Introduction
This article gives a walkthrough on how to take an existing ASP.NET application running in Azure App Service, and without touching the C# code, configure it in a way that it will retrieve its sensitive configuration values from a Key Vault instead of its Web.config or App.Config file.
The way how the application reads the configuration, e.g. ConfigurationManager.AppSettings["MyDatabaseConnectionString"] today, that value would come directly from a secret in Key Vault, all without modifying anything in the actual source code of your app.
This is also without storing the Key Vault connection string or credentials in your application configuration file and makes it very easily redeployable across environments.
Framework and Configuration Builder
This guideline is for an ASP.NET project targeting .NET Framework 4.7.1 or later and Configuration Builders which are only available in recent versions of the framework.
Configuration builders in ASP.NET provide a way to modify and/or override the values coming from your configuration files (Web.config in the case of ASP.NET) by using different sources (environment variables, Key Vault, etc.). This means that you can store your config values in other places than those files without modifying the parts of your application that are dependent on those values.
Implementation Steps
- Add secrets to the Key Vault: Add the secrets to the Key Vault and It’s important that the secrets must have the same name as the app settings you would like to replace with them. So, for example, if you have an app setting with the key MyDatabaseConnectionString in your
Web.config file, you must create a secret with the same name and the relevant value in Key Vault.
Steps to create Key Vault
- Give access to your Web App to the secrets stored in Key Vault. The recommended approach is to use Web App’s managed identity feature. This feature will provide a Web App with its own identity in Azure Active Directory and the application will be able to authenticate with Key Vault using that identity. The benefit of this is that the only information that is needed to pass to the application is the name of the Key Vault instance to connect to.
a. Enable System Managed Identity on the Web App:
b. Grant access to the web app on the Key Vault with relevant permissions
-
Go to your Key Vault and navigate to Access Policies in the left navigation:
-
Select the required permissions. In this case, we need to Get and List secret permissions. Select Principal and search for the web application to be granted access. Click add and then save access.
Visual Studio and Azure Key Vault as Connected Service: Right click the project in the solution and add Key Vault as a connected service to it. This will add a following of NuGet packages to your project:
Microsoft.Azure.KeyVault
Microsoft.Azure.KeyVault.WebKey
Microsoft.Azure.Services.AppAuthentication
Microsoft.Configuration.ConfigurationBuilders.Azure
Microsoft.Configuration.ConfigurationBuilders.Base
Microsoft.IdentityModel.Clients.ActiveDirectory
Microsoft.Rest.ClientRuntime
Microsoft.Rest.ClientRuntime.Azure
Note
For Azure Web Jobs project types, where Azure Key Vault Connected Service is not available, the above NuGet Packages can be added directly. Also added is a configuration builder - point to the Key Vault instance chosen during the setup in Web.config or App.config file. Next, remove the vaultUri attribute of the freshly added Key Vault builder.
Then replace the AppSettings and Connection String tag in your Web.config with this:
Locally Debugging Steps
Login to Visual Studio with your Azure Account, which needs to be added to Key Vault, exactly the same way we add the Web App service principal earlier.
After this, whenever we debug our application locally, it will authenticate against Key Vault using our own Azure account and our app will be able to access the secrets just like when it is running on App Service.
Deployment using Azure DevOps
As we deploy our application on multiple environments (Dev, QA, Prod..), we need to ensure the Key Vault Name relevant to the environment is added in the below configurations
We can use some XML transformation as part of our CD pipeline to replace the name of the Key Vault before each deployment, but below is a simple solution to this is to
ensure the NuGet package 'Microsoft.Configuration.ConfigurationBuilders.Azure' is upgraded to 2.0.0.0
In the configBuilders node, replace the vaultName value with '${Key_Vault_Name}' (this can be any name)
Add an app setting with the same name as below:
Replace this App Setting value in your CD pipeline using Azure DevOps Variables with the respective environment Key Vault Name.