
Using KeyVault secrets to override appsettings in Azure App Service and locally

Attempting to retrieve secrets from KeyVault in a C# App Service.

Local machine:

  • Visual Studio > Tools > Options > Azure Service Authentication - authenticated Azure account

  • Likely use az login in the shell that you dotnet run from, if on VS Code etc. Not checked.

Azure

  • App service blade:
    • Set App Service identity to System Assigned
  • Keyvault blade:
    • Created KeyVault
    • Created Secret: Name = "Foo"
    • Given myself manage secrets access policy
    • Given App Service identity Get and List secret access policy

appsettings.json

...
"KeyVaultName" : "abc123",
"Secrets": {
    "One" : "@Microsoft.KeyVault(SecretUri=[uri to secret copied from Azure blade])"
}
...

Program.cs

...
using System;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;
...
public static IHostBuilder CreateHostBuilder(string[] args)
{
    return Host.CreateDefaultBuilder(args)
        .ConfigureAppConfiguration((context, config) =>
        {
            // Build the sources registered so far (appsettings.json etc.) to read the vault name.
            var builtConfig = config.Build();
            var secretClient = new SecretClient(
                new Uri($"https://{builtConfig["KeyVaultName"]}.vault.azure.net/"),
                new DefaultAzureCredential());
            // Adds every vault secret as a configuration key ("--" in the secret name becomes ":").
            config.AddAzureKeyVault(secretClient, new KeyVaultSecretManager());
        })
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseStartup<Startup>();
        });
}

Result

I am just getting the @Microsoft ... value which I had expected to be mapped to the value from the keyvault.

Something seems off as I have to define the name of the keyvault twice, once in the SecretClient and once in the @Microsoft.KeyVault reference.

It seems I was mixing two methods of getting secrets from the KeyVault.

Configuration Provider

What I added in Program.cs was a configuration provider that maps secrets into the configuration collection. Putting a breakpoint in Startup.cs and inspecting the value in the configuration collection validated this.

What I should have done is name the secret Secret--One, which will map to and override the local config value { "Secret": { "One": "..." } }. You cannot use : or __ (as used in environment-variable config mapping) because those characters are not supported in secret names.

Feel I am still missing something here so please update in comments or another answer.

KeyVault Reference

If, on the other hand, you want to override config values using Environment Variables set on the Azure Application Settings (App Service Configuration) blade, then you can use KeyVault References.

The issue with this is that you still need another method to ensure you don't keep secrets locally and risk committing them to source control.
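One way to put the naming rule and the local-vs-Azure concern above into practice, as an added example (not the poster's code): a generic-host app that registers the Key Vault provider only when a vault name is configured, loads only secrets under a Secrets-- prefix through a custom KeyVaultSecretManager, and reads the mapped key Secrets:One. The class name PrefixedSecretManager and the prefix are this example's own choices; it assumes the Azure.Identity, Azure.Security.KeyVault.Secrets and Azure.Extensions.AspNetCore.Configuration.Secrets packages.

```csharp
using System;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

// Only secrets named "Secrets--<Name>" are loaded; the base manager maps "--"
// to ":" so the vault secret "Secrets--One" overrides the appsettings.json
// key "Secrets:One". (Class name and prefix are this example's own choices.)
public sealed class PrefixedSecretManager : KeyVaultSecretManager
{
    private readonly string _prefix;
    public PrefixedSecretManager(string prefix) => _prefix = prefix;

    // Skip disabled secrets and anything outside the prefix, so an unrelated
    // vault entry cannot silently override some other configuration key.
    public override bool Load(SecretProperties secret) =>
        secret.Enabled == true && secret.Name.StartsWith(_prefix, StringComparison.Ordinal);
}

public static class Program
{
    public static void Main(string[] args)
    {
        var host = Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // appsettings.json, user secrets and environment variables are
                // already registered; Key Vault is added last so its values win.
                var vaultName = config.Build()["KeyVaultName"];
                if (string.IsNullOrWhiteSpace(vaultName))
                {
                    return; // local run without a vault: keep the non-secret defaults
                }
                var client = new SecretClient(
                    new Uri($"https://{vaultName}.vault.azure.net/"),
                    new DefaultAzureCredential()); // managed identity in App Service, VS/az login locally
                config.AddAzureKeyVault(client, new PrefixedSecretManager("Secrets--"));
            })
            .Build();

        var cfg = host.Services.GetRequiredService<IConfiguration>();
        // Vault value when the secret "Secrets--One" exists and is enabled,
        // otherwise the literal placeholder from appsettings.json.
        Console.WriteLine(cfg["Secrets:One"]);
    }
}
```

Leaving KeyVaultName empty in the committed appsettings.json and setting it only in App Service configuration (or a local user-secrets file) keeps real secret values out of source control while the same code path runs in both places.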
