How to securely store and load secrets using Azure Key Vault in .NET Core (using a certificate)

I think this is one of the best video so far on Key Vault. Really appreciate your efforts.
So basically we can connect key vault using below technique,
1. Using Manged Identity ( System Designed),.
2. Using Client Id & Client Secret.
3. Using Client Id & Certificates.
All of these needs App Registration to grant access to Key Vault.

Best key vault tutorial/explanation out there by far! Great job 👏

I can't believe that a tutorial like this is free. Fantastic job Nick! Thank you so much.

Even in 2023 it's still useful! I just integrated a keyvault for the first time a-z myself. I used azure app configuration which has some keys mapped to key vault. So when I pull the configuration I'm getting both plain values and secret values in one shot. Thanks, Nick!

I have been finding solution for using secret keys for almost 2 days.. This is only solution that i find workable. Thankyou very much...

Great video! I think people using Azure All the way might find it easier with 2 changes:
1) Use Managed Identity for Auth (skip certificate setup + increase security by making it easier to manage later without deploying new code)
2) Use Azure App Configuration (and load secrets into Azure App Configuration using KeyVault, to get the additional audit for who accesses those keys specifically) to control config naming limitations in KeyVault in cloud
With above you will at least get a much simpler composition root - and more cloud control (remember to manage who has access to that).
I'm still missing the auto secret rotation feature which AWS has (that's really cool), but I guess there is a way to do that with some Azure Automation (just a shame it's not an out of the box feature like in AWS)

Thanks Nick for sharing your knowledge. Keep up the good work.

THIS VIDEO IS ABSOLUTE GOLD.
Thanks Nick

This was a great video and a huge time saver for me. Thank you!

Great one! Nick, keep up the good work.

Fantastic run-through!

Great video! Nick, please add to the videos the corresponding Microsoft Documentation link.
Also I hope to see soon a video on how to get the most of Azure Application Insights!!
I loved your asp.net core Rest API tutorial, learned a lot. Thank you!

Great video, Nick.

Great tutorial! Maybe use the CN instead of the Thumbprint, so if the Certificate expires you can load a new one without the need to redeploy the application!

Hi, Iove all your videos. Thanks a lot for sharing your knowledge.
Can you suggest how to reload when the values are updated in AKV?

The best! tnx

Excellent

Well done.

How about adding keys as Azure app service configuration that will later exposed to app as env variables? What's the downside of this?
Great content keep it up!

Hi, thank you so much for the detailed explanation. My project is in .NET MVC 4.6.2. Do you have any video that explains the same concept for .NET MVC?

Thanks Nick for the wonderful tutorial -
What certificate should a team purchase when application goes to Prod (since self singed certificate is recommended for Development Environment)
Thanks

Nice explanation , can you confirm if I can use same way to secure Azure function http trigger . I want to access this function from a specific application.

Hi Nick, great tutorial as always. So I'm using SQL and have DbContext setup and registered in Startup.cs which points to connectionstrings in the appsettings.json. What changes do I need to make in startup.cs for this to work.
services.AddDbContext(opt => opt.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
Any help is appreciated!

Hi Nick. Great video!
I managed in the end to make it work both locally and in the cloud. Thanks!
One question though.
You said this method is the most secure we could use in Production. What about using a system assigned managed identity ?
And regarding the Development, what is the preferred way ?
1. to connect via a service principal and use the certificate locally (I believe it would be difficult, as the certificate has to be shared across devs)
2. to be given access to the app service (and probably other clients like key vault) and using the DefaultAzureCredential, to let Azure detect the signed in user
I'm really interested about this topic and I hope others are too, so we get a reply from you!
Thanks again!

Awesome video but, given that its deprecated how do you configure it in the Program.cs file in Core 6.0 since the Startup file is no longer a thing?

Great tutorial. By the way which editor you are using? It looks different from Visual Studio and VS Code.

so hyped for the azure series!
any chance of it including eventbus?

Hi Nick, Very well explained this is a good learning. Would you please share the code. In the Github i didn't find this. Thanks in Advance

@Nick Chapsas, you have not implemented this project through managed identity, rather through certificate. But I heard in case of azure Key vault managed identity approach is much better than certificate. Am I correct? Will you please share your thought on my doubt?

