
Which option suits better in which situation?
Also provide some inputs on reloading the secret value if it changes.
I only have a couple of secrets in my application.
CodePudding user response:
Although both scenarios enable reusing the way of getting values, I do have a personal preference: use the first option.
The big plus for this approach is that the values are retrievable through IConfiguration. This means that throughout the rest of the application, developers don't even have to know where values come from. They can get settings from IConfiguration, no matter the origin of the setting. With your second approach, the code to get a value from Key Vault is still reusable but developers need to know where to get values from.
As far as reloading goes: have a look at passing in an instance of AzureKeyVaultConfigurationOptions. This has a ReloadInterval property, which is a ... TimeSpan to wait between attempts at polling the key vault for changes. The default value is null (configuration isn't reloaded).
Source: Azure Key Vault configuration provider in ASP.NET Core - Configuration options
An even richer solution would be to combine App Configuration and Key Vault to enable you to Reload secrets and certificates from Key Vault automatically.
App Configuration and Key Vault are complementary services used side by side in many applications. App Configuration helps you use the services together by creating keys in your App Configuration store that reference secrets or certificates stored in Key Vault. Since Key Vault stores the public and private key pair of a certificate as a secret, your application can retrieve any certificate as a secret from Key Vault.
As a good security practice, secrets and certificates should be rotated periodically. Once they have been rotated in Key Vault, you would want your application to pick up the latest secret and certificate values. There are two ways to achieve this without restarting your application:
- Update a sentinel key-value to trigger the refresh of your entire configuration, thereby reloading all Key Vault secrets and certificates. For more information, see how to use dynamic configuration in an ASP.NET Core app.
- Periodically reload some or all secrets and certificates from Key Vault.
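Putting the answer's advice together (first option, ReloadInterval, reading through configuration instead of a static copy), here is an added example of a .NET 6+ Program.cs; it is not code from the question or the answer. It assumes a "KeyVaultUrl" setting, secrets named with a "MyApp--" prefix (for example "MyApp--ConnectionStrings--Default", since Key Vault names allow only letters, digits and dashes), and the hypothetical PrefixSecretManager and DbOptions types defined below.

```csharp
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// Assumed: "KeyVaultUrl" comes from appsettings.json or an environment variable.
var keyVaultUrl = builder.Configuration["KeyVaultUrl"]
    ?? throw new InvalidOperationException("KeyVaultUrl is not configured.");

builder.Configuration.AddAzureKeyVault(
    new Uri(keyVaultUrl),
    new DefaultAzureCredential(),
    new AzureKeyVaultConfigurationOptions
    {
        // Poll Key Vault for rotated values every 5 minutes (default null = never reload).
        ReloadInterval = TimeSpan.FromMinutes(5),
        // Load only the few secrets this app needs rather than everything in the vault.
        Manager = new PrefixSecretManager("MyApp--"),
    });

// Bind the "ConnectionStrings" section so IOptionsMonitor follows configuration reloads.
builder.Services.Configure<DbOptions>(builder.Configuration.GetSection("ConnectionStrings"));

var app = builder.Build();

// Read CurrentValue at use time: a value copied into a static class would stay stale
// after rotation. The endpoint reports presence only, never the secret itself.
app.MapGet("/health/db-config", (IOptionsMonitor<DbOptions> opts) =>
    Results.Ok(new { configured = !string.IsNullOrEmpty(opts.CurrentValue.Default) }));

app.Run();

// Hypothetical manager: loads only secrets starting with the prefix and maps
// "MyApp--ConnectionStrings--Default" to the configuration key "ConnectionStrings:Default".
sealed class PrefixSecretManager : KeyVaultSecretManager
{
    private readonly string _prefix;
    public PrefixSecretManager(string prefix) => _prefix = prefix;

    public override bool Load(SecretProperties properties) =>
        properties.Name.StartsWith(_prefix, StringComparison.OrdinalIgnoreCase);

    public override string GetKey(KeyVaultSecret secret) =>
        secret.Name[_prefix.Length..].Replace("--", ConfigurationPath.KeyDelimiter);
}

sealed class DbOptions { public string? Default { get; set; } }
```

Requires the Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity packages; the identity used by DefaultAzureCredential needs only the Key Vault "get" and "list" secret permissions for this to work.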