Azure key vault is one of best secure place to dealing with secret exchange through azure cloud storage.
Benefits:
- Run-time we can update vault values possible.
- Expiration can be set, Validity for specific key secret possible
- Versioning for secret is possible.
Let's try to consume Azure key vault using Nuget for C# .net.
Below is the nuget, I've utilized you can refer for the same. versioning can be upgradable/downgrade as per your requirement.
- Azure.Identity (version 1.6.1)
- Azure.Security.KeyVault.Secrets (version 4.3.0)
We have to create key vault in azure portal, and in-order to consume secret using tenant/clientid/secret, we have to register app in azure portal, which we need to map with with key-Vault.
App registration:
Key vault App registration Mapping:
Key vault Permission grant/access with app registration.
using Azure.Identity;using Azure.Security.KeyVault.Secrets;using System;using System.Collections.Generic;using System.Collections.Specialized;using System.Configuration;using System.Linq;using System.Text;using System.Threading;using System.Threading.Tasks;namespace VaultService{public class KeyVaultHelper{private static NameValueCollection appSettings = ConfigurationManager.AppSettings;public static string AzureKeyVaultUrl; //=appSettings["AzureKeyVaultUrl"];public static string TenantId; //= appSettings["TenentId"];public static string ClientId; //= appSettings["SASClientId"];public static string Secrets; //= appSettings["SASClientSecret"];public KeyVaultHelper(){if (appSettings != null &&string.IsNullOrWhiteSpace(AzureKeyVaultUrl)|| string.IsNullOrWhiteSpace(TenantId)|| string.IsNullOrWhiteSpace(ClientId)|| string.IsNullOrWhiteSpace(Secrets)){AzureKeyVaultUrl = appSettings["AzureKeyVaultUrl"];TenantId = appSettings["SASTenantId"];ClientId = appSettings["SASClientId"];Secrets = appSettings["SASClientSecret"];}}private static async Task SetEnvVariableToKeyValut(){AzureKeyVaultUrl = appSettings["AzureKeyVaultUrl"];TenantId = appSettings["SASTenantId"];ClientId = appSettings["SASClientId"];Secrets = appSettings["SASClientSecret"];await Task.CompletedTask;}
//GET SECRET CLIENT
private static async Task<SecretClient> GetSecretClient(){SecretClientOptions options = new SecretClientOptions(){Retry ={Delay= TimeSpan.FromSeconds(2),MaxDelay = TimeSpan.FromSeconds(16),MaxRetries = 5,Mode = Azure.Core.RetryMode.Exponential},};if(string.IsNullOrEmpty(TenantId) || string.IsNullOrEmpty(ClientId) || string.IsNullOrEmpty(Secrets)){await SetEnvVariableToKeyValut();}ClientSecretCredential clientSecretCredential = new ClientSecretCredential(TenantId,ClientId, Secrets);var secretClient = new SecretClient(new Uri(AzureKeyVaultUrl), clientSecretCredential);return await Task.FromResult(secretClient);}public static async Task<string> GetKeyVaultValueAsync(string key){try{//Get ket valutvar cancelToken = new CancellationToken();SecretClient secretClient = await GetSecretClient();KeyVaultSecret keyVaultSecret = await secretClient.GetSecretAsync(key, null, cancelToken);return await Task.FromResult(keyVaultSecret?.Value);}catch (Exception ex){return string.Empty;}}public static async Task<bool> SetKeyVaultValueAsync(string key, string value, SecretClient client = null){// Create a new secret using the secret client.var cancelToken = new CancellationToken();try{if (client == null){client = await GetSecretClient();}KeyVaultSecret secret = await client.SetSecretAsync(key, value, cancelToken);return await Task.FromResult(secret != null ? true : false);}catch (Exception exx){return false;}}public static async Task<bool> DeleteVaultValueAsync(string key, SecretClient client = null){// Delete a new secret using the secret client.var cancelToken = new CancellationToken();try{if (client == null){client = await GetSecretClient();}var secret = await client.StartDeleteSecretAsync(key, cancelToken);return await Task.FromResult(secret != null ? true : false);}catch (Exception ex){return false;}}}}
Above code snippet use-ful while consuming Key vault.
Please feel free to connect in-case if you face any challenge, gjinformatic@gmail.com or comment here.
