The Solutions:
Solution 1: Using DefaultAzureCredential with Environment Variables
To authenticate using DefaultAzureCredential in production, set the following environment variables on the Azure Virtual Machine:
- AZURE_CLIENT_ID: Client ID of the Azure AD application created for Key Vault access.
- AZURE_TENANT_ID: Tenant ID of the Azure AD application.
- AZURE_CLIENT_SECRET: Client secret of the Azure AD application.
Code Snippet:
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
namespace YourApi
{
    public class Startup
    {
        public IConfiguration Configuration { get; }
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }
        public void ConfigureServices(IServiceCollection services)
        {
            // Create a SecretClient using DefaultAzureCredential; on the VM the
            // AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_CLIENT_SECRET variables
            // let its EnvironmentCredential step succeed
            DefaultAzureCredential azureCredential = new DefaultAzureCredential();
            Uri keyVaultUrl = new Uri(Configuration["KeyVault:URL"]);
            SecretClient secretClient = new SecretClient(keyVaultUrl, azureCredential);
            // Use the secretClient to access Key Vault secrets
        }
    }
}
Solution 2: Using Managed Identity
To use managed identity, enable it for the Azure Virtual Machine and grant access to the Key Vault in its access policy.
Code Snippet:
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
namespace YourApi
{
    public class Startup
    {
        public IConfiguration Configuration { get; }
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }
        public void ConfigureServices(IServiceCollection services)
        {
            // Create a SecretClient using the VM's managed identity; no secret is
            // stored in configuration or code
            ManagedIdentityCredential azureCredential = new ManagedIdentityCredential();
            Uri keyVaultUrl = new Uri(Configuration["KeyVault:URL"]);
            SecretClient secretClient = new SecretClient(keyVaultUrl, azureCredential);
            // Use the secretClient to access Key Vault secrets
        }
    }
}
Solution 3: Use a managed identity assigned to the VM
Steps:
- Enable managed identity for the VM:
  - In the Azure portal, navigate to your VM resource.
  - Click on "Identity."
  - Select "User assigned."
  - Create a new identity named "myIdentity" (or use an existing one).
- Assign the Key Vault role to the identity:
  - In the Azure portal, navigate to your Key Vault resource.
  - Select "Access Control (IAM)."
  - Click on "Add" and select "Add role assignment."
  - Choose the "Key Vault Secrets Reader" role.
  - Assign the role to the "myIdentity" identity created in step 1.
- Update the code to access the secrets:
  - Replace the existing authentication method with the following code:
    DefaultAzureCredential credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions()
    {
        // Replace with the client ID (GUID) of the "myIdentity" managed identity, not its display name
        ManagedIdentityClientId = "<client-id-of-myIdentity>"
    });
    var secretClient = new SecretClient(keyVaultURL, credential);
    var secret1 = secretClient.GetSecret("secret-1");
    var secret2 = secretClient.GetSecret("secret-2");
Benefits:
- Secure: Managed identities eliminate the need to store and manage secrets within the application code, reducing the risk of data breaches.
- Automatic authentication: Managed identities automatically handle authentication with Azure services, simplifying the development process.
- Cost-effective: Managed identities are a cost-effective alternative to using managed service principals or external identity providers.
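As an added end-to-end example (not code from the page or its author) that ties Solution 1 and the managed-identity solutions together in one minimal ASP.NET Core Program.cs: a single DefaultAzureCredential, configured so that on the VM only the AZURE_* environment variables or the managed identity can satisfy it, registered once and consumed by a hypothetical endpoint. The configuration key KeyVault:ManagedIdentityClientId, the endpoint route and the Exclude* settings are assumptions.

```csharp
using System;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Assumed configuration keys (not from the page): KeyVault:URL and
// KeyVault:ManagedIdentityClientId (client ID GUID of the user-assigned identity).
Uri vaultUri = new Uri(builder.Configuration["KeyVault:URL"]
    ?? throw new InvalidOperationException("KeyVault:URL is not configured"));

// On the VM only two links of the chain should ever succeed: the AZURE_* environment
// variables (Solution 1) or the VM's managed identity (Solutions 2 and 3). Excluding
// the developer-tool credentials keeps the production chain short and predictable.
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
    // null here selects the system-assigned identity instead
    ManagedIdentityClientId = builder.Configuration["KeyVault:ManagedIdentityClientId"],
    ExcludeVisualStudioCredential = true,
    ExcludeVisualStudioCodeCredential = true,
    ExcludeAzureCliCredential = true,
    ExcludeAzurePowerShellCredential = true,
});

// One SecretClient for the whole app; it reuses the credential's cached token.
builder.Services.AddSingleton(new SecretClient(vaultUri, credential));

var app = builder.Build();

// Hypothetical endpoint: proves the secret is readable without echoing its value.
app.MapGet("/secrets/{name}/check", (string name, SecretClient client) =>
{
    try
    {
        KeyVaultSecret secret = client.GetSecret(name).Value;
        return Results.Ok(new { name, length = secret.Value.Length });
    }
    catch (RequestFailedException ex) when (ex.Status == 403)
    {
        // Identity authenticated but lacks secret permission on this vault (RBAC/policy)
        return Results.StatusCode(403);
    }
});

app.Run();
```

A 403 from the check endpoint means the token was issued but the role assignment or access policy on the vault is missing, which separates identity problems from authorization problems during rollout.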
Q&A
In Azure virtual machine, how to access azure key vault secrets in .Net Core Web API?
Use DefaultAzureCredential to pass the authentication and access the Azure Key Vault secrets, but DefaultAzureCredential attempts to authenticate via multiple mechanisms. So you can set environment variables on your server to use environment authentication, or use a managed identity assigned to the VM to access the Key Vault.
Video Explanation:
The following video, titled "Keeping Secrets in Azure with KeyVault and Managed Identity ...", provides additional insights and in-depth exploration related to the topics discussed in this post.
Recording of my session at Azure Developer Community Day 2020 (https://www.azuredev.org/) Managing secrets like connection strings, API keys ...