Manage application settings with Azure KeyVault
Securing your data and application configuration should be of prime importance for an application developer/architect and needs to be taken care of during the design phase itself. It is always better to take preventive steps rather than do firefighting after an incident. There are a lot of best practices out there to safeguard the data, but from time to time we ignore/forget to securely store app configuration settings.
Very often developers tend to store hard-coded passwords, tokens, authorization keys, etc in the code or in the application configuration files and then commit the code into the version control. If your repo is publically available or some bad actors got access to it, then you may end up in a lot of trouble. There are automated bots that look for this kind of information by scanning the repos publically available in GitHub or BitBucket and then target your infrastructure with these credentials
Securing the configuration settings
There are a lot of ways you can make that secure, for example by encrypting the entries in the configuration files or by keeping that sensitive information in some other medium such as a database. Another option is to rely on resources provided by cloud vendors such as Microsoft or Amazon.
Azure KeyVault is one such cloud service provided by Microsoft for securely storing and accessing not only secrets but also certificates, keys, passwords, etc. Please refer to this official document for more details about Azure KeyVault. Apart from storing it securely, KeyVault provides additional features such as access control, audit logging, versioning, validity, and much more. With the help of these features, we can make sure that only authorized personnel/app has access to the data with proper auditing and expiration controls.
Creating a KeyVault in Azure
We can create a resource in Azure in a number of ways, here I am going to show you how to create a vault from the portal as well as with commands using
Key Vault in the search bar at the top and select
Key Vaults from the results. From the next page, select the
Create option and you will get a window like the one below. There, just select the Resource Group, specify a name for the key vault, region, and pricing tier, and leave the rest with the default values
az keyvault create --name "gab22demo-rg" --resource-group "GAB22RG" --location "SouthIndia"
Creating a secret
Before you can add a secret in the key vault, you will need to give yourself access to either add or manage it. In order to do that, you can go to
Access Policies from the left menu under your key vault and then select
Add Access Policy. Since we are dealing only with secrets, we will only select the necessary permissions needed for the same and then the identity to give access to
az keyvault secret set --vault-name "gab22demo-rg" --name "DBConnection" --value "<your connection string>"
Reading secrets in your code
So we have created the key vault and added a secret in the vault to store the database connection string. Now, let's read this connection string from the vault and establish a connection to the database from the code base. For this post, I am going to use a .NET6 Web application for the demo purpose.
In Azure, while creating the key vault it exposes API endpoint which can be used in our code to establish a connection to the vault for performing various operations. To get started, we will need to install a nuget package named
We are going to store the key vault endpoint in the config file and will load it into the configuration collection during the bootstrapping phase
So, let's add an entry in the
appsettings.json file as shown below
Now, in the startup code, add the following snippet
.ConfigureAppConfiguration((hostingContext, config) =>
AzureServiceTokenProvider azureServiceTokenProvider = new();
KeyVaultClient keyVaultClient = new(
What we are doing basically here is
- adds the KeyVault as a configuration provider
- sets up the connection to the key vault using
Once you complete this step, you will be able to access the key vault references in the same way you access values from other configuration providers such as
A sample snippet is given below. Here we are using the
IConfiguration instance to read the value
DBConnection which is being fetched from the vault during the startup phase.
private readonly ILogger<HomeController> _logger;
private readonly IConfiguration _configuration;
public HomeController(ILogger<HomeController> logger, IConfiguration configuration)
_logger = logger;
_configuration = configuration;
public IActionResult Index()
List<Product> products = new();
using (var db = new GABDemoDbContext(_configuration["DBConnection"]))
products = db.Product.OrderBy(x => x.Name).ToList();
Connecting Azure Blob Storage account using Managed Identity
Securing Azure KeyVault connections using Managed Identity
Manage application settings with Azure KeyVault
Adding Serilog to Azure Functions created using .NET 5