Saturday, 17 September 2022

Azure key Vault Access using C#/.Net

 Azure key vault is one of best secure place to dealing with secret exchange through azure cloud storage.

Benefits:

  • Run-time we can update vault values possible.
  • Expiration can be set, Validity for specific key secret possible
  • Versioning for secret is possible.
Let's try to consume Azure key vault using Nuget for C# .net.
Below is the nuget, I've utilized you can refer for the same. versioning can be upgradable/downgrade as per your requirement.
  • Azure.Identity (version 1.6.1)
  • Azure.Security.KeyVault.Secrets (version 4.3.0)


We have to create key vault in azure portal, and in-order to consume secret using tenant/clientid/secret, we have to register app in azure portal, which we need to map with with key-Vault.
App registration:
Once we will create app, it will provide us clientId, and secret, same app need to assign to key vault.
Key vault App registration Mapping:

Key vault Permission grant/access with app registration.


Below code base for helper class:
KKKKK
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Linq;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

namespace VaultService
{
    public  class KeyVaultHelper
    {
        private static NameValueCollection appSettings = ConfigurationManager.AppSettings;
        public static string AzureKeyVaultUrl; //=appSettings["AzureKeyVaultUrl"];

        public static string TenantId; //= appSettings["TenentId"];

        public static string ClientId;  //= appSettings["SASClientId"];

        public static string Secrets; //= appSettings["SASClientSecret"];

        public KeyVaultHelper()
        {
            if (appSettings != null &&
                string.IsNullOrWhiteSpace(AzureKeyVaultUrl)
                || string.IsNullOrWhiteSpace(TenantId)
                || string.IsNullOrWhiteSpace(ClientId)
                || string.IsNullOrWhiteSpace(Secrets)
                )
            {
                AzureKeyVaultUrl = appSettings["AzureKeyVaultUrl"];
                TenantId = appSettings["SASTenantId"];
                ClientId = appSettings["SASClientId"];
                Secrets = appSettings["SASClientSecret"];
            }
        }
        
        private static async Task SetEnvVariableToKeyValut()
        {
            AzureKeyVaultUrl = appSettings["AzureKeyVaultUrl"];
            TenantId = appSettings["SASTenantId"];
            ClientId = appSettings["SASClientId"];
            Secrets = appSettings["SASClientSecret"];
            await Task.CompletedTask;
        }


  //GET SECRET CLIENT
        private static async Task<SecretClient> GetSecretClient()
        {
            SecretClientOptions options = new SecretClientOptions()
            {
                Retry =
                    {
                        Delay= TimeSpan.FromSeconds(2),
                        MaxDelay = TimeSpan.FromSeconds(16),
                        MaxRetries = 5,
                        Mode = Azure.Core.RetryMode.Exponential
                    },
            };
            if(string.IsNullOrEmpty(TenantId) || string.IsNullOrEmpty(ClientId) || string.IsNullOrEmpty(Secrets))
            {
                await SetEnvVariableToKeyValut();
            }
            ClientSecretCredential clientSecretCredential = new ClientSecretCredential(TenantId,
                   ClientId, Secrets);
            var secretClient = new SecretClient(new Uri(AzureKeyVaultUrl), clientSecretCredential);
            return await Task.FromResult(secretClient);
        }
        public static async Task<string> GetKeyVaultValueAsync(string key)
        {
            try
            {
                //Get ket valut
                var cancelToken = new CancellationToken();
                SecretClient secretClient = await GetSecretClient();
                KeyVaultSecret keyVaultSecret = await secretClient.GetSecretAsync(key, null, cancelToken);
                return await Task.FromResult(keyVaultSecret?.Value);
            }
            catch (Exception ex)
            {
                return string.Empty;
            }
        }

        public static async Task<bool> SetKeyVaultValueAsync(string key, string value, SecretClient client = null)
        {
            // Create a new secret using the secret client.
            var cancelToken = new CancellationToken();
            try
            {
                if (client == null)
                {
                    client = await GetSecretClient();
                }
                KeyVaultSecret secret = await client.SetSecretAsync(key, value, cancelToken);
                return await Task.FromResult(secret != null ? true : false);
            }
            catch (Exception exx)
            {
                return false;
            }
        }

        public static async Task<bool> DeleteVaultValueAsync(string key, SecretClient client = null)
        {
            // Delete a new secret using the secret client.
            var cancelToken = new CancellationToken();
            try
            {
                if (client == null)
                {
                    client = await GetSecretClient();
                }
                var secret = await client.StartDeleteSecretAsync(key, cancelToken);
                return await Task.FromResult(secret != null ? true : false);
            }
            catch (Exception ex)
            {
                return false;
            }
            
        }

    }
}

Above code snippet use-ful while consuming Key vault. 

Please feel free to connect in-case if you face any challenge, gjinformatic@gmail.com or comment here.

 


at
Labels: , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)