- Introduction into managing Application Secrets in Azure App Configuration Service with .NET Core (current post)
- Managing Application Secrets in Azure App Configuration Service with .NET Core Code Walkthrough (next)
Whether you are writing an ASP.NET Core website or a new .NET Core based application that will be run somewhere in the cloud you are almost always confronted with the question of where to reliably and securely store the application secrets.
With the introduction of Microsoft.Extensions.Configuration, Microsoft has introduced an extensible configuration model that can be extended by different configuration providers. By default, those configuration providers allow loading application-specific settings such as
For storing Azure test and production secrets, Microsoft's recommendation was to use the Azure Key Vault configuration provider. With the Key Vault provider, sensitive information is stored in the highly secure Azure Key Vault service. This approach lets you combine it with managed identities for Azure resources, so the app authenticates to Azure Key Vault via Azure AD authentication without any credentials stored in the application code. Key Vault, though, does not provide higher-level functionality such as
- Managing and distributing of hierarchical configuration data for different environments and geographies
- Dynamic configuration changes without redeploying or restarting an application
- Feature management
If such functionality was desired, it had to be built as custom infrastructure on top of Key Vault. With the recently introduced App Configuration Service in Azure (currently in preview), these days are over! The service offers the following benefits:
- A fully managed service that can be set up in minutes.
- Flexible key representations and mappings.
- Tagging with labels.
- Point-in-time replay of settings.
- Comparison of two sets of configurations on custom-defined dimensions.
- Enhanced security through Azure-managed identities.
- Complete data encryption, at rest and in transit.
- Native integration with popular frameworks.
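To make the benefits above concrete, here is an added example (not the author's walkthrough from the next post) of a .NET Core Generic Host that bootstraps the Azure App Configuration provider with a managed identity, layers environment-specific labels over unlabelled defaults, resolves Key Vault references with the same identity, and registers a sentinel key for dynamic reload. The environment variable `APPCONFIG_ENDPOINT`, the `Sentinel` key and the `Db:ConnectionString` setting are assumptions for the example.

```csharp
// Added example: Generic Host + Azure App Configuration via managed identity.
// Assumed: APPCONFIG_ENDPOINT holds the store endpoint, settings are labelled per
// environment (e.g. "Production"), and a key named "Sentinel" is bumped whenever
// a batch of settings should be reloaded. No connection string or secret lives in code.
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public static class Program
{
    public static async Task Main(string[] args)
    {
        var host = Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                var endpoint = Environment.GetEnvironmentVariable("APPCONFIG_ENDPOINT")
                    ?? throw new InvalidOperationException("APPCONFIG_ENDPOINT is not set");
                var credential = new ManagedIdentityCredential(); // Azure AD token, no secret in code

                config.AddAzureAppConfiguration(options =>
                {
                    options.Connect(new Uri(endpoint), credential)
                        // Unlabelled keys are the defaults; the environment label overrides them.
                        .Select(KeyFilter.Any, LabelFilter.Null)
                        .Select(KeyFilter.Any, context.HostingEnvironment.EnvironmentName)
                        // Key Vault references are resolved with the same identity, so the
                        // secret value itself never sits in the App Configuration store.
                        .ConfigureKeyVault(kv => kv.SetCredential(credential))
                        // Changing "Sentinel" reloads every registered setting without a restart.
                        .ConfigureRefresh(refresh => refresh
                            .Register("Sentinel", refreshAll: true)
                            .SetCacheExpiration(TimeSpan.FromMinutes(1)));
                });
            })
            // Registers IConfigurationRefresherProvider so the app can trigger refreshes.
            .ConfigureServices(services => services.AddAzureAppConfiguration())
            .Build();

        // Merged, resolved value (assumed key); a hosted service would call
        // TryRefreshAsync() on each refresher periodically to pick up changes.
        var configuration = host.Services.GetRequiredService<IConfiguration>();
        Console.WriteLine(string.IsNullOrEmpty(configuration["Db:ConnectionString"])
            ? "Db:ConnectionString not found" : "Db:ConnectionString loaded");

        await host.RunAsync();
    }
}
```

The identity running the host needs the App Configuration Data Reader role on the store and a Key Vault secrets read permission for any referenced vault; without them the provider fails at startup rather than silently falling back to an unprotected value.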
In the next installment I will walk through a .NET Core application using the Generic Host and leveraging the App Configuration service to manage and dynamically reload secrets.
(1) You don't have to search too far to find an example. A pull request that contains code reading environment variables within a unit test that is automatically executed by a build environment might already be enough.