Microsoft Azure Key Vault
For .NET Core APIs and Azure Function Apps
In this article, I'll explain how to connect Azure Key Vault to .NET 6.0 and later APIs, as well as to Azure Function Apps.
Prerequisites
- Azure Portal Access
- Function Apps and App Service
- .NET Core Project
Why Azure Key Vault
Azure Key Vault is a cloud service for storing application secrets and controlling access to them: connection strings, passwords, API keys and other authentication credentials, certificates, and cryptographic keys.
A stored secret is read via a REST API, and every vault has its own unique URI (https://<vault-name>.vault.azure.net/). Key Vault is designed to hold the secrets an application itself needs; it is not a store for data belonging to the application's users.
Every operation against Key Vault must be authenticated and authorized, so there is no way to grant anonymous access to application secrets. The Key Vault API authenticates users and applications through Azure Active Directory (now Microsoft Entra ID) and authorizes them through Azure RBAC role assignments (or, on older vaults, vault access policies).
Configuring Azure Key Vault in Azure Portal
When creating key vaults, the best practice is to create a separate vault for each deployment environment of your application (development, QA, production, and so on), as shown below, so that a compromised or misconfigured non-production environment cannot read production secrets.
Create a Key Vault via the "Create" button in the Azure portal by providing the basic details. Vault security can be tightened on the Networking tab by disabling public access or allowing only selected virtual networks and IP ranges, or by exposing the vault through a private endpoint. Whatever you choose, the App Services and Function Apps that will read the vault must be allowed through that network rule, otherwise their secret lookups fail.
With the Azure RBAC permission model (recommended, and the portal default for new vaults), several built-in roles provide role-based access to the vault and its contents. The two that matter for this article:
- Key Vault Secrets Officer: can create, read, update, delete, enable and disable secrets, but cannot change who has access to the vault.
- Key Vault Secrets User: can read secret contents only, which is all an application needs.
If a user needs to add or edit secrets, that person's Azure AD (Entra ID) account needs a role assignment on the vault; assigning Key Vault Secrets Officer gives them permission to manage the secrets.
To read secrets from your apps (Function Apps and App Services), enable a managed identity on each app and assign that identity the Key Vault Secrets User role on the vault. The app then authenticates as itself, with no client secret or certificate to store anywhere. Granting the app a broader role than Secrets User gives it nothing it needs and widens the blast radius if the app is compromised.
Once the role assignments are complete, each user and managed identity appears under the vault's Access control (IAM) blade, as follows. If the vault was created with the legacy "Vault access policy" permission model instead, these roles do not apply; you must add an access policy with Get and List secret permissions for each identity.
How to add secrets to the Azure Key Vault
Once the developer has been assigned the Key Vault Secrets Officer role and the network rules allow their connection (according to the public or private network configuration of the vault), they can view, add, delete and update secrets from the Secrets blade shown below.
How to Integrate Azure Key Vault with .NET 6.0 and Later APIs
As the first step, add a key-value pair holding the Key Vault URI to the configuration of the App Service whose managed identity was assigned the Key Vault Secrets User role.
The Key Vault URI is shown on the vault's Overview page, as below.
Save this vault URI as an Application Setting (this article uses the key name VaultUri). The URI itself is not a secret; it is only the address the app fetches secrets from.
Once this is set up, we need to move the secrets to the Key Vault.
Let's go through an example of moving the secrets that live in the user-secrets or appsettings file in local development to the Azure deployment environments.
Locally, connection strings sit in the ConnectionStrings section of the configuration. Instead of copying those values into the App Service configuration as plain application settings, we improve security by moving them to the Key Vault, where access is gated by RBAC and every read is audited.
To move the connection strings to the Key Vault, open the vault on which the App Service was granted Key Vault Secrets User, go to Secrets and click the "Generate/Import" button.
In the window that appears, give the secret the same name the setting has locally and in the App Service configuration, and enter the secret value. Note that secret names may contain only letters, digits and hyphens, so a colon in a configuration key such as ConnectionStrings:Default cannot be used; the .NET Key Vault configuration provider treats a double hyphen as the section separator, so name the secret ConnectionStrings--Default and it surfaces to the app as ConnectionStrings:Default.
Once saved, the secret must be in the Enabled state to be used. Repeat the same steps for each secret you need to move.
After the vault and the App Service are configured, update the Program.cs file (6.0 and later) so that configuration is loaded from the vault. The app reads the VaultUri key from its configuration, connects to that vault with its managed identity, and adds the vault's secrets as a configuration source; the rest of the app then reads ConnectionStrings:Default exactly as it did locally, without knowing where the value came from.
P.S.: This applies to .NET 6.0 and later, which use the minimal hosting model in Program.cs. In older versions (ASP.NET Core 3.1 and 5) the Key Vault provider is added in Program.cs inside ConfigureAppConfiguration on the host builder, before Startup.cs runs, so that the Startup class can read the secrets from IConfiguration.
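The following Program.cs is an added example written for this article, not the author's original listing. It assumes an Application Setting named VaultUri on the App Service, a managed identity on that App Service holding the Key Vault Secrets User role, a secret named ConnectionStrings--Default in the vault, and the NuGet packages Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets. The DatabaseOptions record and the /health/config endpoint are illustrative additions.

```csharp
// Program.cs for an ASP.NET Core 6.0+ API (minimal hosting model).
// Added example for this article, not the author's original listing.
// Assumptions: Application Setting "VaultUri" (e.g. https://<your-vault>.vault.azure.net/),
// a managed identity on the App Service with the "Key Vault Secrets User" role,
// a secret named "ConnectionStrings--Default", and the NuGet packages
// Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets.
using Azure.Core;
using Azure.Identity;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// Read the vault address from configuration. On Azure it comes from the
// Application Setting; locally it is normally absent, so the app keeps using
// user secrets / appsettings.Development.json and never touches the vault.
var vaultUri = builder.Configuration["VaultUri"];

if (!string.IsNullOrWhiteSpace(vaultUri))
{
    // In production use the managed identity only: nothing to store, and no
    // fallback to developer credentials that happen to exist on the host.
    // Locally, DefaultAzureCredential picks up `az login`, Visual Studio, etc.
    TokenCredential credential = builder.Environment.IsProduction()
        ? new ManagedIdentityCredential()
        : new DefaultAzureCredential();

    builder.Configuration.AddAzureKeyVault(
        new Uri(vaultUri),
        credential,
        new AzureKeyVaultConfigurationOptions
        {
            // The default manager maps "--" in a secret name to ":" in the
            // configuration key: "ConnectionStrings--Default" becomes
            // "ConnectionStrings:Default".
            Manager = new KeyVaultSecretManager(),
            // Re-read the vault every 30 minutes so a rotated secret is
            // picked up without restarting the app.
            ReloadInterval = TimeSpan.FromMinutes(30)
        });
}

// Fail fast at startup rather than at the first database call, and report
// only the key name, never the value.
var connectionString = builder.Configuration.GetConnectionString("Default")
    ?? throw new InvalidOperationException(
        "ConnectionStrings:Default was not found in configuration or Key Vault.");

builder.Services.AddSingleton(new DatabaseOptions(connectionString));

var app = builder.Build();

// Confirms that secrets were loaded without exposing them (hypothetical endpoint).
app.MapGet("/health/config", (IConfiguration config) => Results.Ok(new
{
    vaultConfigured = !string.IsNullOrWhiteSpace(vaultUri),
    connectionStringPresent = !string.IsNullOrEmpty(config.GetConnectionString("Default"))
}));

app.Run();

// Typed wrapper so the raw connection string is not passed around as a string.
public sealed record DatabaseOptions(string ConnectionString);
```

Two design points: the vault is only wired up when VaultUri is present, so a developer machine without vault access still runs against local settings; and the production branch uses ManagedIdentityCredential directly instead of DefaultAzureCredential, which avoids the probing chain and makes it obvious which identity is expected to hold the Secrets User role.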
Once this code base is deployed to the deployment environment, the API app should retrieve the relevant data from the Key Vault and perform as expected.
How to integrate Azure Key Vault with Azure Function Apps
Let's go through an example of moving the secrets that live in local.settings.json in the development environment to the Azure deployment environments.
Locally, connection strings sit in the ConnectionStrings (or Values) section of local.settings.json. Instead of copying those values into the Function App configuration as plain application settings, we improve security by moving them to the Key Vault.
To move the connection strings to the Key Vault, open the vault on which the Function App's managed identity was granted Key Vault Secrets User, go to Secrets and click the "Generate/Import" button.
In the window that appears, give the secret the same name the setting has in local.settings.json and in the Function App configuration, and enter the secret value (the name may contain only letters, digits and hyphens).
Once saved, the secret must be in the Enabled state to be used.
After you save the secret, click on its name in the list of secrets to see its versions.
From this view, developers can add a new version of the secret. Clicking a version (typically the current one) shows the Secret Identifier, the URL of that specific secret version, which is what we map into the Function App.
Add the URL to the Function App's configuration as a Key Vault reference. The value of the application setting is not the bare URL but the reference expression @Microsoft.KeyVault(SecretUri=<secret identifier>); the form @Microsoft.KeyVault(VaultName=<vault>;SecretName=<secret>) is equivalent. When the reference resolves, the Source column shows "Key vault Reference" along with a green tick. A red cross means the platform could not read the secret, usually because the Function App has no managed identity, the identity lacks the Key Vault Secrets User assignment, the vault's network rules block the app, or the secret version is disabled. Note that pasting the full Secret Identifier pins the app to that version, so rotating the secret means updating the setting as well; if you drop the version segment from the URL (or use the VaultName/SecretName form), the platform uses the latest version and re-reads it periodically and on every restart.
Once the setting is saved, the Function App receives the resolved secret values as ordinary application settings and performs as expected.
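One failure mode worth guarding against: when the platform cannot resolve a Key Vault reference, the Function App does not get an error, it gets the literal @Microsoft.KeyVault(...) string as the setting value, and the first symptom is an obscure connection failure deep in the code. The startup guard below is an added example written for this article (not the author's code) for the .NET isolated worker model; the setting names SqlConnection and StorageAccountKey are hypothetical, and it assumes the Microsoft.Azure.Functions.Worker package is referenced.

```csharp
// Program.cs for an Azure Functions app on the .NET isolated worker model.
// Added example for this article, not the author's code. Assumes the app
// settings "SqlConnection" and "StorageAccountKey" (hypothetical names) are
// configured as Key Vault references and Microsoft.Azure.Functions.Worker is
// referenced. If a reference is not resolved, the app receives the raw
// "@Microsoft.KeyVault(...)" expression instead of the secret; this guard
// detects that at startup so the failure is loud and early.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var host = new HostBuilder()
    .ConfigureFunctionsWorkerDefaults()
    .Build();

var config = host.Services.GetRequiredService<IConfiguration>();
var unresolved = KeyVaultReferenceGuard.FindUnresolved(config,
    "SqlConnection", "StorageAccountKey");

if (unresolved.Count > 0)
{
    // Report setting NAMES only; never log setting values.
    throw new InvalidOperationException(
        "Key Vault references were not resolved for: " + string.Join(", ", unresolved)
        + ". Check the Function App's managed identity, its Key Vault Secrets User"
        + " role assignment, the vault's network rules and the secret's enabled state.");
}

host.Run();

public static class KeyVaultReferenceGuard
{
    // Both supported reference syntaxes start with "@Microsoft.KeyVault(" and
    // end with ")", e.g.
    //   @Microsoft.KeyVault(SecretUri=https://v.vault.azure.net/secrets/Db/6f3a...)
    //   @Microsoft.KeyVault(VaultName=v;SecretName=Db)
    private static readonly Regex ReferencePattern = new(
        @"^@Microsoft\.KeyVault\(.+\)$",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // True when the value is still the raw reference expression, i.e. the
    // platform handed the app the reference instead of the secret.
    public static bool IsUnresolvedReference(string? value) =>
        value is not null && ReferencePattern.IsMatch(value.Trim());

    // Names of the given settings whose values are unresolved references.
    // An absent setting is not reported here; the code that consumes the
    // value is responsible for its own null check.
    public static IReadOnlyList<string> FindUnresolved(
        IConfiguration configuration, params string[] settingNames) =>
        settingNames.Where(name => IsUnresolvedReference(configuration[name])).ToList();
}
```

The same check works for the in-process model by running it from a FunctionsStartup class instead of the host builder. Throwing at startup is deliberate: a Function App that cannot read its secrets should fail its deployment health check rather than start and retry against a connection string that is literally a URL.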
I hope this article helps you add an extra layer of security to your project by moving its secrets into Azure Key Vault. Good luck!