Liked the video even before watching it. Hope you doing well.

I'm just a beginner with regards to understanding https, certificates and storing secrets in .NET. In Azure Portal, when I created the key vault, under /certificates I see that you can just generate one. Is it stupid to do that, download it and the upload for the app registration?

Hello there!
Can I ask some questions?
1) Should we use (I mean by your opinion and recommendation) azure key vault for store DB creds etc?
2) Did you hear about "git secret"? What do you think about that way?
3) As I understood, certificate is strongly recommended, but not necessary? Am I right? Can we configure certificate in appSettings.json? I remember smth like that in .Net Framework and web.config times.

@Nick Chapas where is code of this project in your repository? I couldn't find that. Will you please share link of code for this demo project?

Can we use secret name as APP_ENV in azure key vault. I tried it and it says i cannot use special characters like _

Great tutorial Nick, where can I get the source code? I could not find it in your Github Repositories

I think you can get openssl from Gti here: C:\Program Files\Git\usr\bin

Could you give a diagrammatic/high-level idea of what exactly are you doing?

Hi Nick,
First of all very good article. It really helped me what i wanted to achieve. I will be greatful to you if you can help me with following queries. I am really stuck at present.
This way of certificate works on when you host it on windows server or running in windows locally. How we can make it run in Linux server? How we can setup the development env in a mac machine?
My application is a Service Oriented Architecture. The services are consumed by mobile and web app. So in development env I host the services locally in IIS, so that i can debug service code with mobile/web code. But the certificate is not picked up by the service so it is not be able to connect to the azure key vault.
A timely response is highly appriciated.
thanks

is this applicable to Asp.Net MVC?

Hi Nick, I have followed the video and when I deploy I got the error "Could not find certificate with thumbprint 558318C0DB6999F4AD1163A1xxxxxxxx". How can I solve that error.
Tks for your reply Nick

Hi Nick,
I've getting the "Certificate is not installed" exception thrown. Any idea what I could be missing? I've posted a question here" stackoverflow.com/questions/61513887/cannot-find-certificate-azure-net-core-app
Thanks!

It looks like you'll have some additional administration to perform each year, when your certificates expire. Why not use "Identity", and "DefaultAzureCredential()". That way you won't have this problem. You would not even have to use KeyVault, you could just allow your production server access to your DB in AzureAD using RBAC. In development you get a nice single sign-on experience as well, and no passwords anywhere...

That means there is no consistent experience on the config for multiple environments such as local development environment.

Microsoft.extensions.azurekeyvault is deprecated

This crying out for a utility (script?) and a utility library!

The best tutorial I have seen, as I know I spent some time figuring out how to do this myself, but there's somethings that are "no bueno" and overcomplicate it.
First of all, from the Microsoft documentation literally says...
"Don't use prefixes on key vault secrets to place secrets for multiple apps into the same key vault or to place environmental secrets (for example, development versus production secrets) into the same vault. We recommend that different apps and development/production environments use separate key vaults to isolate app environments for the highest level of security."
The single keyVault seems problematic and complicates how you access the secrets.
The prefix is totally unnecessary with the per app/per env vault and eliminates the need entirely for implementing the secret manager. Also, by default, if the names follow the structure of the data in the appsettings, they'll be replaced. Again, making implementing secret manager unnecessary.
KeyVault Name: FakeConfiguration--Prop1
Appsettings Field: FakeConfiguration: { Prop1: ???}
The value from the vault will magically replace it, as they're equivalent. There's literally no need to complicate it unless absolutely necessary.
Useful documentation I used...
docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-2.2#use-application-id-and-x509-certificate-for-non-azure-hosted-apps-1
docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-2.2#bind-an-array-to-a-class-1
oh yeah. If you don't want to load them all during startup, you can also access them individually via the SecretClient
docs.microsoft.com/en-us/dotnet/api/overview/azure/security.keyvault.secrets-readme-pre

Hello Nick. How can put Token into my Header request in SecretClient? I can take secrets with pure HttpClient. But With Secret Client I don't know where to put my Token

Is this OK to use for usernames and passwords?