Skip to content

Latest commit

 

History

History
75 lines (56 loc) · 3.7 KB

File metadata and controls

75 lines (56 loc) · 3.7 KB

NOTICE!

Don't mind this repo, it's no longer relevant since Microsoft now have implemented support for refering to a secret without declaring the version of the secret!


AzureKeyVaultConfigProvider

This nuget package gives you an alternative to Azure Key Vault References that provides the following benefits:

  • The one major downside when it comes to key vault references is that you have to know the secretVersion (GUID) of the secret you're referencing. This becomes a problem when the development teams don't have access to the key vaults in the production environment. This nuget package removes the need to include the secret version when referencing a key vault secret. Using this package makes it possible to declare key vault references looking like this: @AzureKeyVault(mysecret, https://myvault.vault.azure.net/)

  • With this package you won't have to repeat the base url of the key vault to be used. All you have to do is to declare the configuration parameter AZURE_KEY_VAULT_URL once, looking something like this:

// appsettings.json
{
	"AZURE_KEY_VAULT_URL": "https://myvault.vault.azure.net/",
	"SENDGRID_API_KEY": "@AzureKeyVault(SENDGRID_API_KEY)",
}

Isn't that nice and clean looking? Having to repeat the key vault url is of course no major problem. But it becomes tidious to manage when having a lot of secrets and the url to the vault changes.

Setup

After that you've installed the package using nuget you have to invoke the extension method VikJon.AzureKeyVaultConfigProvider.AddAzureKeyVaultWithNameRefSupport on the ConfigurationBuilder of your .netcore app. This usually looks something like this in Program.cs

using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Hosting;
using VikJon.AzureKeyVaultConfigProvider;

public class Program
{
    public static void Main(string[] args)
    {
        CreateWebHostBuilder(args).Build().Run();
    }

    public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((hostingContext, config) =>
            {
            	config
                  .SetBasePath(Directory.GetCurrentDirectory())
                  .AddJsonFile($"appsettings.json", optional: true, reloadOnChange: true)
                  .AddEnvironmentVariables()
                  .AddCommandLine(args)
		  .AddAzureKeyVaultWithNameRefSupport()
            })
            .UseStartup<Startup>();
}

Notice! You should not invoke config.AddAzureKeyVault on the ConfigurationBuilder

Now you can start referencing key vault secrets using the following syntax @AzureKeyVault([SECRET_NAME], [KEY_VAULT_URL:optional])

// appsettings.json
{
	"AZURE_KEY_VAULT_URL": "https://myvault.vault.azure.net/",
	"SENDGRID_API_KEY": "@AzureKeyVault(SENDGRID_API_KEY)"
}

You have the option to provide the base url of your key vault instance on every call to @AzureKeyVault(...) or you can add a single configuration parameter named AZURE_KEY_VAULT_URL, containing the base url.

Authentication

This package takes for granted that you're using Managed Identites to authenticate against the key vault. If that is not the case you need to implement VikJon.AzureKeyVaultConfigProvider.IKeyVaultGateway and provide the extension method AddAzureKeyVaultWithNameRefSupport with an instance of that implementation.