How to access Azure Key Vault secrets through .Net Core Web API which is hosted in Azure Virtual Machine – C#

by
Ali Hasan
asp.net-core-webapi azure-active-directory azure-keyvault c#

Quick Fix: Authenticate with DefaultAzureCredential. It tries several mechanisms in turn, so on the VM either set the AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_CLIENT_SECRET environment variables (picked up by its EnvironmentCredential step) or, preferably, assign a managed identity to the VM so that no client secret has to be stored on the machine at all.

The Solutions:

Solution 1: Using DefaultAzureCredential with Environment Variables

To authenticate using DefaultAzureCredential in production, set the following environment variables on the Azure Virtual Machine; DefaultAzureCredential reads them through its EnvironmentCredential step:

  • AZURE_CLIENT_ID: Application (client) ID of the Azure AD app registration created for Key Vault access.
  • AZURE_TENANT_ID: Tenant ID the app registration belongs to.
  • AZURE_CLIENT_SECRET: Client secret of that app registration.

Caveat: AZURE_CLIENT_SECRET is a long-lived credential sitting on the VM. Anyone who can read the process environment (or the service definition that sets it) can use it from anywhere, so restrict permissions on whatever file sets these variables, rotate the secret regularly, and prefer a managed identity (below) where possible.

Code Snippet:

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

namespace YourApi
{
    public class Startup
    {
        public IConfiguration Configuration { get; }

        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public void ConfigureServices(IServiceCollection services)
        {
            // DefaultAzureCredential walks its credential chain; on the VM the
            // AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_CLIENT_SECRET variables
            // satisfy the EnvironmentCredential step.
            DefaultAzureCredential azureCredential = new DefaultAzureCredential();
            Uri keyVaultUrl = new Uri(Configuration["KeyVault:URL"]);
            SecretClient secretClient = new SecretClient(keyVaultUrl, azureCredential);

            // Register a single SecretClient (thread-safe, caches tokens) so controllers
            // can take it as a constructor dependency and call GetSecret/GetSecretAsync.
            services.AddSingleton(secretClient);
        }
    }
}
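
The snippet above leaves the DefaultAzureCredential chain wide open, which means a misconfigured VM may spend seconds probing Visual Studio, az CLI and other developer credentials before failing. The following Program.cs (minimal hosting, .NET 6 or later) is an added example, not code from the original post: it narrows the chain outside Development, registers one SecretClient, and maps the two common Key Vault failure modes to HTTP responses without leaking the secret value or the raw exception. The configuration key `KeyVault:URL`, the route `/secrets/{name}/exists` and the packages Azure.Identity and Azure.Security.KeyVault.Secrets are assumptions.

```csharp
// Added example (not from the original post). Assumes configuration key "KeyVault:URL"
// holds the vault URI and that Azure.Identity + Azure.Security.KeyVault.Secrets are referenced.
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var builder = WebApplication.CreateBuilder(args);

// Outside Development only EnvironmentCredential (AZURE_CLIENT_ID / AZURE_TENANT_ID /
// AZURE_CLIENT_SECRET) and ManagedIdentityCredential may satisfy a token request.
// Developer-tooling credentials are excluded so a misconfigured VM fails fast and
// nothing on the box (a cached az login, for example) can silently stand in for the app identity.
TokenCredential credential = builder.Environment.IsDevelopment()
    ? new DefaultAzureCredential()
    : new DefaultAzureCredential(new DefaultAzureCredentialOptions
    {
        ExcludeInteractiveBrowserCredential = true,
        ExcludeVisualStudioCredential = true,
        ExcludeVisualStudioCodeCredential = true,
        ExcludeAzureCliCredential = true,
        ExcludeAzurePowerShellCredential = true,
        ExcludeAzureDeveloperCliCredential = true,
        ExcludeSharedTokenCacheCredential = true,
    });

var vaultUri = new Uri(builder.Configuration["KeyVault:URL"]
    ?? throw new InvalidOperationException("KeyVault:URL is not configured"));

// One SecretClient for the whole app: it is thread-safe and caches access tokens.
builder.Services.AddSingleton(new SecretClient(vaultUri, credential));

var app = builder.Build();

// Reads a secret by name (SecretClient is injected from DI) and reports only metadata.
// The secret value is meant to be consumed server-side, never returned to the caller.
app.MapGet("/secrets/{name}/exists", async (string name, SecretClient client) =>
{
    try
    {
        Response<KeyVaultSecret> response = await client.GetSecretAsync(name);
        return Results.Ok(new { name, version = response.Value.Properties.Version });
    }
    catch (RequestFailedException ex) when (ex.Status == 404)
    {
        return Results.NotFound();
    }
    catch (RequestFailedException ex) when (ex.Status == 403)
    {
        // A token was issued, but the identity has no Key Vault role or access policy.
        app.Logger.LogError(ex, "Identity is not authorized to read secret {Name}", name);
        return Results.StatusCode(503);
    }
    catch (AuthenticationFailedException ex)
    {
        // No credential in the chain could produce a token (no env vars, no managed identity).
        app.Logger.LogError(ex, "No Azure credential could obtain a Key Vault token");
        return Results.StatusCode(503);
    }
});

app.Run();
```

Distinguishing 403 from an authentication failure matters operationally: the first means the identity exists and got a token but lacks permission on the vault, the second means the VM has no usable identity at all, and the two are fixed in different places.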

Solution 2: Using Managed Identity

To use a managed identity, enable one for the Azure Virtual Machine (system-assigned, or a user-assigned identity attached to the VM) and grant that identity permission to read secrets: either Get permission on secrets in the vault's access policy, or, for vaults that use the Azure RBAC permission model, a role assignment such as Key Vault Secrets User. The VM obtains tokens for the identity from the instance metadata service, so no client secret is stored on the machine.

Code Snippet:

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

namespace YourApi
{
    public class Startup
    {
        public IConfiguration Configuration { get; }

        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public void ConfigureServices(IServiceCollection services)
        {
            // Parameterless ManagedIdentityCredential uses the VM's system-assigned identity.
            // For a user-assigned identity pass its client ID: new ManagedIdentityCredential(clientId).
            ManagedIdentityCredential azureCredential = new ManagedIdentityCredential();
            Uri keyVaultUrl = new Uri(Configuration["KeyVault:URL"]);
            SecretClient secretClient = new SecretClient(keyVaultUrl, azureCredential);

            // Register the client once; inject it where secrets are needed.
            services.AddSingleton(secretClient);
        }
    }
}

Solution 3: Use a user-assigned managed identity attached to the VM

Steps:

  1. Attach a user-assigned managed identity to the VM:

    • In the Azure portal, navigate to your VM resource.
    • Click on "Identity."
    • Select "User assigned" and click "Add."
    • Pick the identity named "myIdentity" (create it first under the "Managed Identities" service if it does not exist yet). Note its client ID (a GUID on the identity's Overview blade); the code in step 3 needs that value, not the display name.
  2. Assign the Key Vault role to the identity:

    • In the Azure portal, navigate to your Key Vault resource.
    • Select "Access Control (IAM)."
    • Click on "Add" and select "Add role assignment."
    • Choose the "Key Vault Secrets User" role (the built-in role that grants read access to secret contents; "Key Vault Reader" only exposes metadata). Role assignments take effect only if the vault's permission model is set to Azure role-based access control; a vault still on access policies needs a Get secrets policy for the identity instead.
    • Assign the role to the "myIdentity" identity attached in step 1.
  3. Update the code to access the secrets:

    • Replace the existing authentication method with the following code. ManagedIdentityClientId takes the identity's client ID (a GUID), not the name "myIdentity":
      DefaultAzureCredential credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions()
      {
          // Client ID of the user-assigned identity "myIdentity" (GUID from its Overview blade)
          ManagedIdentityClientId = "<client-id-of-myIdentity>"
      });
      
      Uri keyVaultURL = new Uri("https://<your-vault-name>.vault.azure.net/");
      var secretClient = new SecretClient(keyVaultURL, credential);
      // GetSecret returns Response<KeyVaultSecret>; the secret string itself is in .Value.Value
      string secret1 = secretClient.GetSecret("secret-1").Value.Value;
      string secret2 = secretClient.GetSecret("secret-2").Value.Value;
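
When the three steps above go wrong, the symptom is always "cannot read the secret", but the cause is either that the identity is not attached to the VM (step 1) or that it is attached but has no role on the vault (step 2). The console program below is an added diagnostic, not code from the original post, that you can run on the VM to tell the two apart: it first asks the instance metadata service for a Key Vault token bound to the user-assigned identity's client ID, then tries one GetSecret call. The command-line arguments, the default secret name "secret-1" and the ManagedIdentityCheck class name are assumptions.

```csharp
// Added example (not from the original post). Run on the VM as:
//   dotnet run -- <client-id-guid> https://<your-vault-name>.vault.azure.net/ [secretName]
// Assumes Azure.Identity and Azure.Security.KeyVault.Secrets are referenced.
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class ManagedIdentityCheck
{
    // Returns a one-line diagnosis prefixed with OK / NO_IDENTITY / NO_PERMISSION / NOT_FOUND.
    public static async Task<string> DiagnoseAsync(string clientId, Uri vaultUri, string secretName)
    {
        // Bind explicitly to the user-assigned identity. With several identities on one VM,
        // a parameterless ManagedIdentityCredential() would use the system-assigned one.
        var credential = new ManagedIdentityCredential(clientId);

        // Step 1: can the instance metadata service issue a Key Vault token for this identity?
        AccessToken token;
        try
        {
            token = await credential.GetTokenAsync(
                new TokenRequestContext(new[] { "https://vault.azure.net/.default" }));
        }
        catch (AuthenticationFailedException ex)
        {
            return $"NO_IDENTITY: no token for client ID {clientId}. " +
                   $"Check VM > Identity > User assigned. ({ex.Message})";
        }

        // Step 2: the token exists; does the identity have permission on this vault?
        var client = new SecretClient(vaultUri, credential);
        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync(secretName);
            // Report metadata only; the value stays in memory and is never printed.
            return $"OK: read '{secret.Name}' version {secret.Properties.Version}; " +
                   $"token expires {token.ExpiresOn:u}";
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            return "NO_PERMISSION: token issued but Key Vault returned 403. Assign " +
                   "'Key Vault Secrets User' (RBAC vault) or a Get secrets access policy.";
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            return $"NOT_FOUND: identity is authorized but secret '{secretName}' does not exist.";
        }
    }

    public static async Task<int> Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: <clientId> <vaultUri> [secretName]");
            return 2;
        }

        string secretName = args.Length > 2 ? args[2] : "secret-1";
        string result = await DiagnoseAsync(args[0], new Uri(args[1]), secretName);
        Console.WriteLine(result);
        return result.StartsWith("OK") ? 0 : 1;
    }
}
```

The exit code makes the check usable from a deployment script: a non-zero result before the Web API is started points at the identity or the role assignment rather than at the application code.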
      

Benefits:

  • Secure: no client secret has to be stored on the VM, in configuration or in code, so there is nothing for an attacker who reads the box to copy and reuse elsewhere; the identity only yields short-lived tokens from the instance metadata service.
  • Automatic authentication: the Azure.Identity library obtains and refreshes tokens for the identity itself, so the application never handles credentials directly.
  • No extra cost: managed identities are free, and there is no app registration, client secret or certificate lifecycle to operate.

Q&A

In Azure virtual machine, how to access azure key vault secrets in .Net Core Web API?

Use DefaultAzureCredential to pass the authentication and access the Azure Key Vault secrets, but DefaultAzureCredential attempts to authenticate via multiple mechanisms. So you can set environment variables on your server to use environment authentication, or use a managed identity assigned to the VM to access the Key Vault.

Video Explanation:

The following video, titled "Keeping Secrets in Azure with KeyVault and Managed Identity ...", provides additional insights and in-depth exploration related to the topics discussed in this post.


Recording of my session at Azure Developer Community Day 2020 (https://www.azuredev.org/) Managing secrets like connection strings, API keys ...