Modern applications often need to manage sensitive secrets like database connection strings, API keys, and encryption keys. Storing these secrets in appsettings.json or hardcoding them into the source code is a huge security risk.
Cloud providers like Azure and AWS offer secure vaults—Azure Key Vault and AWS Key Management Service (KMS)—to centrally manage and protect secrets, keys, and certificates.
This article shows how to integrate Azure Key Vault and AWS KMS into your ASP.NET Core applications for secure secret management.
## Why Use a Secret Manager?

- Centralized Secret Storage – Keep all secrets in one secure place.
- Key Rotation – Rotate encryption keys without changing code.
- Access Control – Fine-grained access policies using managed identities/IAM.
- Auditing & Logging – Monitor secret usage for compliance.
- No Hardcoding – Prevent leaks from config files or source control.
## Option 1. Using Azure Key Vault in ASP.NET Core
Azure Key Vault securely stores secrets, certificates, and encryption keys.
### 1. Add NuGet packages

```bash
dotnet add package Azure.Identity
dotnet add package Azure.Security.KeyVault.Secrets
# Provides the AddAzureKeyVault() configuration extension used in Program.cs
dotnet add package Azure.Extensions.AspNetCore.Configuration.Secrets
```
### 2. Configure Key Vault in Program.cs

```csharp
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);

// Only the vault *name* lives in appsettings.json; the secrets themselves never do.
var keyVaultName = builder.Configuration["KeyVaultName"]
    ?? throw new InvalidOperationException("KeyVaultName is not configured.");
var kvUri = new Uri($"https://{keyVaultName}.vault.azure.net/");

// Registers Key Vault as a configuration source; secrets are loaded at startup
// and exposed through IConfiguration like any other setting.
builder.Configuration.AddAzureKeyVault(kvUri, new DefaultAzureCredential());

// Add services
builder.Services.AddControllers();

var app = builder.Build();
app.MapControllers();
app.Run();
```
Note: `DefaultAzureCredential` automatically tries different authentication methods (Managed Identity, Visual Studio login, CLI credentials). In production, you should prefer Managed Identity.
### 3. Access Secrets

```csharp
// The secret is read through IConfiguration; the key is the Key Vault secret name
// (a "--" in the name maps to ":" for hierarchical configuration keys).
var secretValue = builder.Configuration["MyApp-DbConnection"];

// Demo only: never write secret values to logs or console in a real application.
Console.WriteLine($"DB Connection: {secretValue}");
```
### 4. Store Secrets in Key Vault

```bash
az keyvault secret set --vault-name "<YourKeyVaultName>" --name "MyApp-DbConnection" --value "<YourConnectionString>"
```

Now your app reads the secret securely from Key Vault instead of appsettings.json.
## Option 2. Using AWS KMS and Secrets Manager in ASP.NET Core
AWS offers KMS for key management and Secrets Manager for secure storage. In most .NET Core apps, you’ll combine both.
### 1. Add NuGet packages

```bash
dotnet add package AWSSDK.SecretsManager
dotnet add package AWSSDK.Extensions.NETCore.Setup
```
### 2. Configure AWS in Program.cs

```csharp
using Amazon.SecretsManager;

var builder = WebApplication.CreateBuilder(args);

// Add AWS services with credentials from environment/IAM role.
// GetAWSOptions() reads the optional "AWS" section (Region, Profile) from configuration;
// no access keys are stored in the app.
builder.Services.AddDefaultAWSOptions(builder.Configuration.GetAWSOptions());
builder.Services.AddAWSService<IAmazonSecretsManager>();

// Register the secret-fetching service defined in step 3 so it can be injected.
builder.Services.AddSingleton<AwsSecretService>();

builder.Services.AddControllers();

var app = builder.Build();
app.MapControllers();
app.Run();
```
### 3. Fetch Secrets from AWS Secrets Manager

```csharp
using Amazon.SecretsManager;
using Amazon.SecretsManager.Model;

public class AwsSecretService
{
    private readonly IAmazonSecretsManager _secretsManager;

    // IAmazonSecretsManager is injected by the AddAWSService<> registration in Program.cs.
    public AwsSecretService(IAmazonSecretsManager secretsManager)
    {
        _secretsManager = secretsManager;
    }

    public async Task<string> GetSecretAsync(string secretName)
    {
        var request = new GetSecretValueRequest
        {
            SecretId = secretName
        };

        var response = await _secretsManager.GetSecretValueAsync(request);

        // SecretString is null when the secret was stored as binary (SecretBinary).
        return response.SecretString
            ?? throw new InvalidOperationException($"Secret '{secretName}' has no string value.");
    }
}
```
### 4. Store a Secret in AWS

```bash
aws secretsmanager create-secret \
  --name MyApp-DbConnection \
  --secret-string "<YourConnectionString>"
```
Your app can now fetch the connection string securely at runtime.
## Azure Key Vault vs AWS KMS/Secrets Manager

| Feature | Azure Key Vault | AWS KMS + Secrets Manager |
|---|---|---|
| Secret Storage | Secrets, Certificates, Keys | Secrets Manager (for secrets) |
| Key Management | Built-in (keys + HSM-backed) | KMS (HSM-backed) |
| Access Control | Azure AD + RBAC | AWS IAM Policies |
| Key Rotation | Supported (automatic/manual) | Supported (automatic/manual) |
| Integration | Azure services (App Service, Functions) | AWS services (EC2, Lambda, ECS) |
| SDK for .NET | Azure.Security.KeyVault.* | AWSSDK.SecretsManager, AWSSDK.KeyManagementService |
## Best Practices

- Use Managed Identities (Azure) or IAM Roles (AWS) – avoid embedding credentials.
- Rotate secrets and keys regularly.
- Limit access with least privilege.
- Enable auditing and logging for compliance.
- Cache secrets temporarily to avoid throttling API calls.
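As an added example (not the article's code), here is a hypothetical `CachedAwsSecretService` that applies the caching best practice above to the `AwsSecretService` pattern from Option 2; it assumes the `Microsoft.Extensions.Caching.Memory` package and secrets stored as JSON, and the `DbCredential` record is a constructed shape for illustration.

```csharp
using System.Text.Json;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Model;
using Microsoft.Extensions.Caching.Memory;

// Hypothetical cached wrapper around IAmazonSecretsManager. Register it in
// Program.cs next to the page's AddAWSService<IAmazonSecretsManager>() call:
//   builder.Services.AddMemoryCache();
//   builder.Services.AddSingleton<CachedAwsSecretService>();
public sealed class CachedAwsSecretService
{
    private static readonly JsonSerializerOptions JsonOptions = new() { PropertyNameCaseInsensitive = true };
    private readonly IAmazonSecretsManager _secretsManager;
    private readonly IMemoryCache _cache;
    // Short TTL: rotated values are picked up within minutes, while a busy
    // endpoint no longer issues one GetSecretValue call per request.
    private readonly TimeSpan _ttl = TimeSpan.FromMinutes(5);
    public CachedAwsSecretService(IAmazonSecretsManager secretsManager, IMemoryCache cache)
    {
        _secretsManager = secretsManager;
        _cache = cache;
    }
    public async Task<string> GetSecretAsync(string secretName, CancellationToken ct = default)
    {
        // If the factory throws, nothing is cached and the next caller retries.
        var value = await _cache.GetOrCreateAsync($"aws-secret:{secretName}", async entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = _ttl;
            var response = await _secretsManager.GetSecretValueAsync(
                new GetSecretValueRequest { SecretId = secretName }, ct);
            // Secrets Manager returns SecretString or SecretBinary, never both.
            return response.SecretString
                ?? throw new InvalidOperationException($"Secret '{secretName}' is binary.");
        });
        return value!;
    }
    // Secrets Manager commonly stores JSON such as {"username":"..","password":".."};
    // bind it to a record so callers never handle the raw string.
    public async Task<T> GetSecretAsync<T>(string secretName, CancellationToken ct = default) where T : class
    {
        var json = await GetSecretAsync(secretName, ct);
        return JsonSerializer.Deserialize<T>(json, JsonOptions)
            ?? throw new InvalidOperationException($"Secret '{secretName}' is not {typeof(T).Name} JSON.");
    }
}

// Constructed example shape for a database credential stored as JSON.
public sealed record DbCredential(string Username, string Password, string Host, int Port);
```

A controller can then call `await secrets.GetSecretAsync<DbCredential>("MyApp-DbConnection")` and the cache absorbs repeated requests until the TTL expires.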
## Conclusion
Integrating Azure Key Vault or AWS KMS + Secrets Manager with ASP.NET Core allows you to build secure, cloud-native applications. Instead of relying on insecure configuration files, your secrets are stored in hardened, auditable vaults with built-in rotation and access control.
For Azure-first apps, Azure Key Vault integrates seamlessly with ASP.NET Core. For AWS workloads, KMS + Secrets Manager is the recommended choice. Both approaches provide robust security, regulatory compliance, and operational simplicity.