I think this is one of the best video so far on Key Vault. Really appreciate your efforts. So basically we can connect key vault using below technique, 1. Using Manged Identity ( System Designed),. 2. Using Client Id & Client Secret. 3. Using Client Id & Certificates. All of these needs App Registration to grant access to Key Vault.
Even in 2023 it's still useful! I just integrated a keyvault for the first time a-z myself. I used azure app configuration which has some keys mapped to key vault. So when I pull the configuration I'm getting both plain values and secret values in one shot. Thanks, Nick!
Great video! I think people using Azure All the way might find it easier with 2 changes: 1) Use Managed Identity for Auth (skip certificate setup + increase security by making it easier to manage later without deploying new code) 2) Use Azure App Configuration (and load secrets into Azure App Configuration using KeyVault, to get the additional audit for who accesses those keys specifically) to control config naming limitations in KeyVault in cloud With above you will at least get a much simpler composition root - and more cloud control (remember to manage who has access to that). I'm still missing the auto secret rotation feature which AWS has (that's really cool), but I guess there is a way to do that with some Azure Automation (just a shame it's not an out of the box feature like in AWS)
Great tutorial! Maybe use the CN instead of the Thumbprint, so if the Certificate expires you can load a new one without the need to redeploy the application!
Great video! Nick, please add to the videos the corresponding Microsoft Documentation link. Also I hope to see soon a video on how to get the most of Azure Application Insights!! I loved your asp.net core Rest API tutorial, learned a lot. Thank you!
Hi Nick. Great video! I managed in the end to make it work both locally and in the cloud. Thanks! One question though. You said this method is the most secure we could use in Production. What about using a system assigned managed identity ? And regarding the Development, what is the preferred way ? 1. to connect via a service principal and use the certificate locally (I believe it would be difficult, as the certificate has to be shared across devs) 2. to be given access to the app service (and probably other clients like key vault) and using the DefaultAzureCredential, to let Azure detect the signed in user I'm really interested about this topic and I hope others are too, so we get a reply from you! Thanks again!
The best tutorial I have seen, as I know I spent some time figuring out how to do this myself, but there's somethings that are "no bueno" and overcomplicate it. First of all, from the Microsoft documentation literally says... "Don't use prefixes on key vault secrets to place secrets for multiple apps into the same key vault or to place environmental secrets (for example, development versus production secrets) into the same vault. We recommend that different apps and development/production environments use separate key vaults to isolate app environments for the highest level of security." The single keyVault seems problematic and complicates how you access the secrets. The prefix is totally unnecessary with the per app/per env vault and eliminates the need entirely for implementing the secret manager. Also, by default, if the names follow the structure of the data in the appsettings, they'll be replaced. Again, making implementing secret manager unnecessary. KeyVault Name: FakeConfiguration--Prop1 Appsettings Field: FakeConfiguration: { Prop1: ???} The value from the vault will magically replace it, as they're equivalent. There's literally no need to complicate it unless absolutely necessary. Useful documentation I used... docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-2.2#use-application-id-and-x509-certificate-for-non-azure-hosted-apps-1 docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-2.2#bind-an-array-to-a-class-1 oh yeah. If you don't want to load them all during startup, you can also access them individually via the SecretClient docs.microsoft.com/en-us/dotnet/api/overview/azure/security.keyvault.secrets-readme-pre
How about adding keys as Azure app service configuration that will later exposed to app as env variables? What's the downside of this? Great content keep it up!
Hello there! Can I ask some questions? 1) Should we use (I mean by your opinion and recommendation) azure key vault for store DB creds etc? 2) Did you hear about "git secret"? What do you think about that way? 3) As I understood, certificate is strongly recommended, but not necessary? Am I right? Can we configure certificate in appSettings.json? I remember smth like that in .Net Framework and web.config times.
Thanks Nick for the wonderful tutorial - What certificate should a team purchase when application goes to Prod (since self singed certificate is recommended for Development Environment) Thanks
Hi, thank you so much for the detailed explanation. My project is in .NET MVC 4.6.2. Do you have any video that explains the same concept for .NET MVC?
