How to configure AWS S3 Credentials in Azure Website

Question

I have an asp.net core website hosted on azure.

I want to upload files in Amazon S3.

How can I configure AWS credentials in Azure Web App.

Answer 1

Azure Key Vault would be the best bet to store any sensitive/secret information like credentials, that your web application hosted in Azure will use.

Here is a sample with code as well as steps for setup that you can follow to do this from a .NET core web application. ( Sample documentation )

This sample also demonstrates another best practice to make use of Managed Service Identity for your web app in order to access the key vault. That will automatically take care of governance around key rotation and other concerns. Just in case your web app already has an Azure AD registered identity for some reason, you can use that as well to access the key vault.

Code is available here:

https://github.com/Azure-Samples/key-vault-dotnet-core-quickstart.git

Not to give you a link only sort of answer, here are only the high level steps. For details of course look at the github repo and documentation.

1. You create a Key Vault using Azure portal or with a command like

    az keyvault create --name "<YourKeyVaultName>" --resource-group "<YourResourceGroupName>" --location "East US" 

2. You create secrets in this vault for the user name and secret key that will be used to access AWS S3. Again portal or Azure CLI command.

    az keyvault secret set --vault-name "<YourKeyVaultName>" --name "AWS-ACCESS-KEY-ID" --value "MySecretValue1" az keyvault secret set --vault-name "<YourKeyVaultName>" --name "AWS-SECRET-KEY" --value "MySecretValue2" 

3. Enable managed identity for your web app

    az webapp identity assign --name "keyvaultdotnetcorequickstart" --resource-group "<YourResourceGroupName>" 

4. Assign permissions to read the secrets from Key Vault for your web app

    az keyvault set-policy --name '<YourKeyVaultName>' --object-id <PrincipalId> --secret-permissions get list 

5. Go through the Key vault related code in repo. Important part from Program.cs given below

    public static IWebHost BuildWebHost(string[] args) => WebHost.CreateDefaultBuilder(args) .ConfigureAppConfiguration((ctx, builder) => { var keyVaultEndpoint = GetKeyVaultEndpoint(); if (!string.IsNullOrEmpty(keyVaultEndpoint)) { var azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback( azureServiceTokenProvider.KeyVaultTokenCallback)); builder.AddAzureKeyVault( keyVaultEndpoint, keyVaultClient, new DefaultKeyVaultSecretManager()); } } ).UseStartup<Startup>() .Build(); private static string GetKeyVaultEndpoint() => "https://<YourKeyVaultName>.vault.azure.net"; 

Answer 2

Best practice would be to let your client application to upload directly to S3, not flowing through your own web infrastructure. This would leverage ether massive parallel nature of S3 and off-load your web infrastructure. Offloading your infrastructure will allow to use less instances or smaller instances to serve the same amount of traffic. Hence a lower infrastructure cost for you.

If your application is a web app, you can even let your customers' browsers upload directly to S3. See how to implement this securely at read this AWS Documentation

Hope this helps !