Tags: c#, azure, azure-keyvault, appsettings, app-secret

How does an app recognize secrets in a key vault using the same syntax as locally?


I'm managing secrets with the dotnet user-secrets init/set commands (as documented here). Now, as I'll be deploying to Azure, I want to use the key vault (as documented here) configured by az keyvault create/set.

Naturally, what I want is that the locally set secret created like this:

dotnet user-secrets set "Foot:Left" "Stinks"
dotnet user-secrets set "Foot:Right" "Stinks2"

will in Azure pick the values set by the following:

az keyvault secret set --vault-name "kv-shhh" --name "Foot--Left" --value "Stinks"
az keyvault secret set --vault-name "kv-shhh" --name "Foot--Right" --value "Stinks2"

What I can't see in the docs is the information on how the code will know which key vault to use. In my case, I only have a single one, the kv-hush-hush, but there might be other key vaults in other resource groups. There may, in fact, be key vaults in my resource group.

A colleague suggested that the strategy may be to only pick secrets from within the resource group the application is served from (and if there are multiple ones, the values would impose onto each other somehow). However, looking for any confirmation or refutation of that theory, we found nothing.

How do I tell the application to use the values from the key vault once I serve it from the cloud?

I've seen solutions like this one but that's relying on the key vault for both local development and hosted production. I'd prefer to have my secrets on my machine so I don't rely on the internet connection.

edit

Based on the comments and docs for AddAzureKeyVault(...), I added the following sample to my Program.cs.

using Azure.Identity;                      // DefaultAzureCredential
using Microsoft.Extensions.Configuration;  // AddAzureKeyVault (Azure.Extensions.AspNetCore.Configuration.Secrets package)

string vaultName = "kv-name-on-my-vault";
string vaultUri = $"https://{vaultName}.vault.azure.net/";
// Registers the vault as the last configuration source; the credential chain
// is only exercised when the configuration is built and the vault is read.
builder.Configuration.AddAzureKeyVault(
  new Uri(vaultUri),
  new DefaultAzureCredential());

However, I'm pretty certain that it won't let me get the keys. Otherwise, anybody with the vaultName would be able to. What am I missing?

I'm sensing that it's controlled by the Access policies section in the properties of the key vault. However, I feel unsure how to explain to the vault that my application (or, possibly, any application in its resource group) is trusted to read the vault. Also, I feel totally lost as to how I'd explain that my local application should be let into the vault.

I suspect that the docs cover that but I'm not seeing it due to lack of experience with the Azure key vaults.

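The following Program.cs is an added example (not the asker's code, and not from the Microsoft docs) showing one way to get the behaviour the question asks for: the user-secrets store stays the source of `Foot:Left` and `Foot:Right` in the Development environment, and Key Vault is added only elsewhere. Which vault is used is not decided by resource group; the provider reads exactly the vault URI it is given, so the vault name is taken from a configuration value named `KeyVaultName` (an assumed name, meant to be supplied as an application setting on the host). It assumes the `Azure.Identity` and `Azure.Extensions.AspNetCore.Configuration.Secrets` packages.

```csharp
// Program.cs (added example). Assumes packages Azure.Identity and
// Azure.Extensions.AspNetCore.Configuration.Secrets.
using System;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// In Development, WebApplication.CreateBuilder has already added the
// user-secrets store (the values written by `dotnet user-secrets set`),
// so nothing has to be done here and no network access is needed locally.
if (!builder.Environment.IsDevelopment())
{
    // "KeyVaultName" is an assumed setting name; on the host it would be an
    // application setting, so the code never hard-codes a vault.
    string? vaultName = builder.Configuration["KeyVaultName"];
    if (string.IsNullOrWhiteSpace(vaultName))
    {
        // Fail at startup rather than run with an empty secret set.
        throw new InvalidOperationException(
            "KeyVaultName is not configured for this environment.");
    }

    // Added last, so vault secrets override every earlier source.
    builder.Configuration.AddAzureKeyVault(
        new Uri($"https://{vaultName}.vault.azure.net/"),
        new DefaultAzureCredential());
}

// The Key Vault provider turns the secret name "Foot--Left" into the
// configuration key "Foot:Left", so the same lookup serves both stores.
string? left = builder.Configuration["Foot:Left"];
string? right = builder.Configuration["Foot:Right"];
if (left is null || right is null)
{
    throw new InvalidOperationException(
        "Required secrets Foot:Left and Foot:Right are missing from configuration.");
}

var app = builder.Build();

// Report only that the secrets were resolved, never their values.
app.MapGet("/", () => "Secrets loaded: Foot:Left and Foot:Right are present.");

app.Run();
```

Whether the app is then allowed to read the vault is decided on the vault, not in code. The identity that `DefaultAzureCredential` resolves to (locally, the account you signed in with through `az login`, Visual Studio or a similar tool; on the host, the app's managed identity) needs permission to get and list secrets, granted either through the vault's access policies or through the "Key Vault Secrets User" Azure RBAC role. Without that grant the provider throws when the configuration is built, which is the refusal the question expects.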

Solution

  • As the image below shows, you can add many configuration sources to your ASP.NET application, and when you add AKV, it is added to this configuration setup. In this case, the AKV-based configuration will be imposed at the end, after command-line arguments (the principle of the latest addition being the most significant).


    Regarding security, by default it gets your Azure credentials using the DefaultAzureCredential class, which looks around your machine for your Azure credentials and uses them to allow you access to AKV.

    Only users with the correct credentials can access it.

    If enabled, DefaultAzureCredential will search these sources (in order):

    • EnvironmentCredential
    • WorkloadIdentityCredential
    • ManagedIdentityCredential
    • AzureDeveloperCliCredential
    • SharedTokenCacheCredential
    • VisualStudioCredential
    • VisualStudioCodeCredential
    • AzureCliCredential
    • AzurePowerShellCredential
    • InteractiveBrowserCredential
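To make the "latest addition is most significant" rule above concrete, here is a small console program added as an example (not part of the answer). It layers three in-memory sources that stand in for appsettings.json, environment variables and command-line arguments, adds Key Vault last when a vault name is supplied, and picks the credential by where it runs: the full DefaultAzureCredential chain on a developer machine, but ManagedIdentityCredential alone on the host, so that the developer-tool and interactive entries in the list above can never become the identity a hosted app authenticates with. It assumes the `Microsoft.Extensions.Configuration`, `Azure.Identity` and `Azure.Extensions.AspNetCore.Configuration.Secrets` packages; the `hostedInAzure` flag, the vault name and the sample values are constructed inputs.

```csharp
// Added example: configuration precedence plus credential choice per environment.
using System;
using System.Collections.Generic;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

public static class LayeredConfiguration
{
    // Builds configuration in the order ASP.NET Core uses: settings file,
    // environment, command line, and finally Key Vault, so a vault secret
    // wins over every other source that defines the same key.
    public static IConfiguration Build(bool hostedInAzure, string? vaultName)
    {
        // Constructed sample values standing in for the real sources.
        var appSettings = new Dictionary<string, string?>
        {
            ["Foot:Left"] = "from-appsettings",
            ["Foot:Right"] = "from-appsettings",
        };
        var environment = new Dictionary<string, string?>
        {
            ["Foot:Left"] = "from-environment",
        };
        var commandLine = new Dictionary<string, string?>
        {
            ["Foot:Right"] = "from-command-line",
        };

        IConfigurationBuilder builder = new ConfigurationBuilder()
            .AddInMemoryCollection(appSettings)
            .AddInMemoryCollection(environment)
            .AddInMemoryCollection(commandLine);

        if (!string.IsNullOrWhiteSpace(vaultName))
        {
            // On the host, use only the app's managed identity; locally, let
            // DefaultAzureCredential walk its chain (az login, Visual Studio, ...).
            TokenCredential credential = hostedInAzure
                ? new ManagedIdentityCredential()
                : new DefaultAzureCredential();

            // Secret "Foot--Left" in the vault becomes key "Foot:Left" here and,
            // being the last source, overrides all three in-memory layers.
            builder.AddAzureKeyVault(
                new Uri($"https://{vaultName}.vault.azure.net/"),
                credential);
        }

        return builder.Build();
    }

    public static void Main()
    {
        // No vault name, so only the three in-memory layers take part and the
        // program runs offline.
        IConfiguration config = Build(hostedInAzure: false, vaultName: null);

        // Later-added sources override earlier ones key by key.
        Console.WriteLine($"Foot:Left  = {config["Foot:Left"]}");
        Console.WriteLine($"Foot:Right = {config["Foot:Right"]}");
    }
}
```

Run as written, `Foot:Left` resolves to the environment layer's value and `Foot:Right` to the command-line layer's, because each key is taken from the last source that defines it; passing a vault name moves both to whatever the vault holds. Separating the credential by environment is the part worth copying: the chain the answer lists is convenient on a workstation, but a hosted app should authenticate with one identity whose permissions on the vault you control, and it is that identity, not the vault name, that the access policies or RBAC role assignment must grant.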