Securing .NET/ASP.NET Core Apps with Azure Key Vault Middleware

Introduction

Securing secrets in a .NET/ASP.NET Core application using Azure Key Vault is crucial for protecting sensitive information like API keys, connection strings, and other configurations. In this example, we'll walk through creating an ASP.NET Core application that leverages Azure Key Vault to store and retrieve secrets. We'll also implement custom middleware for secure secret retrieval in real-time.

Prerequisites

1. Visual Studio or Visual Studio Code
2. Azure subscription
3. .NET SDK installed (at least .NET 5)
4. Azure Key Vault was created and configured

Step 1. Create an Azure Key Vault

1. Go to the Azure Portal (https://portal.azure.com).
2. Click on "+ Create a resource" and search for "Key Vault."
3. Create a new Key Vault and configure access policies as needed.
4. Step 2: Create an ASP.NET Core Application

Step 2. Open Visual Studio or Visual Studio Code

Create a new ASP.NET Core application with the following command.

dotnet new webapp -n SecretStorageApp

Step 3. Add Required NuGet Packages

In your project, you'll need to add the following NuGet packages:

dotnet add package Azure.Identity
dotnet add package Azure.Extensions.AspNetCore.Configuration.Secrets

Step 4. Configure Azure Key Vault Access

In the appsettings.json file, add a section for Azure Key Vault configuration. Replace YourKeyVaultName and YourAzureClientId with your actual Key Vault name and Azure AD Application Client ID.

Author: Sardar Mudassar Ali Khan
{
  "AzureKeyVault": {
    "VaultName": "YourKeyVaultName",
    "ClientId": "YourAzureClientId"
  },
}

Step 5. Configure Azure Key Vault Access in Startup.cs

In your Startup.cs, configure the application to use Azure Key Vault as a configuration provider. Also, add a custom middleware to retrieve secrets.

using Azure.Identity;
using Azure.Extensions.AspNetCore.Configuration.Secrets;

Author: Sardar Mudassar Ali khan
public void ConfigureServices(IServiceCollection services)
{
    
    services.AddAzureAppConfiguration(Configuration["AzureKeyVault:VaultName"])
        .AddAzureKeyVault(new DefaultAzureCredential());
 
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{

    app.UseMiddleware<SecretMiddleware>();

}

Step 6. Implement the Custom Middleware

Create a custom middleware called SecretMiddleware.cs.

using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using System.Threading.Tasks;

Author: Sardar Mudassar Ali khan
public class SecretMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IConfiguration _configuration;

    public SecretMiddleware(RequestDelegate next, IConfiguration configuration)
    {
        _next = next;
        _configuration = configuration;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var secretValue = _configuration["MySecretKey"]; // Replace with your secret key

        await context.Response.WriteAsync($"Secret Value: {secretValue}");
    }
}

Step 7. Use Secrets in Your Application

You can now use the retrieved secrets (MySecretKey in this example) as needed within your application.

Step 8. Run Your Application

Run your ASP.NET Core application:

dotnet run

Your application should now be using Azure Key Vault to securely retrieve secrets in real time using the custom middleware.

Remember to manage your secrets and access control in Azure Key Vault to maintain a secure and compliant application.

Conclusion

Securing secrets in .NET/ASP.NET Core applications using Azure Key Vault is a fundamental practice to protect sensitive information. This example demonstrated how to achieve this through a step-by-step process:

1. Create an Azure Key Vault: Set up a Key Vault in the Azure portal, configuring access policies as needed to ensure security.
2. Create an ASP.NET Core Application: Start by creating a new ASP.NET Core application using Visual Studio or Visual Studio Code.
3. Add Required NuGet Packages: Install the necessary NuGet packages, including Azure. Identity and Azure.Extensions.AspNetCore.Configuration.Secrets.
4. Configure Azure Key Vault Access: In the appsettings.json file, define Azure Key Vault configuration details, such as the vault name and Azure AD Client ID.
5. Configure Azure Key Vault Access in Startup.cs: In your application's Startup. cs, set up Azure Key Vault as a configuration provider using the Azure SDK. Additionally, add a custom middleware to retrieve secrets in real-time.
6. Implement Custom Middleware: Create a custom middleware, like SecretMiddleware, to fetch and use secrets from Azure Key Vault within your application.
7. Use Secrets in Your Application: You can now use the retrieved secrets securely in your application code, such as API keys or connection strings.
8. Run Your Application: Finally, run your ASP.NET Core application to see it in action. It will securely retrieve and use secrets from Azure Key Vault.

Remember that the security of your application relies on managing access control and secrets within Azure Key Vault. This example provides a foundation for implementing secret management in ASP.NET Core, and you can extend it to suit your specific needs and incorporate additional security measures as required. Always follow best practices for securing secrets and maintain compliance with your organization's security policies.