How to securely store and load secrets using Azure Key Vault in .NET Core (using a certificate)

Поділитися
Вставка
  • Опубліковано 26 лис 2024

КОМЕНТАРІ • 71

  • @hemantjain761
    @hemantjain761 4 роки тому +18

    I think this is one of the best video so far on Key Vault. Really appreciate your efforts.
    So basically we can connect key vault using below technique,
    1. Using Manged Identity ( System Designed),.
    2. Using Client Id & Client Secret.
    3. Using Client Id & Certificates.
    All of these needs App Registration to grant access to Key Vault.

    • @NS-nq8ip
      @NS-nq8ip 2 роки тому

      @Hemant Jain, do you know where is the code of this demo kept? Nick didn't reply to my query yet.

  • @AlexanderBelikov
    @AlexanderBelikov Рік тому +1

    Even in 2023 it's still useful! I just integrated a keyvault for the first time a-z myself. I used azure app configuration which has some keys mapped to key vault. So when I pull the configuration I'm getting both plain values and secret values in one shot. Thanks, Nick!

  • @sunnygb1718
    @sunnygb1718 4 роки тому +1

    I have been finding solution for using secret keys for almost 2 days.. This is only solution that i find workable. Thankyou very much...

  • @marcelomatg
    @marcelomatg 4 роки тому +9

    Best key vault tutorial/explanation out there by far! Great job 👏

  • @nickniebling
    @nickniebling 2 роки тому +4

    Great video! I think people using Azure All the way might find it easier with 2 changes:
    1) Use Managed Identity for Auth (skip certificate setup + increase security by making it easier to manage later without deploying new code)
    2) Use Azure App Configuration (and load secrets into Azure App Configuration using KeyVault, to get the additional audit for who accesses those keys specifically) to control config naming limitations in KeyVault in cloud
    With above you will at least get a much simpler composition root - and more cloud control (remember to manage who has access to that).
    I'm still missing the auto secret rotation feature which AWS has (that's really cool), but I guess there is a way to do that with some Azure Automation (just a shame it's not an out of the box feature like in AWS)

  • @agustinustheoo
    @agustinustheoo 3 роки тому +1

    I can't believe that a tutorial like this is free. Fantastic job Nick! Thank you so much.

  • @juanpa_g
    @juanpa_g 2 роки тому

    THIS VIDEO IS ABSOLUTE GOLD.
    Thanks Nick

  • @nagybarnabas3381
    @nagybarnabas3381 3 роки тому +2

    Great tutorial! Maybe use the CN instead of the Thumbprint, so if the Certificate expires you can load a new one without the need to redeploy the application!

  • @facundo91
    @facundo91 4 роки тому +1

    Great video! Nick, please add to the videos the corresponding Microsoft Documentation link.
    Also I hope to see soon a video on how to get the most of Azure Application Insights!!
    I loved your asp.net core Rest API tutorial, learned a lot. Thank you!

  • @FocusAmbientMusic
    @FocusAmbientMusic 3 роки тому

    Thanks Nick for sharing your knowledge. Keep up the good work.

  •  3 роки тому

    Great one! Nick, keep up the good work.

  • @andreibicu5592
    @andreibicu5592 8 місяців тому

    Hi Nick. Great video!
    I managed in the end to make it work both locally and in the cloud. Thanks!
    One question though.
    You said this method is the most secure we could use in Production. What about using a system assigned managed identity ?
    And regarding the Development, what is the preferred way ?
    1. to connect via a service principal and use the certificate locally (I believe it would be difficult, as the certificate has to be shared across devs)
    2. to be given access to the app service (and probably other clients like key vault) and using the DefaultAzureCredential, to let Azure detect the signed in user
    I'm really interested about this topic and I hope others are too, so we get a reply from you!
    Thanks again!

  • @demandt3482
    @demandt3482 10 місяців тому

    Fantastic run-through!

  • @anthony8090
    @anthony8090 3 роки тому

    The best tutorial I have seen, as I know I spent some time figuring out how to do this myself, but there's somethings that are "no bueno" and overcomplicate it.
    First of all, from the Microsoft documentation literally says...
    "Don't use prefixes on key vault secrets to place secrets for multiple apps into the same key vault or to place environmental secrets (for example, development versus production secrets) into the same vault. We recommend that different apps and development/production environments use separate key vaults to isolate app environments for the highest level of security."
    The single keyVault seems problematic and complicates how you access the secrets.
    The prefix is totally unnecessary with the per app/per env vault and eliminates the need entirely for implementing the secret manager. Also, by default, if the names follow the structure of the data in the appsettings, they'll be replaced. Again, making implementing secret manager unnecessary.
    KeyVault Name: FakeConfiguration--Prop1
    Appsettings Field: FakeConfiguration: { Prop1: ???}
    The value from the vault will magically replace it, as they're equivalent. There's literally no need to complicate it unless absolutely necessary.
    Useful documentation I used...
    docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-2.2#use-application-id-and-x509-certificate-for-non-azure-hosted-apps-1
    docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-2.2#bind-an-array-to-a-class-1
    oh yeah. If you don't want to load them all during startup, you can also access them individually via the SecretClient
    docs.microsoft.com/en-us/dotnet/api/overview/azure/security.keyvault.secrets-readme-pre

    • @MilesBH
      @MilesBH 3 роки тому

      I also find their recommendation of a prefix confusing when having a per app/per env vault structure, I guess only for versioning?

