Tag Archives for " app secrets "

Secure app settings in ASP.NET Core 2

Published August 20, 2018 in ASP.NET Core, security - 0 Comments

Update: This post shows how to authenticate to Azure Key Vault using an app ID and secret. However, this approach is less secure than using a managed identity (for Azure resources) or a certificate (for non-Azure resources) to grant the resource access to the key vault. For production environments, you should definitely consider using an Azure managed identity or a certificate to authenticate and access Azure Key Vault from your resource. Check out my other post for more details.

In this blog post, I’ll show you the steps to keep credentials out of the source code of an ASP.NET Core app using Azure Key Vault.

If you want some convincing examples of why leaving secrets in the source code is bad, check out this post.

I assume you have some familiarity with developing an ASP.NET Core 2 app. You also need an Azure subscription to register your application in Azure Active Directory and create an Azure Key Vault.

Basically the process involves these steps:

  1. Register your application in AAD and generate app secret.
  2. Set application id/secret using environment variables.
  3. Create an Azure Key Vault.
  4. Grant your app access to your key vault using access control.
  5. Specify URL to your vault in app settings.
  6. Load app id and secret from environment variables.
  7. Read secrets from Azure Key Vault.
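
As an added illustration of steps 5 to 7 (not the code from the post's sample repo), here is a minimal `Program.cs` for ASP.NET Core 2 using the `Microsoft.Extensions.Configuration.AzureKeyVault` package. The setting key `KeyVault:Url`, the environment variable names `KEYVAULT_APP_ID` and `KEYVAULT_APP_SECRET`, and the secret name `Db--Password` are assumptions chosen for the example.

```csharp
using System;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

public class Program
{
    public static void Main(string[] args) => BuildWebHost(args).Run();

    public static IWebHost BuildWebHost(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // CreateDefaultBuilder already registered appsettings.json and
                // environment variables, so both are readable from this snapshot.
                IConfigurationRoot bootstrap = config.Build();
                string vaultUrl = Require(bootstrap, "KeyVault:Url");          // assumed appsettings.json key
                string appId = Require(bootstrap, "KEYVAULT_APP_ID");          // assumed env var name
                string appSecret = Require(bootstrap, "KEYVAULT_APP_SECRET");  // assumed env var name
                // Vault secrets become configuration keys; "--" in a secret name maps to ":".
                config.AddAzureKeyVault(vaultUrl, appId, appSecret);
            })
            .UseStartup<Startup>()
            .Build();

    // Fail at startup, naming only the missing key, never a value.
    private static string Require(IConfiguration source, string key)
    {
        string value = source[key];
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException($"Missing required setting '{key}'.");
        return value;
    }
}

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void Configure(IApplicationBuilder app)
    {
        // "Db--Password" in the vault (assumed secret name) is read as "Db:Password".
        bool loaded = !string.IsNullOrEmpty(_config["Db:Password"]);
        // Report presence only; the secret value is never written to a response or log.
        app.Run(ctx => ctx.Response.WriteAsync(loaded ? "secret loaded" : "secret missing"));
    }
}
```

Only the vault URL lives in `appsettings.json`; the app ID and secret come from the process environment, so nothing sensitive is committed with the source.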

Check out the sample app for this post from my Git repo.