Attempting to retrieve secrets from KeyVault in a C# App Service.
Visual Studio > Tools > Options > Azure Service Authentication - authenticated Azure account
Likely use az login in the shell that you dotnet run if on VS Code etc. Not checked.
System Assigned
...
"KeyVaultName" : "abc123",
"Secrets": {
    "One" : "@Microsoft.KeyVault(Secreturi=[uri to secret copied from Azure blade])"
}
...
...
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets; // SecretClient
...
public static IHostBuilder CreateHostBuilder(string[] args)
{
    return Host.CreateDefaultBuilder(args)
        .ConfigureAppConfiguration((context, config) =>
        {
            // Build the configuration loaded so far to read the vault name.
            var builtConfig = config.Build();
            var secretClient = new SecretClient(
                new Uri($"https://{builtConfig["KeyVaultName"]}.vault.azure.net/"),
                new DefaultAzureCredential());
            // Adds a configuration provider that loads vault secrets as config keys.
            config.AddAzureKeyVault(secretClient, new KeyVaultSecretManager());
        })
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseStartup<Startup>();
        });
}
I am just getting the @Microsoft ... value which I had expected to be mapped to the value from the keyvault.
Something seems off as I have to define the name of the keyvault twice, once in the SecretClient and once in the @Microsoft.KeyVault reference.
It seems I was mixing two methods of getting secrets from the KeyVault.
What I added in Program.cs was a configuration provider that maps secrets into the configuration collection. Putting a breakpoint in Startup.cs and inspecting the value in the configuration collection validated this.
What I should have done is named the secret Secret--One, which will map and override the local config value { "Secret": { "One" : "..." } }. Cannot use : or __ used in Environment Variable config mapping as those characters are not supported in secret names.
Feel I am still missing something here so please update in comments or another answer.
If, on the other hand, you want to override config values using Environment Variables set on the Azure Application Settings (App Service Configuration) blade, then you can use KeyVault References.
The issue with this is that you still need another method to ensure you don't keep secrets locally and risk committing them to source control.
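The following is an added example, not code from the original post: a startup check that lists configuration keys still holding a literal @Microsoft.KeyVault(...) string, alongside the "--" to ":" name mapping that the default KeyVaultSecretManager applies. The vault is simulated with an in-memory provider so it runs offline; the class and method names, the Secrets--One secret name (taken from the question's "Secrets" section) and all sample values are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Configuration;

public static class KeyVaultConfigDemo // hypothetical name, not from the post
{
    // Same convention as the default KeyVaultSecretManager: "--" in a secret
    // name becomes the ":" section delimiter of the configuration key.
    public static string ToConfigKey(string secretName) =>
        secretName.Replace("--", ConfigurationPath.KeyDelimiter);

    // Keys whose value is still a literal App Service Key Vault reference,
    // meaning no provider resolved or overrode it.
    public static List<string> UnresolvedReferences(IConfiguration config) =>
        config.AsEnumerable()
              .Where(kv => kv.Value != null && kv.Value.TrimStart()
                  .StartsWith("@Microsoft.KeyVault(", StringComparison.OrdinalIgnoreCase))
              .Select(kv => kv.Key)
              .ToList();

    public static void Main()
    {
        // Constructed stand-in for appsettings.json (placeholder URIs).
        var local = new Dictionary<string, string?>
        {
            ["KeyVaultName"] = "abc123",
            ["Secrets:One"] = "@Microsoft.KeyVault(SecretUri=https://example.invalid/placeholder)",
            ["Secrets:Two"] = "@Microsoft.KeyVault(SecretUri=https://example.invalid/placeholder)",
        };
        // Constructed stand-in for the vault contents: secret name -> value.
        var vault = new Dictionary<string, string> { ["Secrets--One"] = "value-from-vault" };

        // Later providers win, so the mapped vault key overrides the local one.
        var config = new ConfigurationBuilder()
            .AddInMemoryCollection(local)
            .AddInMemoryCollection(vault.ToDictionary(s => ToConfigKey(s.Key), s => (string?)s.Value))
            .Build();

        // Report key names only; never log the secret values themselves.
        bool overridden = config["Secrets:One"] == "value-from-vault";
        Console.WriteLine($"Secrets:One overridden by vault: {overridden}");
        var unresolved = UnresolvedReferences(config);
        if (unresolved.Count > 0)
            Console.WriteLine("Unresolved Key Vault references: " + string.Join(", ", unresolved));
    }
}
```

Here Secrets:Two is reported as unresolved because no secret named Secrets--Two exists in the simulated vault, which is the same symptom as seeing the raw @Microsoft.KeyVault(...) string at runtime.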