  • @arashsahami5096
    @arashsahami5096 4 роки тому

    This was a great video and a huge time saver for me. Thank you!

  • @interviewhappy
    @interviewhappy 3 роки тому

    Excellent

  • @nullentrophy
    @nullentrophy 3 роки тому +3

    How about adding keys as Azure app service configuration that will later exposed to app as env variables? What's the downside of this?
    Great content keep it up!

  • @denis-suleimanov
    @denis-suleimanov 3 роки тому

    Hello there!
    Can I ask some questions?
    1) Should we use (I mean by your opinion and recommendation) azure key vault for store DB creds etc?
    2) Did you hear about "git secret"? What do you think about that way?
    3) As I understood, certificate is strongly recommended, but not necessary? Am I right? Can we configure certificate in appSettings.json? I remember smth like that in .Net Framework and web.config times.

    • @nullentrophy
      @nullentrophy 3 роки тому

      github secret is only available inside github actions as far as I know. Its useful for testing purposes inside github.

  • @MorpheusAwoke
    @MorpheusAwoke 4 роки тому

    Great video, Nick.

  • @vvijayar
    @vvijayar 2 роки тому

    Thanks Nick for the wonderful tutorial -
    What certificate should a team purchase when application goes to Prod (since self singed certificate is recommended for Development Environment)
    Thanks

  • @dileepc2700
    @dileepc2700 Рік тому

    Hi, thank you so much for the detailed explanation. My project is in .NET MVC 4.6.2. Do you have any video that explains the same concept for .NET MVC?

  • @kaspertorp5752
    @kaspertorp5752 4 роки тому +3

    so hyped for the azure series!
    any chance of it including eventbus?

    • @nickchapsas
      @nickchapsas  4 роки тому +3

      Sorry do you mean Azure Service Bus or Azure Event Hub?

    • @naveensemwall
      @naveensemwall 4 роки тому

      Please create on Azure logic app and Service Fabric. Thanks.

    • @kaspertorp5752
      @kaspertorp5752 4 роки тому +2

      @@nickchapsas sorry - Service bus is what i meant

  • @CuriousDrive
    @CuriousDrive 4 роки тому +1

    Liked the video even before watching it. Hope you doing well.

  • @sdbhattacharya
    @sdbhattacharya 4 роки тому

    Hi, Iove all your videos. Thanks a lot for sharing your knowledge.
    Can you suggest how to reload when the values are updated in AKV?

  • @AbdulKhalilQureshi
    @AbdulKhalilQureshi 3 роки тому

    Nice explanation , can you confirm if I can use same way to secure Azure function http trigger . I want to access this function from a specific application.

  • @NS-nq8ip
    @NS-nq8ip 2 роки тому

    @Nick Chapsas, you have not implemented this project through managed identity, rather through certificate. But I heard in case of azure Key vault managed identity approach is much better than certificate. Am I correct? Will you please share your thought on my doubt?

  • @Deekudla
    @Deekudla 3 роки тому

    Great tutorial. By the way which editor you are using? It looks different from Visual Studio and VS Code.

    • @nickchapsas
      @nickchapsas  3 роки тому +1

      It’s called JetBrains Rider

  • @patrickwensel9374
    @patrickwensel9374 4 роки тому

    I think you can get openssl from Gti here: C:\Program Files\Git\usr\bin

  • @rb5535
    @rb5535 2 роки тому

    Awesome video but, given that its deprecated how do you configure it in the Program.cs file in Core 6.0 since the Startup file is no longer a thing?

  • @kartikrai1ify
    @kartikrai1ify 3 роки тому

    Could you give a diagrammatic/high-level idea of what exactly are you doing?

  • @williamdavies1977
    @williamdavies1977 4 роки тому

    Well done.

  • @evildaimyo3746
    @evildaimyo3746 3 роки тому

    The best! tnx

  • @davidboorman5435
    @davidboorman5435 3 роки тому

    Hi Nick, great tutorial as always. So I'm using SQL and have DbContext setup and registered in Startup.cs which points to connectionstrings in the appsettings.json. What changes do I need to make in startup.cs for this to work.
    services.AddDbContext(opt => opt.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
    Any help is appreciated!

