Easily Read Key Vault Secrets From ASP.NET Core Web API Application

Introduction


Azure Key Vault is a tool for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. A vault is a logical group of secrets.
 
You can refer to the Microsoft document below for more details.
 
https://docs.microsoft.com/en-us/azure/key-vault/basic-concepts

Prerequisites


Azure portal access, Visual Studio 2019 or Visual Studio Code
Along with Azure Key Vault, we need an Azure App Registration in Azure Active Directory to access Key Vault secrets. Let’s create the app registration first.

Create App Registration in Azure Active Directory


Open the Azure portal, click the Azure Active Directory blade, and then click the “App registrations” tab.

Click the “New registration” tab to create a new app registration.

Give the app registration a valid name and click the Register button to proceed.
 

 
 
Please copy the Application ID (Client ID) to any secure place. We will use this ID in our Web API application later.
 
 
We can create a client secret in this app registration. Click “Certificates & secrets” tab.
 
 
Click “New client secret” button to create a new client secret.
 
 
 
We can give any description and create client secret.
 
 
Please copy the above secret key and keep it in any secure place. We will also use this value in the Web API application.
We have successfully completed the app registration part and copied the required values, the client ID and the client secret value. We can create the Azure Key Vault now.

Create Azure Key Vault and Secret Value


Click create new resource button and choose “Key Vault”
 
Click “create” button
 
 
 
We can choose an existing resource group or create a new one. Please give the key vault a valid name and choose an appropriate region. I have kept all other fields at their defaults. If you want to modify them, do so carefully.
 
Please click “Review + create” button. Your Key Vault will be deployed in a few moments.
 
 
 
A Key Vault can hold three types of objects: Keys, Secrets, and Certificates. In this article, we will see Secrets only.
 
We can click “Secrets” to create a new secret key and value pair.
 
Click “Generate/Import” button to create new secret pair.
 
 
We can give a name and value to the secret.
 
Click “Create” button to create secret value pair.
 
Next, we grant the app registration that we created earlier access to this Key Vault through an access policy.
 
 
Click “Access policies” tab to proceed.
 
Click “+ Add Access Policy”
 
Choose secret permissions and choose Get, List, Set, and Delete. The application in this article only reads secrets, for which Get and List are sufficient.
 
 
Select principal and search for our app registration name. We have already created an app registration. Select it and click “Add” button.
 
We can see the selected app registration with secret permissions from Key Vault. We can save the permissions.
 
 
We have successfully created the Azure Key Vault and a secret key-value pair. We can now create a Web application that uses these details to get the secret value from Key Vault.

Create Web API Core application in Visual Studio 2019


We can create a simple Web API application with the ASP.NET Core template.

Modify the appsettings.json with the below values.


We can install the “Microsoft.Extensions.Configuration.AzureKeyVault” NuGet package into the project.

We can modify the “CreateHostBuilder” method in the Program.cs file.
 
Program.cs
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

namespace AzureKeyVaultSecret
{
    public class Program
    {
        public static void Main(string[] args)
        {
            CreateHostBuilder(args).Build().Run();
        }

        public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureAppConfiguration((context, config) =>
                {
                    // Build the configuration loaded so far to read the vault name
                    // and the app registration's client ID and client secret.
                    var root = config.Build();

                    // Register Key Vault as a configuration source; each secret becomes a configuration key.
                    config.AddAzureKeyVault($"https://{root["KeyVault:Vault"]}.vault.azure.net/", root["KeyVault:ClientId"], root["KeyVault:ClientSecret"]);
                })
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder.UseStartup<Startup>();
                });
    }
}
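A stricter way to read the three `KeyVault:*` settings before calling `AddAzureKeyVault`, as an added example that is not part of the original article: it validates the vault name before it is interpolated into the URL, fails fast on missing values, and refuses a client secret that sits in appsettings*.json. The `KeyVaultSettings` class and its `Read` method are hypothetical names; the secret is assumed to be supplied through the `KeyVault__ClientSecret` environment variable or `dotnet user-secrets`, both of which `Host.CreateDefaultBuilder` already loads.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.Json;

namespace AzureKeyVaultSecret
{
    // Hypothetical helper, not part of the article's project.
    public static class KeyVaultSettings
    {
        // Vault names are 3-24 letters, digits and hyphens; rejecting anything else keeps
        // characters such as '.', '/' or '@' out of the host part of the vault URL.
        private static readonly Regex VaultName =
            new Regex("^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$");

        public static (string VaultUri, string ClientId, string ClientSecret) Read(IConfigurationRoot root)
        {
            string vault = root["KeyVault:Vault"];
            string clientId = root["KeyVault:ClientId"];
            string clientSecret = root["KeyVault:ClientSecret"];

            if (vault == null || !VaultName.IsMatch(vault))
                throw new InvalidOperationException("KeyVault:Vault is missing or is not a valid vault name.");
            if (string.IsNullOrWhiteSpace(clientId) || string.IsNullOrWhiteSpace(clientSecret))
                throw new InvalidOperationException("KeyVault:ClientId and KeyVault:ClientSecret must be set.");

            // A secret in appsettings*.json ends up in source control and build artifacts.
            bool secretInAppSettings = root.Providers
                .OfType<JsonConfigurationProvider>()
                .Where(p => Path.GetFileName(p.Source.Path ?? "")
                    .StartsWith("appsettings", StringComparison.OrdinalIgnoreCase))
                .Any(p => p.TryGet("KeyVault:ClientSecret", out _));
            if (secretInAppSettings)
                throw new InvalidOperationException(
                    "KeyVault:ClientSecret must come from an environment variable or user secrets, not appsettings*.json.");

            return ($"https://{vault}.vault.azure.net/", clientId, clientSecret);
        }

        // Usage inside ConfigureAppConfiguration in Program.cs:
        //   var (uri, id, secret) = KeyVaultSettings.Read(config.Build());
        //   config.AddAzureKeyVault(uri, id, secret);
    }
}
```

With this in place, appsettings.json carries only `KeyVault:Vault` and `KeyVault:ClientId`, and the application refuses to start if the client secret is added to that file.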
We can create a new API controller, “ValuesController”, under the Controllers folder.
 
Modify the default code with the below code.
 
ValuesController.cs
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

namespace AzureKeyVaultSecret.Controllers
{
    [Route("api/[controller]")]
    public class ValuesController : Controller
    {
        // IConfiguration includes the Key Vault source registered in Program.cs.
        private readonly IConfiguration _configuration;

        public ValuesController(IConfiguration configuration)
        {
            _configuration = configuration;
        }

        [HttpGet]
        public string Get()
        {
            // The secret's name in Key Vault is the configuration key.
            var value = _configuration["sarathsecret"];
            return "Value for Secret [sarathsecret] is : " + value;
        }
    }
}
We can run the application and call the endpoint below.
 
https://localhost:44340/api/values
 
You will get the below value on the screen.
 
 
We have successfully retrieved the value for Key Vault Secret into the Web API application.

Conclusion


In this post, we created an app registration and a client secret for it. We created a Key Vault with a secret and granted access permissions to the app registration. We then created an ASP.NET Core Web API and fetched the secret value from Key Vault using the client ID and client secret.