Microsoft Azure Key Vaults with Dot Net 4.5
Today we’re going to look at using the Azure Key Vault to store sensitive data securely in Azure, when using the traditional Dot Net framework.
If you’re using .NET Core it’s seems fairly straight forward. However the story for traditional .NET a little more problematic. Problematic enough to warrant sharing the story.
“Why not just Dot Net Core if it's easier?”
Fair question .
My little website is currently running on .NET 4.5. Whilst I’d like to move to .NET Core that’s a long term plan. The medium term plan is to move to Azure for the increased scalability it brings.
Currently I encrypt the web.config file (because #security) and my research suggests that this won’t cut it under Azure. Whilst it does work, as soon as you try and scale up/down the website it fails.
I presume scaling means, in essence, moving to a new machine (or VM) with a different configuration (even though I’ve stipulated a machineKey setting). Anywho it doesn’t work . Hence looking at Key Vaults as it’s outside the web application and shouldn’t suffer the problems when scaling.
Demo App
I’ve put together a stripped down demo application on Github you can follow along with.
I’ll be referring to that codebase throughout so you may want to go ahead and clone it.
It’s deliberately cut down to just a Web API and nothing else so don’t be surprised that it’s a little … sparse!
Key Vault with .NET 4.5.2
A couple of quick notes about adding the key vault dependencies to an existing application. The following steps have already been applied to the demo app.
You’ll need to install the following packages via nuget:
- Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory
- Install-Package Microsoft.Azure.KeyVault
Your application needs to be at least .NET 4.5.2 otherwise you’ll get this error message when you try and install Microsoft.Azure.KeyVault.
Install-Package : Could not install package 'Microsoft.Azure.KeyVault 2.3.2'. You are trying to install this package into a project that targets '.NETFramework,Version=v4.5', but the package does not contain any assembly references or content files that are compatible with that framework. For more information, contact the package author.
Azure Setup
Azure is a fast moving platform so I’m just listing the steps you need to go through. Far easier to update in the future than screenshots!
Resource Group
We’ll use a separate resource group to make it easier to rip down and restart if need be.
Select Resource Groups » Add
- Resource Group Name:
- RG-KeyVaultDemo
- Subscription:
- « Your Subscription »
- Resource Group Location:
- UK South (or somewhere else)
Key Vault setup
Next up we create the Key Vault itself.
Create the Key Vault
Select Key vaults » Add
- Name
- KV-TOEPOKE
- Subscription:
- « Your Subscription »
- Resource Group (use existing)
- RG-KeyVaultDemo
- Location
- UK South (or wherever you fancy)
- Pricing tier
- Standard (yes, key vaults do cost some money)
- Access policies
- « Select as applicable »
And then click Create.
Next up we’ll add the data we want to stay private.
Create the USERNAME key
Select Key vaults » KV-TOEPOKE » Secrets » Generate/Import
- Upload options
- Manual
- Name
- USERNAME
- Value
- « Your secret your want to keep »
- Content type (optional)
- « blank »
- Set activation date?
- « blank »
- Set expiration date?
- « blank »
- Enabled
- Yes
And click Create.
- Click through on the USERNAME secret, then click on CURRENT VERSION.
- Here you’ll see the Secret Identifier - https://kv-toepoke.vault.azure.net/secrets/USERNAME/somebigfatlongguid
- Copy the https://kv-toepoke.vault.azure.net/secrets/USERNAME/ part to the clipboard
- Paste into the UsernameSecretIdentifier in appSettings.config
Create the PASSWORD key
Select Key vaults » KV-TOEPOKE » Secrets » Generate/Import
- Upload options
- Manual
- Name
- PASSWORD
- Value
- « Your password you want to store »
- Content type (optional)
- « blank »
- Set activation date?
- « blank »
- Set expiration date?
- « blank »
- Enabled
- Yes
And click Create.
- Click through on the PASSWORD secret, then click on CURRENT VERSION.
- Here you’ll see the Secret Identifier - https://kv-toepoke.vault.azure.net/secrets/PASSWORD/somebigfatlongguid
- Copy the https://kv-toepoke.vault.azure.net/secrets/PASSWORD/ part to the clipboard
- Paste into the PasswordSecretIdentifier in appSettings.config
Azure Active Directory setup
With our vault and our secrets set-up we can go ahead and read our data? Not as simple as that as we don’t want anyone to be able to access our secret, only an application we authorise. We do this through Azure Active Directory.
Before we start it's worth pointing out that you don't need to deploy your web app or API to Azure in order to access the Key Vault.
Application Registration
Select Azure Active Directory » App registrations » New application registration
- Name
- AD-TOEPOKE
- Application type
- Web app / API
- Sign-on URL
- https://example.com
Sign-on URL is used for signing into your website via Azure Active Directory, which we aren't going to use so you can enter any valid URL here.
On saving the AD-TOEPOKE App registration you'll be allocated a Guid in the Application ID field. Add this to the ClientID in appSettings.config file of the sample application.
Whilst on the confirmation screen, click the Settings option and then Keys.
- Description
- AD-TOEPOKE-KEY
- Duration
- Never Expires
- Value
- « Leave blank »
Click Save and you’ll see the Value field is populated with an encoded string. Paste this into the ClientSecret field in appSettings.config file of the sample application.
It's very important you take a note of the Value now as once you navigate from the blade in the Azure portal it's no longer available. Indeed if you navigate to the Keys blade later the Value field simply says Hidden.
If you do navigate away without noting the Value, simply delete the key and create a fresh one.
Linking the Key Vault to Azure Active Directory
So we’ve created a Vault for storing our secrets and defined an Application for asking for the secrets in the vault. So now we need to tell the vault that our application has permission to access the vault.
Select Key Vaults » KV-TOEPOKE » Access policies » Add new
- Configure from template (optional)
- « blank »
- Select principal
- AD-TOEPOKE
- Key permissions
- Get & List
- Secret permissions
- Get & List
- Certificate permissions
- Get & List
- Authorised application
- « None selected »
And click OK, and then click Save (why OK doesn’t save I have no idea - always catching me out!)
Fire it up
Finally we can test our demo application out:
- Start the demo application in Visual Studio
- Change the URL to http://localhost:63049/api/home (your port may vary)
- Cross your fingers
- If all is well the browser will show the username and password secrets you entered eariler
Links
The following resources were used in constructing the above article:
- Setup Azure Key Vaults with Powershell
- Use Azure Key Vault from a web application
- Azure Key Vault - An Introduction with step-by-step directions
- Monsters Weekly
- Storing application secrets in Azure key vault
Posted in : azure