Securing sensitive information such as connection strings, API keys, certificates, and authentication secrets is a critical requirement in modern cloud-native applications. Hardcoding secrets in source code or storing them in configuration files increases the risk of data breaches and compliance violations. Azure Key Vault provides a secure, centralized solution for managing secrets, encryption keys, and certificates in Microsoft Azure environments. Proper integration with ASP.NET Core and Azure services ensures enterprise-grade security and operational compliance.
This article explains how to securely store secrets in Azure Key Vault, configure access control, integrate with ASP.NET Core applications, and follow security best practices for production environments.
What Is Azure Key Vault?
Azure Key Vault is a cloud service that securely stores:
It provides hardware security module (HSM)-backed protection, access control via Azure Active Directory, audit logging, and automatic secret versioning.
Using Azure Key Vault eliminates the need to store sensitive configuration data in appsettings.json or environment variables.
Step 1: Create an Azure Key Vault
In the Azure Portal:
Navigate to Azure Key Vault.
Click Create.
Provide subscription, resource group, and vault name.
Select region and pricing tier.
Enable soft delete and purge protection.
After creation, the Key Vault becomes available for secret storage.
Step 2: Add a Secret to Azure Key Vault
Inside the Key Vault:
Go to Secrets.
Click Generate/Import.
Enter secret name and value.
Click Create.
Example secret:
Azure automatically manages secret versions.
Step 3: Configure Access Control Using Azure RBAC or Access Policies
To allow an ASP.NET Core application to access Key Vault, assign permissions.
Option 1: Use Role-Based Access Control (Recommended)
Assign the role:
Option 2: Use Access Policies
Grant permissions such as:
Access control is managed through Microsoft Entra ID (Azure AD).
Step 4: Enable Managed Identity for ASP.NET Core Application
If hosting in Azure App Service:
Enable System-Assigned Managed Identity.
Assign Key Vault access role to the managed identity.
Managed Identity removes the need to store service credentials in configuration files.
Step 5: Install Required NuGet Packages
Install:
Step 6: Integrate Azure Key Vault in ASP.NET Core
Update Program.cs:
using Azure.Identity;
var builder = WebApplication.CreateBuilder(args);
builder.Configuration.AddAzureKeyVault(
new Uri("https://your-keyvault-name.vault.azure.net/"),
new DefaultAzureCredential());
var app = builder.Build();
app.MapGet("/config", (IConfiguration config) =>
{
var connectionString = config["DbConnectionString"];
return Results.Ok(connectionString);
});
app.Run();
DefaultAzureCredential automatically authenticates using Managed Identity in production and local credentials during development.
Using Secrets in appsettings Configuration
After integration, you can reference secrets like regular configuration values:
var connectionString = builder.Configuration["DbConnectionString"];
No sensitive data is stored in source control.
Security Best Practices
Enable soft delete and purge protection
Use Managed Identity instead of client secrets
Restrict network access using private endpoints
Rotate secrets regularly
Monitor access logs and audit events
Avoid granting excessive permissions
Proper governance ensures secure secret lifecycle management.
Common Mistakes to Avoid
Hardcoding Key Vault credentials
Storing secrets in plain text configuration
Not enabling access control policies
Ignoring secret rotation strategy
Over-permissioning service identities
Secure configuration management reduces risk in cloud deployments.
Summary
Storing secrets securely in Azure Key Vault ensures centralized, encrypted management of sensitive data such as API keys, connection strings, and certificates. By creating a Key Vault, configuring access control through Azure RBAC or access policies, enabling Managed Identity, and integrating Azure Key Vault with ASP.NET Core using DefaultAzureCredential, developers can eliminate hardcoded secrets and enhance application security. Following best practices such as secret rotation, least-privilege access, network restrictions, and audit monitoring helps build secure, compliant, and enterprise-ready cloud applications.