including Azure Key Vault in .NET core 8 app running on on prem IIS

Richard Scannell 406 Reputation points
2024-12-20T12:16:01.42+00:00

My .NET core 8 app talks to Azure Key Vault when I run it in Visual Studio 2022 because I can see a reference to Azure Key Vault in the Connected Services under the project. The app does not start on the IIS server, because of an authorization fail in Program.cs at the following point:

var kvUri = $"https://{builder.Configuration["AppConfig:KeyVaultUrl"]}.vault.azure.net";

builder.Configuration.AddAzureKeyVault(new Uri(kvUri), new DefaultAzureCredential());

I have seen a suggestion to get this working by setting Environment variables for AZURE_TENANT_ID, AZURE_CLIENT_ID & AZURE_CLIENT_SECRET. In IIS, clicking on Management >> Configuration Editor creates a WEB.CONFIG file in the root of the site, whose values are ignored by calls to

Environment.GetEnvironmentVariable("MyEnvVar");

Environment.GetEnvironmentVariables();

The values from AppSettings.JSON are taken instead.

How do I create an environment variable which is readable by the .NET core app, and which is secure? I dont understand how appsettings.json, & launchsettings.json are not secure enough to store database passwords, but are OK for storing the values for Azure Tenant ID, Client ID & Secret which are used to open the Key Vault.

Thanks in advance

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,343 questions
ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,706 questions
0 comments No comments
{count} votes

Accepted answer
  1. Tiny Wang-MSFT 2,981 Reputation points Microsoft Vendor
    2024-12-20T13:14:15.5033333+00:00

    Hi Richard, you are now working on integrating Azure key vault into your .Net 8 application. So that we have to get the application authorized so that it could access Azure resource. In your code sample, it's using new DefaultAzureCredential() to get authorization. For this method, you might refer to this section.

    User's imageAs you can see, credentials can be provided in many steps, setting environment variable is one of the options. You just need to add the required environment variable in windows system, then the

    DefaultAzureCredential method would do authorization task automatically. It firstly checks the environment variable, if failed, then goes into the next step.

    User's image If you prefer to use Azure Managed Identity to do the authorization, you can use codes below.

    builder.Configuration.AddAzureKeyVault(
           new Uri("https://vaultName.vault.azure.net/"),
           new DefaultAzureCredential(
               new DefaultAzureCredentialOptions { ManagedIdentityClientId = "userManagedIdentityClientId" }//required when using user ManagedIdentity
           ));
    

    If you are working locally using Visual Studio, and you already used your Microsoft account signed in VS, it can also help do the authorization. I don't think you need to worry about security issue as the authorization occurs in the server side and it's controlled by SDK itself. You just need to choose the most suitable approach for your business.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best regards,

    Tiny

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Bruce (SqlWork.com) 68,716 Reputation points
    2024-12-20T14:29:05.0333333+00:00

    the issue is that the appsettings are typically checked into source control. you only want the connection secret on the server. the handy way to pass extra config setting outside the app setting is via environment variables. most webserver hosts have a way to pass environment variables to an asp.net core application.

    you appear to be using IIS, so the environment variables are set in aspnet hosting module web.config. IIS supports encrypting the web.config.

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.