How to pass sensitive data to the IConfiguration interface during startup?

0
votes

I want to use the configuration setup for my .NET Core Web API. I installed the Microsoft.Extensions.Configuration package for the DI container.

First of all I have 4 config files

  • appsettings.json

    Whenever all three environments use the same config value, this is the file where to put it

  • appsettings.Development.json

    Basic config values for development purposes only. E.g. database connection points to localhost and token secret is "secret", example:

.

{
  "Database": {
    "ConnectionString": "Server=localhost;Port=3306;Database=db;Uid=root;Pwd=admin;Pooling=true;"
  }
}

  • appsettings.Staging.json

    Almost the same as the development file

  • appsettings.Production.json

    Things are different here. I can't put sensitive information to that file, e.g. token secret. These values should come from the environment variable

So in my code I can access the config values via dependency injection

public class MyClass
{
    public MyClass(IConfiguration configuration)
    {
        string databaseConnectionString = configuration["Database:ConnectionString"];
    }
}

but what if the code runs in production mode? The information doesn't exist in the production file so I would have to read from the environment variables.

Would I have to create an environment variable called Database:ConnectionString and .NET Core maps all the system environment variables into the configuration file during startup if they don't exist? Or how would I pass in sensitive data to the configuration?

2
asp.net-core.net-coreasp.net-core-webapi
Have you had a chance to take a look at the section in the documentation about environment variables? docs.microsoft.com/en-us/aspnet/core/fundamentals/configuration/…Nkosi

2 Answers

1
votes

With the default builder, ASP.NET Core will load the configuration from multiple sources, where later sources have the chance to overwrite earlier ones. The default sources in non-development environments are the following:

  • General JSON configuration from appsettings.json
  • Environment-specific JSON configuration from appsettings.<Environment>.json
  • Environment variables, e.g. ConnectionStrings:DefaultConnection or ConnectionStrings__DefaultConnection (both map to the same configuration path)
  • Command-line arguments

So you have the ability to overwrite the configuration from the JSON files by default using both environment variables and command line arguments.

When it comes to production use, there are also other means to protect the secrets. For example, you could simply edit the appsettings.Production.json during deployment, so that the values will never leave the machine itself.

1
votes

There are several solutions for this. But obviously you want to keep things such as connection strings away from version controlled files.

If running locally i would sugest using the user secrets functionality in visual studio.

However you can also set environment variables from the cli. This is an example from the documentation about configuration:

set MyKey="My key from Environment"
set Position__Title=Environment_Editor
set Position__Name=Environment_Rick
dotnet run

Of course when running in azure the key vault is a good place to put these kinds of secrets and also has great integration into .Net.