Azure Storage Blob Key Store for Microsoft.AspNetCore.DataProtection
The Azure.Extensions.AspNetCore.DataProtection.Blobs package allows storing ASP.NET Core DataProtection keys in Azure Blob Storage. Keys can be shared across several instances of a web app. Apps can share authentication cookies or CSRF protection across multiple servers.
Getting started
Install the package
Install the package with NuGet:
    dotnet add package Azure.Extensions.AspNetCore.DataProtection.Blobs
Prerequisites
You need an Azure subscription, Storage Account and Storage Container to use this package.
To create a new Storage Account, you can use the Azure Portal, Azure PowerShell, or the Azure CLI. Here's an example using the Azure CLI:
    az storage account create --name <storage-account> --resource-group <resource-group> --location westus --sku Standard_LRS
    az storage container create --account-name <storage-account> -n <container>

    # Give write access to a user
    az role assignment create --role "Storage Blob Data Contributor" --assignee <your_email> --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container>"

    # OR give write access to a service principal (application)
    az role assignment create --role "Storage Blob Data Contributor" --assignee-object-id <application_id> --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container>"
Key concepts
Thread safety
We guarantee that all client instance methods are thread-safe and independent of each other (guideline). This ensures that the recommendation of reusing client instances is always safe, even across threads.
Additional concepts
Client options | Accessing the response | Long-running operations | Handling failures | Diagnostics | Mocking | Client lifetime
Examples
To enable persisting keys to Azure Blob Storage, call the PersistKeysToAzureBlobStorage method. The Uri provided has to be a blob URI in the following form: https://{storage_account}.blob.core.windows.net/{container}/{blob}.
    public void ConfigureServices(IServiceCollection services)
    {
        services
            .AddDataProtection()
            .PersistKeysToAzureBlobStorage(new Uri("<full-blob-URI>"), new DefaultAzureCredential());
    }
The Azure Identity library provides easy Azure Active Directory support for authentication.
Authenticating using a connection string
    public void ConfigureServices(IServiceCollection services)
    {
        services
            .AddDataProtection()
            .PersistKeysToAzureBlobStorage("<connection string>", "<container name>", "<blob name>");
    }
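The following console program is an added example, not code from this package or its README. It builds two independent providers against the same blob to show a payload protected by one app instance being unprotected by another. Assumptions: the application name and purpose string are hypothetical, the <...> values are placeholders, and ProtectKeysWithAzureKeyVault comes from the separate Azure.Extensions.AspNetCore.DataProtection.Keys package.

```csharp
using System;
using Azure.Identity;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

static class SharedKeyRingDemo
{
    // Builds the data-protection stack the way each web app instance would.
    static IDataProtectionProvider BuildInstance()
    {
        var credential = new DefaultAzureCredential();
        var services = new ServiceCollection();

        services
            .AddDataProtection()
            // Every instance must use the same application name. The default
            // discriminator is derived from the content root path, so instances
            // deployed to different paths cannot read each other's payloads.
            .SetApplicationName("shared-web-app") // hypothetical name
            // The key ring is one XML blob; the identity needs write access
            // to the container (see the role assignment under Prerequisites).
            .PersistKeysToAzureBlobStorage(new Uri("<full-blob-URI>"), credential)
            // An explicit persistence location turns off the default
            // encryption of keys at rest. Wrapping with a Key Vault key keeps
            // the key material in the blob from being stored in the clear.
            // The identity needs wrap and unwrap permission on that key.
            .ProtectKeysWithAzureKeyVault(new Uri("<key-vault-key-identifier>"), credential);

        return services.BuildServiceProvider()
                       .GetRequiredService<IDataProtectionProvider>();
    }

    static void Main()
    {
        // Two providers stand in for two servers behind a load balancer.
        // The purpose string must match on both sides.
        IDataProtector instanceA = BuildInstance().CreateProtector("Demo.Purpose.v1");
        IDataProtector instanceB = BuildInstance().CreateProtector("Demo.Purpose.v1");

        string payload = instanceA.Protect("session-state"); // constructed sample value

        // Succeeds only because B loads the same key ring from the blob;
        // a mismatched application name or purpose throws CryptographicException.
        Console.WriteLine(instanceB.Unprotect(payload));
    }
}
```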
Next steps
Read more about DataProtection in ASP.NET Core.
Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit cla.microsoft.com.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.