How to read value from azure key vault

1
votes

I am not able to understand what's the benefit of the azure key vault if I am storing ClientId and client secret in web/App Config. Passing the base URI or the complete URL for getting the values.

I am not securing the application instead I am bypassing the things to directly read. But anybody can read the values from key vault if they can read the value from web config.

Just need to copy ClientId and ClientSecret from the web config, Paste the values in your console application and get the values by just passing the URI.

I am running my Web API(c#) in Virtual Machine(IIS). I need to implement KeyVault without providing any values in the web config.

2
c#azure-keyvault

2 Answers

1
votes

Architecturally speaking , azure key vaults provide easy way to store the configuration settings for your application. As you might have seen in the example docs that for accessing the key vault , we store the client id and client secret in web.config which is not as per the secure design:

Here is something which you can do :

  • All you required setting needs to be in a encrypted format inside a blob/any kind storage and only your application should be able to get the configs form blob or any kind of storage while your application is booting. Once the application is booted properly , last step should be to decrypt the settings and store in a secure way at client side.

In this way do don't need to expose the client id and secret of you application.

Additionally , we create a service principal account in Azure AD and provide the access to read the data from Key vault. Later we store the bearer token after calling the Azure AD authentication API and use this token to access key vault.

  • Another approach would be **Managed identity** as pointed by @JackJia , Managed identity will be considered as trusted resource, and can get token from specific endpoint without any additional configuration. You can read the above answer for details.

let me know if you want to discuss further , would be happy to help you.

0
votes

If you do not want to store client id and client secret in your web.config, then you can use Azure Managed Identity to get authorized to use Azure Key Vault.

Here is an official tutorial: Use a Windows VM system-assigned managed identity to access Azure Key Vault

In this tutorial, it explains how the managed identity works and how to acquire a token for calling Azure Key Vault API.

And, in fact, you can directly use 'Microsoft.Azure.Services.AppAuthentication' package in your c# application. And then create KeyVaultClient and get secret as following:

    var azureServiceTokenProvider = new AzureServiceTokenProvider();        
    KeyVaultClient kvc = new KeyVaultClient(azureServiceTokenProvider.KeyVaultTokenCallback);
    SecretBundle secret = kvc.GetSecretAsync(baseUrl, "testSecret").Result;
    Console.WriteLine(secret.Value);

Summary

With Azure managed identity, you can add role assignment or access policy to it. Then, your Azure resource (VM or web app) with managed identity will be considered as trusted resource, and can get token from specific endpoint without any additional configuration.