0
votes

I'm experimenting with Azure Key Vault for a hobby project. At first I developed locally, but now my db is in Azure, so I want this connection string kept safe in the Key Vault. I managed to do this with the Connected Service option in Visual Studio. The connection is made and everything works as expected. Still, in development I now want to access the local db with the config value from appsettings.json. I thought that wrapping the setup in the ConfigureAppConfiguration delegate in Program.cs, like below, would bypass Key Vault and go to the local appsettings. But when running this code I still get the Key Vault secret value (and in debug the code is skipped, so IsDevelopment is true).

            if (!context.HostingEnvironment.IsDevelopment())
            {
                var builtConfig = config.Build();
                var keyVaultEndpoint = GetKeyVaultEndpoint();
                if (!string.IsNullOrEmpty(keyVaultEndpoint))
                {
                    var azureServiceTokenProvider = new AzureServiceTokenProvider();
                    var keyVaultClient = new KeyVaultClient(
                        new KeyVaultClient.AuthenticationCallback(
                            azureServiceTokenProvider.KeyVaultTokenCallback));
                    config.AddAzureKeyVault(
                        keyVaultEndpoint, keyVaultClient, new DefaultKeyVaultSecretManager());
                }
            }

So my questions are:

  1. Did anyone else experience this odd behaviour?
  2. How do I properly deal with switching out Key Vault on a local machine?

What is your non-development env? Azure web apps? - Neville Nazerane
What is context? There is no variable in Program.cs by default. - Neville Nazerane
The non-development environment is Azure web apps. But the problem is on dev. - Casper Broeren
Context is of type WebHostBuilderContext. - Casper Broeren

2 Answers

0
votes

For this, instead of accessing the hosting environment in the Program class, I generally use environment variables. Since the Key Vault might change, I store the Key Vault URL as an environment variable in production. I can now define the function as:

    string GetKeyVaultEndpoint() => Environment.GetEnvironmentVariable("KeyVaultURL");

Here "KeyVaultURL" is the name of the environment variable that stores the URL endpoint. Once your function is defined like this, you can simply check whether it returns null. If it returns null, you can skip the Key Vault setup. This way, even if you move your website to a location where you choose to use something else instead of Key Vault, there will be no issues, even in a production environment.

0
votes

Well, it turns out it wasn't the code and Key Vault after all. Before implementing the Key Vault I had experimented with user secrets, and it turned out this was still being executed in my configuration providers. When I debugged, I looked at the contents of IConfiguration.Providers and found my setting present in secrets.json, which was located here on my computer:

C:\Users\Username\AppData\Roaming\Microsoft\UserSecrets\e53d8827-fdcb-496d-8290-9ff7fcf0ec04

I hope someone else with this problem is saved from digging through the code.
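
Added example (not code from the question or from either answer): a small helper that automates the provider inspection described above by reporting which configuration providers define a key and which one wins, without printing any values. The key name and the two in-memory sources are constructed stand-ins for appsettings.json and a leftover secrets.json.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Configuration;

public static class ConfigProvenance
{
    // Lists every provider that defines `key`, highest precedence first.
    // Providers registered later win, so the first hit is the effective one.
    // Only provider names are returned, never values, so the output is safe to log.
    public static List<string> Explain(IConfigurationRoot root, string key)
    {
        var providers = root.Providers.ToList();
        var report = new List<string>();
        for (int i = providers.Count - 1; i >= 0; i--)
        {
            if (!providers[i].TryGet(key, out _)) continue;
            var role = report.Count == 0 ? "effective" : "shadowed";
            report.Add($"#{i} {providers[i]} ({role})");
        }
        return report;
    }
}

public static class Demo
{
    public static void Main()
    {
        const string key = "ConnectionStrings:DefaultConnection"; // assumed key name

        // Constructed stand-ins: the first source plays appsettings.json, the
        // second plays a leftover secrets.json registered after it.
        var root = new ConfigurationBuilder()
            .AddInMemoryCollection(new Dictionary<string, string> { [key] = "local-db" })
            .AddInMemoryCollection(new Dictionary<string, string> { [key] = "stale-secret" })
            .Build();

        foreach (var line in ConfigProvenance.Explain(root, key))
            Console.WriteLine(line);
    }
}
```

In a real app, pass the host's configuration root instead of the constructed one; a provider listed as "effective" that you did not expect (user secrets, Key Vault, environment variables) is the source to remove or reorder.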