Security  

Securing Secrets in Web Apps Using Azure Key Vault and AWS Secrets Manager

Introduction

In modern web applications, protecting sensitive information like database credentials, API keys, connection strings, and encryption secrets is a critical part of application security. Hardcoding secrets in configuration files or storing them in source control (like GitHub) can lead to data breaches and compliance violations.

This article explores how to secure secrets in web apps using Azure Key Vault and AWS Secrets Manager, focusing on best practices, implementation steps, and integration with ASP.NET Core and Angular-based enterprise solutions.

Why Secure Secrets?

Before diving into tools, it’s essential to understand what counts as a “secret” and why securing them matters.

Common secrets include:

  • Database connection strings

  • API tokens (e.g., Stripe, Google, OpenAI)

  • Encryption keys and certificates

  • OAuth credentials

  • Cloud service access keys

Risks of unsecured secrets:

  • Unauthorized data access

  • Service disruption or manipulation

  • Financial losses due to leaked cloud credentials

  • Non-compliance with standards (GDPR, HIPAA, ISO 27001)

Overview of Secret Management

Secret management involves securely storing, accessing, rotating, and auditing secrets throughout an application’s lifecycle.

A secure secret management solution should provide:

  • Encryption at rest and in transit

  • Access control policies

  • Automated secret rotation

  • Audit logging

  • Integration with cloud services and applications

Azure Key Vault Overview

Azure Key Vault is a Microsoft Azure service for securely managing secrets, certificates, and encryption keys. It integrates seamlessly with Azure Active Directory (AAD) and ASP.NET Core applications.

Key Features

  • Secure storage of secrets and certificates

  • Access control via Azure Role-Based Access Control (RBAC)

  • Versioning and rotation

  • Centralized secret lifecycle management

Technical Workflow (Azure Key Vault Integration)

Flowchart: Secret Retrieval in ASP.NET Core via Azure Key Vault

[Web App Startup]
       ↓
[Authenticate via Managed Identity]
       ↓
[Request Secret from Azure Key Vault]
       ↓
[Retrieve Encrypted Secret]
       ↓
[Decrypt & Inject into Configuration]
       ↓
[Use Secret in Application Code]

Implementing Azure Key Vault in ASP.NET Core

Step 1: Enable Managed Identity (Azure App Service)
In Azure Portal:

  • Navigate to your App Service → Identity → System Assigned → On

Step 2: Create a Key Vault and Add Secrets

az keyvault create --name MyAppKeyVault --resource-group MyRG --location eastus
az keyvault secret set --vault-name MyAppKeyVault --name "DbConnectionString" --value "Server=...;Database=..."

Step 3: Assign Access Policy to the App Service

az keyvault set-policy --name MyAppKeyVault --spn <AppIdentityClientId> --secret-permissions get list

Step 4: Integrate Key Vault in ASP.NET Core
In your Program.cs or Startup.cs:

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var builder = WebApplication.CreateBuilder(args);

var keyVaultName = builder.Configuration["KeyVaultName"];
var kvUri = $"https://{keyVaultName}.vault.azure.net/";

builder.Configuration.AddAzureKeyVault(new Uri(kvUri), new DefaultAzureCredential());

var app = builder.Build();

var secretValue = builder.Configuration["DbConnectionString"];
Console.WriteLine($"Database Connection: {secretValue}");

Step 5: Access Secrets Securely in Code
You can now use secrets via IConfiguration without exposing them in appsettings.json.

AWS Secrets Manager Overview

AWS Secrets Manager serves a similar purpose for applications hosted on Amazon Web Services. It helps store, rotate, and manage access to sensitive information securely.

Key Features

  • Fine-grained access control via AWS IAM policies

  • Automatic secret rotation using AWS Lambda

  • Encryption using AWS KMS (Key Management Service)

  • SDK integration for multiple platforms (.NET, Node.js, Python, etc.)

Technical Workflow (AWS Secrets Manager Integration)

Flowchart: Secret Retrieval in ASP.NET Core via AWS Secrets Manager

[Application Startup]
       ↓
[AWS SDK Authenticates via IAM Role]
       ↓
[Request Secret from Secrets Manager]
       ↓
[Decrypt Secret using KMS]
       ↓
[Inject into Configuration or Environment Variables]
       ↓
[Use in Application Code]

Implementing AWS Secrets Manager in ASP.NET Core

Step 1: Store Secret in Secrets Manager

aws secretsmanager create-secret --name MyAppSecret \
    --secret-string '{"DbConnection":"Server=...;Database=...;"}'

Step 2: Assign IAM Role to Application (e.g., EC2, Lambda, ECS)

Step 3: Retrieve Secrets in ASP.NET Core

Install required package:

dotnet add package AWSSDK.SecretsManager

Code Example

using Amazon;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Model;
using System.Text.Json;

public class AwsSecretService
{
    private readonly IAmazonSecretsManager _secretsManager;

    public AwsSecretService()
    {
        _secretsManager = new AmazonSecretsManagerClient(RegionEndpoint.USEast1);
    }

    public async Task<string> GetSecretAsync(string secretName)
    {
        var response = await _secretsManager.GetSecretValueAsync(new GetSecretValueRequest
        {
            SecretId = secretName
        });

        var secret = JsonSerializer.Deserialize<Dictionary<string, string>>(response.SecretString);
        return secret["DbConnection"];
    }
}

Integration with Angular Frontend

Although secrets should never be stored in frontend code, you can securely fetch tokens or configurations via your ASP.NET Core API.

Example secure configuration endpoint:

[Authorize]
[ApiController]
[Route("api/config")]
public class ConfigController : ControllerBase
{
    private readonly IConfiguration _config;
    public ConfigController(IConfiguration config) => _config = config;

    [HttpGet("secure")]
    public IActionResult GetConfig() => Ok(new { apiUrl = _config["SecureApiUrl"] });
}

Angular will consume this API using an authorized HTTP call instead of exposing keys directly.

Best Practices for Secret Management

  1. Never hardcode secrets in code or configuration files.

  2. Use Managed Identities or IAM roles for access instead of static credentials.

  3. Enable audit logging to monitor secret access patterns.

  4. Regularly rotate secrets to reduce exposure risk.

  5. Encrypt all traffic using HTTPS/TLS 1.2+.

  6. Implement least privilege access via RBAC/IAM.

  7. Use environment variables in CI/CD pipelines instead of embedding secrets.

CI/CD Integration Example (Azure DevOps / Jenkins)

During deployment, secrets can be injected dynamically using environment variables or configuration transforms.

Example (Azure DevOps YAML)

variables:
  - group: KeyVaultSecrets

steps:
  - task: AzureKeyVault@2
    inputs:
      azureSubscription: 'MyAzureConnection'
      KeyVaultName: 'MyAppKeyVault'
      SecretsFilter: '*'

The secrets retrieved from Key Vault are automatically injected into the pipeline runtime for your .NET deployment process.

Conclusion

Securing secrets is one of the foundational steps in protecting enterprise web applications. With Azure Key Vault and AWS Secrets Manager, developers can eliminate hardcoded credentials, automate secret rotation, and maintain compliance across distributed systems.

By integrating these services into your ASP.NET Core backend and Angular frontend, you create a robust, scalable, and secure foundation for cloud-based web applications.

In essence, proper secret management is not an option — it’s a necessity for building modern, secure, and compliant digital solutions.

Membership not found