  • @NS-nq8ip
    @NS-nq8ip 2 роки тому

    @Nick Chapas where is code of this project in your repository? I couldn't find that. Will you please share link of code for this demo project?

  • @sriramvellanki5255
    @sriramvellanki5255 4 роки тому

    Hi Nick, Very well explained this is a good learning. Would you please share the code. In the Github i didn't find this. Thanks in Advance

  • @erayayduran4407
    @erayayduran4407 3 роки тому

    Great tutorial Nick, where can I get the source code? I could not find it in your Github Repositories

    • @nickchapsas
      @nickchapsas  3 роки тому +1

      Check the description.

    • @NS-nq8ip
      @NS-nq8ip 2 роки тому

      ​@@nickchapsas where have you shared source code link in the description?

  • @balvvantsinghbisht3791
    @balvvantsinghbisht3791 2 роки тому

    Hi Nick,
    First of all very good article. It really helped me what i wanted to achieve. I will be greatful to you if you can help me with following queries. I am really stuck at present.
    This way of certificate works on when you host it on windows server or running in windows locally. How we can make it run in Linux server? How we can setup the development env in a mac machine?
    My application is a Service Oriented Architecture. The services are consumed by mobile and web app. So in development env I host the services locally in IIS, so that i can debug service code with mobile/web code. But the certificate is not picked up by the service so it is not be able to connect to the azure key vault.
    A timely response is highly appriciated.
    thanks

  • @iliyan-kulishev
    @iliyan-kulishev 2 роки тому

    I'm just a beginner with regards to understanding https, certificates and storing secrets in .NET. In Azure Portal, when I created the key vault, under /certificates I see that you can just generate one. Is it stupid to do that, download it and the upload for the app registration?

  • @mersy4405
    @mersy4405 2 роки тому

    Hi Nick, I have followed the video and when I deploy I got the error "Could not find certificate with thumbprint 558318C0DB6999F4AD1163A1xxxxxxxx". How can I solve that error.
    Tks for your reply Nick

  • @MS-fd7qw
    @MS-fd7qw 4 роки тому

    It looks like you'll have some additional administration to perform each year, when your certificates expire. Why not use "Identity", and "DefaultAzureCredential()". That way you won't have this problem. You would not even have to use KeyVault, you could just allow your production server access to your DB in AzureAD using RBAC. In development you get a nice single sign-on experience as well, and no passwords anywhere...

    • @nickchapsas
      @nickchapsas  4 роки тому +1

      It is actually not a problem. You can configure the certificate to be updated automatically without anyone manually doing it. I wanted to keep the video generic for anyone that wants to use KeyVault but isn't in Azure

    • @facundo91
      @facundo91 4 роки тому

      Hey M S, what if the Backend API is running on an App Service, but your Frontend API is running on another App Service. Would that still work?

    • @NS-nq8ip
      @NS-nq8ip 2 роки тому

      @@facundo91 have you got your query resolved? if the Backend API is running on an App Service, but your Frontend API is running on another App Service can we adopt automatic uploading of certificate? or there has to be a different approach?

    • @NS-nq8ip
      @NS-nq8ip 2 роки тому

      will any one reply to my query?

  • @ozsharpener
    @ozsharpener 3 роки тому

    That means there is no consistent experience on the config for multiple environments such as local development environment.

  • @sadhufit
    @sadhufit 4 роки тому

    Can we use secret name as APP_ENV in azure key vault. I tried it and it says i cannot use special characters like _

  • @argelpamintuango1956
    @argelpamintuango1956 3 роки тому

    is this applicable to Asp.Net MVC?

  • @kartikrai1ify
    @kartikrai1ify 3 роки тому +1

    Microsoft.extensions.azurekeyvault is deprecated

    • @grumpydeveloper69
      @grumpydeveloper69 3 роки тому +3

      Replaced by: Azure.Extensions.AspNetCore.Configuration.Secrets

  • @asddsa6247
    @asddsa6247 4 роки тому

    Hi Nick,
    I've getting the "Certificate is not installed" exception thrown. Any idea what I could be missing? I've posted a question here" stackoverflow.com/questions/61513887/cannot-find-certificate-azure-net-core-app
    Thanks!

    • @asddsa6247
      @asddsa6247 4 роки тому

      I think I go it. Does the boolean parameter for finding the certificate need to be false? ex. store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);

  • @portlyoldman
    @portlyoldman 3 роки тому

    This crying out for a utility (script?) and a utility library!

  • @turalaliyev1764
    @turalaliyev1764 2 роки тому

    Hello Nick. How can put Token into my Header request in SecretClient? I can take secrets with pure HttpClient. But With Secret Client I don't know where to put my Token

  • @jeffrdrama7984
    @jeffrdrama7984 2 роки тому

    Is this OK to use for usernames and passwords?