As more and more applications move into the cloud, more and more security concerns need to be handled carefully. Normally for web apps, whether .NET Framework or .NET Core, all the configuration and secrets (connection strings, application IDs, application secrets, passwords) were kept in `web.config` or `appsettings.json`. But secrets should not be kept directly in these configuration files, which is less secure.
In this blog, I’ll explain how to manage secrets in web apps built on .NET Core 2.1. I’ll mainly talk about two ways to achieve this.
- User Secrets
- Azure KeyVault Secrets
- Visual Studio 2017 Version 15.8.x or above
- Microsoft Azure Subscription
I’ve created a WebApp project called DemoSecrets. In the typical setup, all the configuration is read from appsettings.json.
I slightly modified the HomeController as below
Finally the output
This is most useful for developers: the secrets can be stored on their local machine (in secrets.json).
Make sure you have the latest VS version (15.8.1), else the below menu will not be available to you.
Store your connection string here (for local development/debugging)
This secrets.json can be found at %APPDATA%\microsoft\UserSecrets\<userSecretsId>\secrets.json
Now this value will override the existing value of myconnectionstring in appsettings.json
Finally, the output looks like
In this step, we are going to store our secrets in Azure Key Vault (which is the more secure way)
Install the below NuGet package
Then modify your Program.cs as below
- Create a new Azure KeyVault in Azure
- Create a new Application Registration in your Azure Active directory
- Register the application in the Key Vault (Access Policies)
Note the Client Id and Client Secret from the above steps (we need to pass those from our application)
Create a new secret called myConnectionString in the AzureKeyVault
Add 3 new variables (below) in appsettings.json for accessing the Azure Key Vault
Finally, the magic comes here, the output will be
Great! We did it. So all the secrets are stored and accessed securely from Azure Key Vault.
This way the value of myConnectionString from Azure Key Vault overrides the one in the local user secrets.json
So what is the priority order for overriding the config values?
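The Key Vault wiring and the override behaviour described above, as an added example (not the original post's code). It assumes the Microsoft.Extensions.Configuration.AzureKeyVault NuGet package and three hypothetical configuration keys named `KeyVault:Vault`, `KeyVault:ClientId` and `KeyVault:ClientSecret`. A minimal `Startup` is included so the file compiles by itself.

```csharp
using System;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

namespace DemoSecrets
{
    public class Program
    {
        public static void Main(string[] args) => CreateWebHostBuilder(args).Build().Run();
        public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
            // CreateDefaultBuilder registers, in order: appsettings.json,
            // appsettings.{Environment}.json, user secrets (Development only),
            // environment variables, command-line arguments. Later providers win.
            WebHost.CreateDefaultBuilder(args)
                .ConfigureAppConfiguration((context, config) =>
                {
                    // Read the bootstrap values from the providers registered so far.
                    // The "KeyVault:*" key names are assumptions made for this example.
                    IConfigurationRoot soFar = config.Build();
                    string vault = soFar["KeyVault:Vault"];   // https://<vault-name>.vault.azure.net/
                    string clientId = soFar["KeyVault:ClientId"];
                    string clientSecret = soFar["KeyVault:ClientSecret"];
                    if (string.IsNullOrEmpty(vault) || string.IsNullOrEmpty(clientId)
                        || string.IsNullOrEmpty(clientSecret))
                    {
                        // Local debugging may run on secrets.json alone; elsewhere fail closed.
                        if (context.HostingEnvironment.IsDevelopment()) return;
                        throw new InvalidOperationException("Key Vault settings are missing.");
                    }
                    // Registered last, so a vault secret named myConnectionString
                    // overrides the same key from every earlier provider.
                    config.AddAzureKeyVault(vault, clientId, clientSecret);
                })
                .UseStartup<Startup>();
    }

    public class Startup
    {
        private readonly IConfiguration _config;
        public Startup(IConfiguration config) => _config = config;
        public void Configure(IApplicationBuilder app) =>
            // Report only whether the value resolved; never echo the secret itself.
            app.Run(ctx => ctx.Response.WriteAsync(
                "myConnectionString loaded: " + !string.IsNullOrEmpty(_config["myConnectionString"])));
    }
}
```

The client secret is itself a credential, so supplying `KeyVault:ClientSecret` through user secrets or an environment variable keeps it out of a committed appsettings.json.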