Nice explanation , can you confirm if I can use same way to secure Azure function http trigger . I want to access this function from a specific application.
@Nick Chapsas, you have not implemented this project through managed identity, rather through certificate. But I heard in case of azure Key vault managed identity approach is much better than certificate. Am I correct? Will you please share your thought on my doubt?
Hi Nick, great tutorial as always. So I'm using SQL and have DbContext setup and registered in Startup.cs which points to connectionstrings in the appsettings.json. What changes do I need to make in startup.cs for this to work. services.AddDbContext(opt => opt.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"))); Any help is appreciated!
Hi Nick, First of all very good article. It really helped me what i wanted to achieve. I will be greatful to you if you can help me with following queries. I am really stuck at present. This way of certificate works on when you host it on windows server or running in windows locally. How we can make it run in Linux server? How we can setup the development env in a mac machine? My application is a Service Oriented Architecture. The services are consumed by mobile and web app. So in development env I host the services locally in IIS, so that i can debug service code with mobile/web code. But the certificate is not picked up by the service so it is not be able to connect to the azure key vault. A timely response is highly appriciated. thanks
I'm just a beginner with regards to understanding https, certificates and storing secrets in .NET. In Azure Portal, when I created the key vault, under /certificates I see that you can just generate one. Is it stupid to do that, download it and the upload for the app registration?
Hi Nick, I have followed the video and when I deploy I got the error "Could not find certificate with thumbprint 558318C0DB6999F4AD1163A1xxxxxxxx". How can I solve that error. Tks for your reply Nick
It looks like you'll have some additional administration to perform each year, when your certificates expire. Why not use "Identity", and "DefaultAzureCredential()". That way you won't have this problem. You would not even have to use KeyVault, you could just allow your production server access to your DB in AzureAD using RBAC. In development you get a nice single sign-on experience as well, and no passwords anywhere...
It is actually not a problem. You can configure the certificate to be updated automatically without anyone manually doing it. I wanted to keep the video generic for anyone that wants to use KeyVault but isn't in Azure
@@facundo91 have you got your query resolved? if the Backend API is running on an App Service, but your Frontend API is running on another App Service can we adopt automatic uploading of certificate? or there has to be a different approach?
Hi Nick, I've getting the "Certificate is not installed" exception thrown. Any idea what I could be missing? I've posted a question here" stackoverflow.com/questions/61513887/cannot-find-certificate-azure-net-core-app Thanks!
I think I go it. Does the boolean parameter for finding the certificate need to be false? ex. store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
Hello Nick. How can put Token into my Header request in SecretClient? I can take secrets with pure HttpClient. But With Secret Client I don't know where to put my Token
I think this is one of the best video so far on Key Vault. Really appreciate your efforts.
So basically we can connect key vault using below technique,
1. Using Manged Identity ( System Designed),.
2. Using Client Id & Client Secret.
3. Using Client Id & Certificates.
All of these needs App Registration to grant access to Key Vault.
@Hemant Jain, do you know where is the code of this demo kept? Nick didn't reply to my query yet.
Even in 2023 it's still useful! I just integrated a keyvault for the first time a-z myself. I used azure app configuration which has some keys mapped to key vault. So when I pull the configuration I'm getting both plain values and secret values in one shot. Thanks, Nick!
I have been finding solution for using secret keys for almost 2 days.. This is only solution that i find workable. Thankyou very much...
Best key vault tutorial/explanation out there by far! Great job 👏
Great video! I think people using Azure All the way might find it easier with 2 changes:
1) Use Managed Identity for Auth (skip certificate setup + increase security by making it easier to manage later without deploying new code)
2) Use Azure App Configuration (and load secrets into Azure App Configuration using KeyVault, to get the additional audit for who accesses those keys specifically) to control config naming limitations in KeyVault in cloud
With above you will at least get a much simpler composition root - and more cloud control (remember to manage who has access to that).
I'm still missing the auto secret rotation feature which AWS has (that's really cool), but I guess there is a way to do that with some Azure Automation (just a shame it's not an out of the box feature like in AWS)
Got any examples of this?
