Using Azure Key Vault from a non-Azure App

In this article, I show how Azure Key Vault can be used with a non Azure application. An example of this, is a console application used for data migrations, or data seeding during release pipelines. This app could then read the secret connection strings from the Key Vault, and then do the app logic as required.

Code: https://github.com/damienbod/AspNetCoreBackChannelLogout

Posts in this series:

Create a Key Vault

You can create an Azure Key Vault by following the Microsoft documentation here:

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-get-started

Or using the Azure UI, you can create a Key Vault by clicking the “+ Create a Resource” blade and typing Key Vault in the search text input.

Fill out the inputs as required.

Now the Key Vault should be ready.

Create an Azure AD Application

To connect from a non Azure application, an Azure AD Application Registration needs to be added. Click Azure Active Directory, and then in the new blade App registrations (Preview). This will probably be renamed soon. Click the New registration.

In the new blade, Register a new application. Give it a name and save.

Wait a bit, and the AAD Application registration will be created. Save the Application (client) ID somewhere as this is required in the code.

Now a secret for the AAD Application registration needs to be created. Click the Certificates & secrets button, and then New client secret.

Configure the secret, give it a description and define how long it should remain active.

Save the secret somewhere, as this is required in the code, to access the Key Vault.

Configure the Azure Key Vault to allow the Azure AD Application

In the Azure Key Vault, the AAD Application registration needs to be given access rights.
Open the Key Vault, and click the Access policies. Then click the Add new button.

Select the AAD Application registration principle which was created before. You can find this, by entering the name. In this example, it was called standalone. Then give it the required permissions and save.

Also save when you re-enter to the Key Vault blade after clicking save.

Create your Standalone Application and use the Azure Key Vault

Now the application, which can be run anywhere, and use the Key Vault secrets, can be configured and created. In this example, a console application is created, which uses the Microsoft.AspNetCore.App and the Microsoft.Extensions.Configuration.AzureKeyVault.

You could also create a web application, or whatever. A console application could be used for example, to do migrations or data seeding in a build pipeline.

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>netcoreapp2.2</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.App" Version="2.2.1" />
    <PackageReference Include="Microsoft.Extensions.Configuration.AzureKeyVault" Version="2.2.0" />
  </ItemGroup>

  <ItemGroup>
    <None Update="appsettings.json">
      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
    </None>
  </ItemGroup>

</Project>

Now configure the application to use the Key Vault. This is done using the AddAzureKeyVault extension method, with the 3 parameters using the data from above; the DNS name of the Key vault, the AAD Application Registration Application ID, and the Secret.

var dnsNameKeyVault = _config["DNSNameKeyVault"];

if (!string.IsNullOrWhiteSpace(dnsNameKeyVault))
{
  configBuilder.AddAzureKeyVault($"{dnsNameKeyVault}",
   _config["AADAppRegistrationAppId"], 
   _config["AADAppRegistrationAppSecret"]);

  _config = configBuilder.Build();
}

The program reads the configuration from the app settings, adds the services, and displays the Key Vault secret.

using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using System;
using System.IO;
using System.Reflection;

namespace ConsoleStandaloneUsingAzureSecrets
{
    class Program
    {
        private static IConfigurationRoot _config;
        private static IServiceProvider _services;

        static void Main(string[] args)
        {
            Console.WriteLine("Console APP using Azure Key Vault");

            GetConfigurationsForEnvironment();

            SetupServices();

            // read config value
            var someSecret = _config["SomeSecret"];

            Console.WriteLine($"Read from key vault: {someSecret}");
            Console.ReadLine();
        }

        private static void SetupServices()
        {
            var serviceCollection = new ServiceCollection();

            // Do migration, seeding logic or whatever

            _services = serviceCollection.BuildServiceProvider();
        }

        private static void GetConfigurationsForEnvironment()
        {
            var environmentName = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT");
            var location = Assembly.GetEntryAssembly().Location;
            var directory = Path.GetDirectoryName(location);

            Console.WriteLine($"{directory}{Path.DirectorySeparatorChar}appsettings.json");
            Console.WriteLine($"{environmentName}");

            var configBuilder = new ConfigurationBuilder()
           .AddJsonFile($"{directory}{Path.DirectorySeparatorChar}appsettings.json", false, true)
           .AddJsonFile($"{directory}{Path.DirectorySeparatorChar}appsettings.{environmentName}.json", true, true)
           .AddEnvironmentVariables();
            _config = configBuilder.Build();

            var dnsNameKeyVault = _config["DNSNameKeyVault"];

            if (!string.IsNullOrWhiteSpace(dnsNameKeyVault))
            {
                configBuilder.AddAzureKeyVault($"{dnsNameKeyVault}",
                        _config["AADAppRegistrationAppId"], 
                        _config["AADAppRegistrationAppSecret"]);

                _config = configBuilder.Build();
            }
        }
    }
}

The appsettings.json file contains the values used above. If this was a real application, you should not save the secret to the app settings. These values could be left empty, and set during a deployment, for example using Azure Devops. Or in a web application, you could use user secrets.

Thes values here are no longer valid. If you want to run the code locally, these need to be set to correct values.

{
  "DNSNameKeyVault": "https://standalone-kv.vault.azure.net/",
  "AADAppRegistrationAppId": "7faea48d-141e-41f9-9d9e-4ec9fd93ead0",
  "AADAppRegistrationAppSecret": "OWs6u2hY{F$UjXB5j7l&&DeNk9+$at{y/!pg!1Xh8MB@L",

  "SomeSecret": "DEV_VALUE"
}

You must also configure a secret in the key Vault which will be read in the standalone

Running the Application

Using the Key vault values:

When the application is started, with correct Key Vault and AAD application registration values, the configuration is read from the Key Vault.

If the DNSNameKeyVault property is not set, the development settings in the appsettings.json is used.

Links

https://social.technet.microsoft.com/wiki/contents/articles/51871.net-core-2-managing-secrets-in-web-apps.aspx#AzureKeyVault_Secrets

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-developers-guide

https://jeremylindsayni.wordpress.com/2018/03/15/using-the-azure-key-vault-to-keep-secrets-out-of-your-web-apps-source-code/

https://stackoverflow.com/questions/40025598/azure-key-vault-access-denied

https://cmatskas.com/securing-asp-net-core-application-settings-using-azure-key-vault/

https://github.com/jayendranarumugam/DemoSecrets/tree/master/DemoSecrets

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-developers-guide

https://jeremylindsayni.wordpress.com/2018/03/15/using-the-azure-key-vault-to-keep-secrets-out-of-your-web-apps-source-code/

https://stackoverflow.com/questions/40025598/azure-key-vault-access-denied

https://cmatskas.com/securing-asp-net-core-application-settings-using-azure-key-vault/

https://github.com/jayendranarumugam/DemoSecrets/tree/master/DemoSecrets

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: