Secure Configuration Values in Azure Key Vault and Consume Them in Multiple Environments Using C#

Securing configuration values is a critical aspect of modern application development. Whether it’s a connection string, API key, or database credentials, these sensitive pieces of data must be stored securely to ensure the integrity and security of your application. Azure Key Vault is a cloud service provided by Microsoft that helps securely store and access sensitive information such as secrets, certificates, and keys.

In this article, we’ll explore how to use Azure Key Vault to securely store configuration values and how to consume these values in multiple environments using C#. We will also discuss best practices for securely managing configurations across development, staging, and production environments.

What is Azure Key Vault?

Azure Key Vault is a cloud-based service that allows you to securely store and manage sensitive information like:

• Secrets: Values such as API keys, passwords, or any other sensitive data.
• Keys: Cryptographic keys used for encrypting data.
• Certificates: SSL/TLS certificates used for secure communication.

By using Azure Key Vault, developers can ensure that sensitive data is stored securely and that access to this data is tightly controlled.

Why Use Azure Key Vault?

• Centralized Storage: You can store all your secrets in one place, making it easier to manage and access.
• Enhanced Security: Secrets in Key Vault are encrypted, and access is controlled through Azure Active Directory (AAD) and role-based access control (RBAC).
• Auditing: Azure Key Vault provides detailed logging for all accesses to secrets, which can be important for compliance and debugging.
• Access Control: Fine-grained access control allows you to restrict who or what can access the secrets.

Steps to Secure Configuration Values in Azure Key Vault

1. Create an Azure Key Vault

First, you’ll need to create an Azure Key Vault. Here’s how you can do it through the Azure Portal:

1. Navigate to the Azure Portal.
2. Search for Key Vault and select Create.
3. Choose a subscription and resource group, and give the Key Vault a unique name.
4. Select a region and click Create.

Alternatively, you can use Azure CLI:

az keyvault create --name <your-keyvault-name> --resource-group <your-resource-group> --location <region>

2. Add Secrets to Azure Key Vault

Once your Key Vault is created, you can add secrets to it. For example, to store a connection string:

1. Go to the Secrets section in the Azure Key Vault.
2. Click on Generate/Import to create a new secret.
3. Provide a name for the secret (e.g., DbConnectionString) and its value (e.g., Server=myserver;Database=mydb;User=myuser;Password=mypassword).

You can also add secrets via Azure CLI:

az keyvault secret set --vault-name <your-keyvault-name> --name "DbConnectionString" --value "Server=myserver;Database=mydb;User=myuser;Password=mypassword"

3. Set Access Policies

To allow your application to read the secrets from Azure Key Vault, you need to set access policies for it. In the Access Policies section of Key Vault, you can grant Get permission to the secrets.

You can also set access policies via Azure CLI:

az keyvault set-policy --name <your-keyvault-name> --secret-permissions get --spn <your-application-client-id>

How to Consume Configuration Values from Azure Key Vault in Multiple Environments

For most applications, you may have different configurations for different environments like development, staging, and production. You can securely consume configuration values from Azure Key Vault using managed identities or client credentials.

1. Install Azure SDK Packages

To interact with Azure Key Vault in C#, you need to install the necessary NuGet packages:

dotnet add package Azure.Identity  dotnet add package Azure.Security.KeyVault.Secrets

2. Create a Configuration Service to Access Key Vault

Below is an example of a service that retrieves configuration values (secrets) from Azure Key Vault:

using Azure.Identity;  using Azure.Security.KeyVault.Secrets;  using Microsoft.Extensions.Configuration;  using System;    namespace KeyVaultDemo  {      public class KeyVaultService      {          private readonly SecretClient _secretClient;            public KeyVaultService(string keyVaultUri)          {              // Create a SecretClient using DefaultAzureCredential for managed identity or service principal authentication              _secretClient = new SecretClient(new Uri(keyVaultUri), new DefaultAzureCredential());          }            public string GetSecretValue(string secretName)          {              // Retrieve the secret value from Key Vault              KeyVaultSecret secret = _secretClient.GetSecret(secretName);              return secret.Value;          }      }  }

3. Access Configuration Values Based on Environment

To manage different environments, you can set the Key Vault URI or secret names using environment variables or a configuration file.

Here’s an example of how you can load the Key Vault URI and the secret name from appsettings.json:

{    "AzureKeyVault": {      "Uri": "https://<your-keyvault-name>.vault.azure.net/"    }  }

In your Program.cs or Startup.cs, load the configuration and call the KeyVaultService:

using Microsoft.Extensions.Configuration;    var builder = new ConfigurationBuilder()      .SetBasePath(Directory.GetCurrentDirectory())      .AddJsonFile("appsettings.json");    var configuration = builder.Build();    // Get Key Vault URI from appsettings  string keyVaultUri = configuration["AzureKeyVault:Uri"];    // Instantiate KeyVaultService and retrieve secrets  KeyVaultService keyVaultService = new KeyVaultService(keyVaultUri);  string connectionString = keyVaultService.GetSecretValue("DbConnectionString");    Console.WriteLine($"Retrieved connection string: {connectionString}");

4. Different Environments (Development, Staging, Production)

To support multiple environments, you can have different appsettings.{Environment}.json files, such as appsettings.Development.json, appsettings.Production.json, etc.

For example, in appsettings.Production.json, you could have:

{    "AzureKeyVault": {      "Uri": "https://prod-keyvault.vault.azure.net/"    }  }

In your Program.cs, configure the application to use the correct environment settings:

var builder = new ConfigurationBuilder()      .SetBasePath(Directory.GetCurrentDirectory())      .AddJsonFile("appsettings.json")      .AddJsonFile($"appsettings.{Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT")}.json", optional: true)      .AddEnvironmentVariables();

This allows your application to load configuration values from different Key Vaults based on the environment it’s running in.

Best Practices for Managing Secrets in Azure Key Vault

1. Use Managed Identity: When running your application on Azure services like App Service, Virtual Machines, or Azure Functions, use Managed Identity to authenticate your app with Key Vault. This eliminates the need for storing credentials.
2. Use Environment-Specific Secrets: Store different secrets for different environments and ensure that each environment has its own access policies.
3. Regularly Rotate Secrets: Use Azure Key Vault’s secret versioning to rotate secrets regularly.
4. Audit Access: Enable logging and monitor access to secrets to detect any suspicious activity.
5. Restrict Access to the Least Privilege: Use Azure RBAC to give access only to the resources and people who need it.

Azure Key Vault provides a secure and scalable solution for storing and managing sensitive configuration data. By integrating it with your C# application, you can ensure that your configuration values, such as database connection strings, API keys, and other secrets, are securely accessed across multiple environments.

By following best practices, such as using managed identities, regularly rotating secrets, and ensuring the least privilege principle, you can further enhance the security of your application.