I can't believe that a tutorial like this is free. Fantastic job Nick! Thank you so much.
THIS VIDEO IS ABSOLUTE GOLD.
Thanks Nick
Great tutorial! Maybe use the CN instead of the Thumbprint, so if the Certificate expires you can load a new one without the need to redeploy the application!
Great video! Nick, please add to the videos the corresponding Microsoft Documentation link.
Also I hope to see soon a video on how to get the most of Azure Application Insights!!
I loved your asp.net core Rest API tutorial, learned a lot. Thank you!
Thanks Nick for sharing your knowledge. Keep up the good work.
Great one! Nick, keep up the good work.
Hi Nick. Great video!
I managed in the end to make it work both locally and in the cloud. Thanks!
One question though.
You said this method is the most secure we could use in Production. What about using a system assigned managed identity ?
And regarding the Development, what is the preferred way ?
1. to connect via a service principal and use the certificate locally (I believe it would be difficult, as the certificate has to be shared across devs)
2. to be given access to the app service (and probably other clients like key vault) and using the DefaultAzureCredential, to let Azure detect the signed in user
I'm really interested about this topic and I hope others are too, so we get a reply from you!
Thanks again!
Fantastic run-through!
The best tutorial I have seen, as I know I spent some time figuring out how to do this myself, but there's somethings that are "no bueno" and overcomplicate it.
First of all, from the Microsoft documentation literally says...
"Don't use prefixes on key vault secrets to place secrets for multiple apps into the same key vault or to place environmental secrets (for example, development versus production secrets) into the same vault. We recommend that different apps and development/production environments use separate key vaults to isolate app environments for the highest level of security."
The single keyVault seems problematic and complicates how you access the secrets.
The prefix is totally unnecessary with the per app/per env vault and eliminates the need entirely for implementing the secret manager. Also, by default, if the names follow the structure of the data in the appsettings, they'll be replaced. Again, making implementing secret manager unnecessary.
KeyVault Name: FakeConfiguration--Prop1
Appsettings Field: FakeConfiguration: { Prop1: ???}
The value from the vault will magically replace it, as they're equivalent. There's literally no need to complicate it unless absolutely necessary.
Useful documentation I used...
docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-2.2#use-application-id-and-x509-certificate-for-non-azure-hosted-apps-1
docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-2.2#bind-an-array-to-a-class-1
oh yeah. If you don't want to load them all during startup, you can also access them individually via the SecretClient
docs.microsoft.com/en-us/dotnet/api/overview/azure/security.keyvault.secrets-readme-pre
I also find their recommendation of a prefix confusing when having a per app/per env vault structure, I guess only for versioning?
This was a great video and a huge time saver for me. Thank you!
Excellent
How about adding keys as Azure app service configuration that will later exposed to app as env variables? What's the downside of this?
Great content keep it up!
Hello there!
Can I ask some questions?
1) Should we use (I mean by your opinion and recommendation) azure key vault for store DB creds etc?
2) Did you hear about "git secret"? What do you think about that way?
3) As I understood, certificate is strongly recommended, but not necessary? Am I right? Can we configure certificate in appSettings.json? I remember smth like that in .Net Framework and web.config times.
github secret is only available inside github actions as far as I know. Its useful for testing purposes inside github.
Great video, Nick.
Thanks Nick for the wonderful tutorial -
What certificate should a team purchase when application goes to Prod (since self singed certificate is recommended for Development Environment)
Thanks
Hi, thank you so much for the detailed explanation. My project is in .NET MVC 4.6.2. Do you have any video that explains the same concept for .NET MVC?
so hyped for the azure series!
any chance of it including eventbus?
Sorry do you mean Azure Service Bus or Azure Event Hub?
Please create on Azure logic app and Service Fabric. Thanks.
@@nickchapsas sorry - Service bus is what i meant
Liked the video even before watching it. Hope you doing well.
Hi, Iove all your videos. Thanks a lot for sharing your knowledge.
Can you suggest how to reload when the values are updated in AKV?
