Stop Putting Your Asp.Net Core Secrets at Risk - Use Azure Key Vault!

  • Published on 31 Jul 2024
  • Managing Asp.Net Core secrets with Azure Key Vault is often tricky. And the reason for this is that the official documentation is hard to follow and tutorials are either outdated, not working or teach you BAD stuff. Also, managing Asp.Net Core secrets with Azure Key Vault is tricky because we need to find a setup that works both on local development and on Azure Web Apps for instance. But I got you covered! In this video I show you from scratch how to manage Asp.Net Core secrets with Azure Key Vault the right way and in around 15 minutes. After this video, you'll find any other resource useless! Pinky swear!
    Content:
    1. Intro: 00:00
    2. The Documentation problem: 00:33
    3. Initial setup overview: 01:40
    4. Create Azure Key Vault: 02:57
    5. What's the challenge? 04:50
    6. Azure Key Vault as configuration source: 05:27
    7. Understand DefaultAzureCredential: 07:00
    8. Introducing Azure managed identities: 10:20
    9. System vs user assigned managed identities: 11:50
    10. Azure Key Vault Access Policies: 12:34
    11. Wiring it all up! 14:17
    12. Recap: 14:59
  • Science and technology

Comments • 64

  • @abuuthmaan 2 months ago +1

    You're the man, Dan! This is the best tutorial on the topic I've found.

  • @isrukhasan8504 1 year ago

    This is one of the best. Clear and precise. Good job! Love from Bangladesh

    • @Codewrinkles 1 year ago

      Thanks for watching. Love back from Romania!

  • @PatGarvey 1 year ago +1

    Three hours to find this video. 15 minutes to get things to work. Excellent!

    • @Codewrinkles 1 year ago

      In the end, I'd say it's a success! I'm glad it was helpful. Make sure to subscribe, so that you don't spend another 3 hours searching for stuff you might find here :)

    • @anujpatil3147 1 year ago

      exactly. As a fresher, helped a lot. now manager won't shout at me 😉

  • @viktorasmickunas2527 1 year ago

    A very useful and much needed video. Thank you.

  • @jadhavvishal89 1 year ago

    Always waiting for your new videos; they really help me and encourage me to learn and use concepts in a new way. Thank you very much.

    • @Codewrinkles 1 year ago

      Happy to hear that! Thank you for watching.

  • @androidsavior 4 months ago

    Thank you very much, I will try it soon

  • @kojoagyemang4169 11 months ago +1

    Really useful and simple. Can't like it enough

  • @zaharivaklinov 1 year ago

    Short, clear and concise. If only this had been uploaded back in December. Nevertheless, I will be using it from now on (:

  • @anujpatil3147 1 year ago

    You just got a new subscriber.
    And I don't usually subscribe to anyone to keep my yt feed cleaner.
    Many thanks.

    • @Codewrinkles 1 year ago +1

      Thanks for the sub! I really appreciate it. Hope to not disappoint in the future :)

  • @xelaksal6690 1 year ago

    Thanks for very clear explanation!

  • @jadhavvishal89 1 year ago

    Awesome video @codewrinkles, you explain how to use the key vault concept in a very simple way. I have gone through lots of documents, but your 16 min video helped me clear most of my doubts. Thanks.
    Could you please cover Azure Functions with a real-time scenario, like input and output bindings?

    • @Codewrinkles 1 year ago

      I'm glad the video was useful to you. I will for sure cover also Azure Functions, probably in a lot of videos. I'm just getting the Azure series started. That's the 4th video only :)

  • @Liboterac 1 year ago

    Bro u are fking awesome! Thank you for this. Clear, on spot, nice examples....

    • @Codewrinkles 1 year ago

      Glad you found it useful. Thanks for watching!

  • @loadiam 1 year ago

    Simple and helpful!

  • @bouthaynahamdi707 2 months ago

    Very helpful. Does it work if the app service is container based?

  • @androidsavior 4 months ago

    So if I sign out of Azure from the web on my PC, the key-vault will stop working in the C# code?
    What if I host my application on-premise? Should I sign in to Azure from the server to get it to authenticate the key-vault in my C# code?

  • @goranmaric6806 1 year ago +2

    Excellent video, indeed. Thanks!
    I would like to suggest that it could be beneficial to mention the order in which the secrets are added to the configuration object. Based on my experience using this configuration, it appears that secrets are loaded from KeyVault at the end. Therefore, if there is a configuration key with the same name as a secret in KeyVault within the Azure App Service, the value from KeyVault will be present in the configuration object at the end.

    • @Codewrinkles 1 year ago +2

      Thank you for watching. I have talked in depth about the order of configuration keys and how this might break our apps in the video about configurations that I also mentioned in this one: th-cam.com/video/5TxnLU-SXVg/w-d-xo.html
      Also with practical demos to show how things happen.

  • @androidsavior 4 months ago

    The developer will be able to debug the code and inspect the connection string and the secrets after they are returned from Azure? So we're just hiding the secrets from viruses and cyber attacks?

  • @user-wo7sp5ds8p 1 year ago

    Thank you very much!

    • @Codewrinkles 1 year ago

      Glad you enjoyed it. Thanks for watching.

  • @AhmedMohammed23 1 year ago

    my man where were you hiding
    great content overall thanks

    • @Codewrinkles 1 year ago

      Appreciate it! More to come!

  • @hackneythugg 1 year ago

    Sure, here's the edited version of the TH-cam comment:
    Great video! I have a question: When you create an enabled identity on the web app and then create the access policy so that the application can access it, do you need to make any code changes? From what I saw in the video, it didn't seem like you had to change any code. So, does the Azure Default Identity work when the application is running in Azure? So no code changes are required?

    • @Codewrinkles 1 year ago

      If you use the system assigned managed identity, then no change should be required in the code. If you use a user assigned managed identity, then you need to provide the Object identifier for that identity either in code or as an environment variable.

  • @19balazs86 1 year ago +2

    This video could be on the Microsoft Learn page by default. Easier and better to understand the KeyVault, than other learning materials.

    • @Codewrinkles 1 year ago +1

      Thank you for the kind words. Feel then free to share it wherever you can. That would probably help a lot of people.

    • @nove1398 1 year ago +1

      I feel the same here

    • @Codewrinkles 1 year ago

      @@nove1398 Same goes for you. Feel free to share it wherever you think there are people that would find it useful: at work, friends, social media, forums. That would be highly appreciated.

  • @HungTran-jx2xc 1 year ago +1

    How would the cost increase, since we retrieve the connection string directly from Azure Key Vault?

    • @Codewrinkles 1 year ago

      What cost exactly? Both the Azure webapp and the KeyVault reside inside Azure, in the same region. So, I wouldn't be too worried about that in terms of network latency.

  • @mustafaaltnok3250 11 months ago

    Thanks for the video, What about azure keyvault- azure kubernetes integration?

  • @codeme8016 4 months ago

    Wonderful

  • @sauravbhatta5303 1 year ago

    Good content.
    You should also start producing content for Azure service fabric, function and service bus
    Have u also looked into Azure app configuration?

    • @Codewrinkles 1 year ago +1

      I have just started the Azure videos on this channel. I'll probably get into most of the topics you mentioned. Thank you for watching and commenting!

  • @PROFDAILY 1 year ago

    Great work. What happens if you deploy to different environments (dev, QA and Prod)? Your vault will have different secrets; how do you then update your Program.cs to read different secrets based on the environment?

    • @Codewrinkles 1 year ago +2

      First off, you just create the needed secrets for each environment. In your app you then use the secrets based on the environment you are currently in.
      You'll have to create 3 managed identities for each of the web apps and assign permissions. An alternative here would be to create one user assigned managed identity and use it for all the environments. This would actually be a scenario where a user assigned managed identity would make sense.

    • @flo187de 1 year ago +1

      @@Codewrinkles I've used a separate keyvault for each environment. That way I only have to change the keyvault url in appsettings. Any downsides to that?

    • @Codewrinkles 1 year ago +1

      I wouldn't say it's a problem or downside, but companies tend to usually have more consolidated key vaults, as they would contain keys, secrets and certificates used throughout all the Azure resources.

    • @PROFDAILY 1 year ago

      @@Codewrinkles that makes sense

  • @alboshajdari6871 1 year ago

    AddAzureKeyVault is now updated and now requiring different arguments:
    (string vault, string clientId, string clientSecret)
    But why do I need to manually give clientId and clientSecret when I already have valid credentials through DefaultAzureCredential(); ?

    • @Codewrinkles 1 year ago

      TBH, I'm not sure about this change. This video is not that old. I will investigate. But it seems very odd to me.

    • @alboshajdari6871 11 months ago

      @@Codewrinkles I found a solution, I was able to do it with this code here:
      string keyVaultUrl = builder.Configuration.GetSection("KeyVaultUrl").Value!;
      var azureServiceTokenProvider = new AzureServiceTokenProvider();
      var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
      builder.Configuration.AddAzureKeyVault(keyVaultUrl, keyVaultClient, new DefaultKeyVaultSecretManager());

    • @pylvr8021 11 months ago

      Any updates on this? Could you tell from what packages it comes from? I did not find it anywhere
      @@Codewrinkles
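
Added example (not from the video or from any commenter): the setup asked about in the thread above, Key Vault as a configuration source authenticated through `DefaultAzureCredential`, written against the current `Azure.Identity` and `Azure.Extensions.AspNetCore.Configuration.Secrets` packages. `KeyVaultUrl` is the settings key used in the comment above; the secret name `ConnectionStrings--Default`, the 30-minute reload interval and the `/health` endpoint are assumptions for illustration.

```csharp
// Program.cs - added example, not the video's code.
// NuGet: Azure.Identity, Azure.Extensions.AspNetCore.Configuration.Secrets.
// The (vault, clientId, clientSecret) and KeyVaultClient overloads quoted above
// belong to the older Microsoft.Extensions.Configuration.AzureKeyVault package.
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);

// The vault URL is not a secret, so it can live in appsettings.json.
string? rawUrl = builder.Configuration["KeyVaultUrl"];
if (!Uri.TryCreate(rawUrl, UriKind.Absolute, out Uri? vaultUri)
    || vaultUri.Scheme != Uri.UriSchemeHttps)
{
    // Fail closed: starting without the vault would silently fall back to
    // whatever values sit in appsettings.json or environment variables.
    throw new InvalidOperationException("KeyVaultUrl must be an absolute https URI.");
}

// One credential object for every environment: on Azure it resolves to the
// app's managed identity, on a developer machine to a local login
// (Visual Studio, Azure CLI, ...). No client secret is stored anywhere.
var credential = new DefaultAzureCredential();

// Registered after the default sources, so a Key Vault secret overrides a key
// with the same name from appsettings.json or App Service settings.
builder.Configuration.AddAzureKeyVault(vaultUri, credential,
    new AzureKeyVaultConfigurationOptions
    {
        // Secrets are loaded at startup and then served from memory; the
        // vault is queried again only on this interval, which also picks up
        // rotated secret versions without a restart.
        ReloadInterval = TimeSpan.FromMinutes(30),
    });

var app = builder.Build();

// A secret named "ConnectionStrings--Default" (hypothetical) surfaces as
// "ConnectionStrings:Default": "--" maps to the ":" section separator.
string? conn = app.Configuration.GetConnectionString("Default");

// Report only whether the secret resolved; never echo its value.
app.MapGet("/health", () =>
    conn is null ? Results.Problem("connection string not loaded") : Results.Ok());

app.Run();
```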

  • @dailylearning1706 1 year ago

    Excellent job, thank you. But can you make a video like this with Terraform? I mean, by using Terraform to create the key vault, the secret inside the key vault and then access the secret from the secret vault with Terraform and Azurerm provider. Thank you in advance.

    • @Codewrinkles 1 year ago

      Thanks for the idea! I guess infrastructure as code topics is something that I'll cover sooner rather than later.

  • @SinanNAR 1 year ago

    What is the difference between system generated and user generated managed identity? Also could you please cover app configuration with keyvault together for next topic?

    • @Codewrinkles 1 year ago

      I explained the difference in the video. Maybe you have skipped that part :)

  • @RoyZASTEROiD 1 year ago

    thanks

  • @brianalessi2673 1 year ago

    Great video, this was very informative! We just implemented this with success, but we also noticed that it takes about 12 seconds to retrieve just one secret. Has anyone noticed this or discovered workaround(s)?

    • @Codewrinkles 1 year ago

      I assume there's a networking problem somewhere. Retrieving secrets is and should be very fast.

  • @asdasdaa7063 6 months ago

    what about Cache the secrets? the way you did it now you'd have to pay for every read operation on a secret. You need to Cache the secrets and reuse from memory whenever possible right?

    • @Codewrinkles 6 months ago

      That sounds like a valid point and idea.

  • @AnsisPlepis 11 months ago +1

    14:20 There's nothing wrong with your face :)