including Azure Key Vault in .NET core 8 app running on on prem IIS

Question

My .NET core 8 app talks to Azure Key Vault when I run it in Visual Studio 2022 because I can see a reference to Azure Key Vault in the Connected Services under the project. The app does not start on the IIS server, because of an authorization fail in Program.cs at the following point:

var kvUri = $"https://{builder.Configuration["AppConfig:KeyVaultUrl"]}.vault.azure.net";

builder.Configuration.AddAzureKeyVault(new Uri(kvUri), new DefaultAzureCredential());

I have seen a suggestion to get this working by setting Environment variables for AZURE_TENANT_ID, AZURE_CLIENT_ID & AZURE_CLIENT_SECRET. In IIS, clicking on Management >> Configuration Editor creates a WEB.CONFIG file in the root of the site, whose values are ignored by calls to

Environment.GetEnvironmentVariable("MyEnvVar");

Environment.GetEnvironmentVariables();

The values from AppSettings.JSON are taken instead.

How do I create an environment variable which is readable by the .NET core app, and which is secure? I dont understand how appsettings.json, & launchsettings.json are not secure enough to store database passwords, but are OK for storing the values for Azure Tenant ID, Client ID & Secret which are used to open the Key Vault.

Thanks in advance

Answer 1

Hi Richard, you are now working on integrating Azure key vault into your .Net 8 application. So that we have to get the application authorized so that it could access Azure resource. In your code sample, it's using new DefaultAzureCredential() to get authorization. For this method, you might refer to this section.

As you can see, credentials can be provided in many steps, setting environment variable is one of the options. You just need to add the required environment variable in windows system, then the

DefaultAzureCredential method would do authorization task automatically. It firstly checks the environment variable, if failed, then goes into the next step.

If you prefer to use Azure Managed Identity to do the authorization, you can use codes below.

builder.Configuration.AddAzureKeyVault(
       new Uri("https://vaultName.vault.azure.net/"),
       new DefaultAzureCredential(
           new DefaultAzureCredentialOptions { ManagedIdentityClientId = "userManagedIdentityClientId" }//required when using user ManagedIdentity
       ));

If you are working locally using Visual Studio, and you already used your Microsoft account signed in VS, it can also help do the authorization. I don't think you need to worry about security issue as the authorization occurs in the server side and it's controlled by SDK itself. You just need to choose the most suitable approach for your business.

---

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best regards,

Tiny

Answer 2

the issue is that the appsettings are typically checked into source control. you only want the connection secret on the server. the handy way to pass extra config setting outside the app setting is via environment variables. most webserver hosts have a way to pass environment variables to an asp.net core application.

you appear to be using IIS, so the environment variables are set in aspnet hosting module web.config. IIS supports encrypting the web.config.