Nice explanation , can you confirm if I can use same way to secure Azure function http trigger . I want to access this function from a specific application.
@Nick Chapsas, you have not implemented this project through managed identity, rather through certificate. But I heard in case of azure Key vault managed identity approach is much better than certificate. Am I correct? Will you please share your thought on my doubt?
Great tutorial. By the way which editor you are using? It looks different from Visual Studio and VS Code.
It’s called JetBrains Rider
I think you can get openssl from Gti here: C:\Program Files\Git\usr\bin
Awesome video but, given that its deprecated how do you configure it in the Program.cs file in Core 6.0 since the Startup file is no longer a thing?
Could you give a diagrammatic/high-level idea of what exactly are you doing?
Well done.
The best! tnx
Hi Nick, great tutorial as always. So I'm using SQL and have DbContext setup and registered in Startup.cs which points to connectionstrings in the appsettings.json. What changes do I need to make in startup.cs for this to work.
services.AddDbContext(opt => opt.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
Any help is appreciated!
@Nick Chapas where is code of this project in your repository? I couldn't find that. Will you please share link of code for this demo project?
Hi Nick, Very well explained this is a good learning. Would you please share the code. In the Github i didn't find this. Thanks in Advance
Great tutorial Nick, where can I get the source code? I could not find it in your Github Repositories
Check the description.
@@nickchapsas where have you shared source code link in the description?
Hi Nick,
First of all very good article. It really helped me what i wanted to achieve. I will be greatful to you if you can help me with following queries. I am really stuck at present.
This way of certificate works on when you host it on windows server or running in windows locally. How we can make it run in Linux server? How we can setup the development env in a mac machine?
My application is a Service Oriented Architecture. The services are consumed by mobile and web app. So in development env I host the services locally in IIS, so that i can debug service code with mobile/web code. But the certificate is not picked up by the service so it is not be able to connect to the azure key vault.
A timely response is highly appriciated.
thanks
I'm just a beginner with regards to understanding https, certificates and storing secrets in .NET. In Azure Portal, when I created the key vault, under /certificates I see that you can just generate one. Is it stupid to do that, download it and the upload for the app registration?
Hi Nick, I have followed the video and when I deploy I got the error "Could not find certificate with thumbprint 558318C0DB6999F4AD1163A1xxxxxxxx". How can I solve that error.
Tks for your reply Nick
It looks like you'll have some additional administration to perform each year, when your certificates expire. Why not use "Identity", and "DefaultAzureCredential()". That way you won't have this problem. You would not even have to use KeyVault, you could just allow your production server access to your DB in AzureAD using RBAC. In development you get a nice single sign-on experience as well, and no passwords anywhere...
It is actually not a problem. You can configure the certificate to be updated automatically without anyone manually doing it. I wanted to keep the video generic for anyone that wants to use KeyVault but isn't in Azure
Hey M S, what if the Backend API is running on an App Service, but your Frontend API is running on another App Service. Would that still work?
@@facundo91 have you got your query resolved? if the Backend API is running on an App Service, but your Frontend API is running on another App Service can we adopt automatic uploading of certificate? or there has to be a different approach?
will any one reply to my query?
That means there is no consistent experience on the config for multiple environments such as local development environment.
Can we use secret name as APP_ENV in azure key vault. I tried it and it says i cannot use special characters like _
is this applicable to Asp.Net MVC?
Microsoft.extensions.azurekeyvault is deprecated
Replaced by: Azure.Extensions.AspNetCore.Configuration.Secrets
Hi Nick,
I've getting the "Certificate is not installed" exception thrown. Any idea what I could be missing? I've posted a question here" stackoverflow.com/questions/61513887/cannot-find-certificate-azure-net-core-app
Thanks!
I think I go it. Does the boolean parameter for finding the certificate need to be false? ex. store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
This crying out for a utility (script?) and a utility library!
Hello Nick. How can put Token into my Header request in SecretClient? I can take secrets with pure HttpClient. But With Secret Client I don't know where to put my Token
Is this OK to use for usernames and passwords?