Secure secrets using Azure KeyVault -Approach II
Today in this article we will see how to secure secrets using Azure KeyVault with a non-MSI approach.
In this article, we will cover the aspects below.
Here we will use configuration values for the variables below, supplied declaratively rather than hard-coded:
- AZURE_CLIENT_ID,
- AZURE_TENANT_ID,
- AZURE_CLIENT_SECRET.
Let’s look step by step at how to get the key vault URL used above and define the secret value for DbPassword.
Prerequisites
Before we get started with the actual Azure Vault implementation, please make sure you have the prerequisites below already defined in your Azure cloud account:
- Create a Resource group (if it does not already exist)
- Create an App Service plan
- Create Azure WebApp (App Service) in the App service plan
For more details on the above steps, please visit this article – Secure secrets using Azure KeyVault MSI with examples
Please make sure that the variables AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_CLIENT_SECRET are defined with values, either as environment variables or as Application settings of the App Service.
Get Values for AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET
Let’s now see how to get the values for “AZURE_CLIENT_ID”, “AZURE_CLIENT_SECRET” and “AZURE_TENANT_ID”.
All three values (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET) are needed to authenticate and identify the application to the Azure cloud.
To get the defined values, please go to the Azure default directory and click on the Application object:
Home -> Default Directory -> App registrations
In the screenshot above:
- “AZURE_CLIENT_ID” is the Application (client) ID shown in the screenshot above.
- “AZURE_TENANT_ID” is the Directory (tenant) ID shown in the screenshot above.
So far we have obtained the values for “AZURE_CLIENT_ID” and “AZURE_TENANT_ID” from the highlighted fields above.
Next, “AZURE_CLIENT_SECRET” can be generated for the application object using the steps below.
Please go to Azure Directory -> App registrations -> click on your Application.
Next, click on Certificates & secrets -> click on New client secret. Copy the generated value immediately; it is shown only once.
```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Mvc;

// _configuration is the IConfiguration instance injected into the controller's constructor.
public IActionResult GetClientSecrets()
{
    // Retry transient Key Vault failures with exponential back-off.
    SecretClientOptions options = new SecretClientOptions()
    {
        Retry =
        {
            Delay = TimeSpan.FromSeconds(2),
            MaxDelay = TimeSpan.FromSeconds(16),
            MaxRetries = 5,
            Mode = RetryMode.Exponential
        }
    };

    // Vault URI comes from configuration, e.g. https://<vault-name>.vault.azure.net/
    string keyVaultUrl = _configuration["VaultURI"];

    // DefaultAzureCredential reads AZURE_CLIENT_ID, AZURE_TENANT_ID and
    // AZURE_CLIENT_SECRET from the environment (its EnvironmentCredential step).
    var client = new SecretClient(vaultUri: new Uri(keyVaultUrl), credential: new DefaultAzureCredential(), options);

    // Response<KeyVaultSecret> converts implicitly to KeyVaultSecret.
    KeyVaultSecret secret = client.GetSecret("YourSecretName");

    // Echoing the secret back is for this walkthrough only; a real endpoint uses the value instead of returning it.
    return Ok("Your Secret is " + secret.Value);
}
```
Let’s now execute the WebApp URL and verify the Vault secrets.
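As an added example (not code from the original article), the same three configuration values can be wired in explicitly at startup with ClientSecretCredential instead of the DefaultAzureCredential probing chain, and the vault mounted as a configuration source so that a secret such as DbPassword is read where it is needed rather than returned from an endpoint. It assumes an ASP.NET Core Web SDK project with implicit usings, the Azure.Extensions.AspNetCore.Configuration.Secrets package, and a configuration key named VaultURI; the helper Require and the /health/vault route are hypothetical names chosen here.

```csharp
// Program.cs (ASP.NET Core minimal hosting)
using System;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

var builder = WebApplication.CreateBuilder(args);

// Environment variables, App Service Application settings and user-secrets
// all feed IConfiguration, so the same keys work in every environment.
string tenantId = Require(builder.Configuration, "AZURE_TENANT_ID");
string clientId = Require(builder.Configuration, "AZURE_CLIENT_ID");
string clientSecret = Require(builder.Configuration, "AZURE_CLIENT_SECRET");
string vaultUri = Require(builder.Configuration, "VaultURI");

// Explicit credential (swapped in for DefaultAzureCredential): a missing or
// wrong setting fails here at startup rather than on the first request.
var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);

// Mount the vault as a configuration source; each secret name becomes a key.
builder.Configuration.AddAzureKeyVault(new Uri(vaultUri), credential);

var app = builder.Build();

// DbPassword never leaves the process: the probe only reports whether it resolved.
app.MapGet("/health/vault", (IConfiguration cfg) =>
    string.IsNullOrEmpty(cfg["DbPassword"])
        ? Results.Problem("DbPassword could not be read from Key Vault")
        : Results.Ok("vault reachable"));

app.Run();

// Hypothetical helper: fail fast with the name of the missing key (never its value).
static string Require(IConfiguration cfg, string key) =>
    cfg[key] ?? throw new InvalidOperationException($"Configuration value '{key}' is not set.");
```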
Approach 2 – Authenticate the Application using MSI (Managed Service Identity)
We can bootstrap the authentication code within the ASP.NET API pipeline using the managed service identity feature of the Azure cloud.
Managed Service Identity (MSI) is a technique to automatically manage the identity in Azure Active Directory (Azure AD). The Key Vault service can then be used without keeping any token or credentials in your code, which is otherwise needed for the initial validation/authentication.
For more details please visit this article – Secure secrets using Azure KeyVault MSI with examples
Other references: