14

I'm doing an Azure App Service Deploy (ASP.NET Core 2.0 Web Api) in Visual Studio Team Services and want to replace some values in the appsettings.json so I read https://learn.microsoft.com/en-us/vsts/build-release/tasks/transforms-variable-substitution#jsonvarsubs, but they talk about substituting values in nested levels of the file, by concatenate the names with a period (.).

Problem is that you can't use periods (.) in an Azure Key Vault.

Does anyone know how to substitute variables with nested levels in an appsettings.json file using Secrets from the Azure Key Vault?

Erwin
  • 3,060
  • 26
  • 24
  • 1
    I used an ARM template for setting appsettings from the keyvault. Create an ARM template which provisions the web app and read the values from the keyvault and uses the values for setting the appsettings. You can read them from the keyvault via the .parameters.json file or use a nested template. In this way you can keep using periods (.) In the appsettings and have a different keyname in the keyvault. – Clemens Reijnen Dec 13 '17 at 05:16
  • @ClemensReijnen Thanks, you steered me in the right direction, see my answer. – Erwin Dec 13 '17 at 07:45

2 Answers2

10

I ended up using 'ConnectionStrings--Database' as Secret key in Azure Key Vault.

Then adding a 'Variable Group' in VSTS (https://learn.microsoft.com/en-us/vsts/build-release/concepts/library/variable-groups) linking to the Azure Key Vault.

And add a 'Process Variable' called ConnectionStrings.Database with a value of '$(ConnectionStrings--Database).

That way it replaces the value of your 'Process Variable' with the value from the Azure Key Vault and it uses the name of the 'Process Variable' to replace in the appsettings.json.

Erwin
  • 3,060
  • 26
  • 24
  • use `--` to replace `.` should be correct. And you can also find in the document Creating key vault secrets and loading configuration values (basic-sample) https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?tabs=aspnetcore2x#creating-key-vault-secrets-and-loading-configuration-values-basic-sample: `hierarchical values (configuration sections) use -- (two dashes) as a separator`. – Marina Liu Dec 13 '17 at 08:11
  • @MarinaLiu-MSFT, When I use my Azure Vault with the keys with -- it isn't replacing values in my appsettings.json. In the appsettings.json the structure is { "ConnectionStrings": { "Database": "databaseconnectionstring" } } – Erwin Dec 13 '17 at 13:39
  • What's your build logs for the Azure App Service Deploy task? – Marina Liu Dec 14 '17 at 07:03
  • 1
    @MarinaLiu-MSFT the Library does not replace "--" with "." during import of the values from the key-vault. This is a major problem… you need to **manually** "re-map" all keys in your process variables for each pipeline in order to have the correct names. Otherwise the replacement task will not use these variables... currently the import from key-vault as library is not usable. – Jochen Kalmbach Oct 24 '18 at 04:43
  • 2
    Thank you for posting this Erwin, this is under-documented. – Sam Dec 06 '18 at 12:51
0

[moved from comment to answer] I used an ARM template for setting appsettings from the keyvault. Create an ARM template which provisions the web app and read the values from the keyvault and uses the values for setting the appsettings. You can read them from the keyvault via the .parameters.json file or use a nested template. In this way you can keep using periods (.) In the appsettings and have a different keyname in the keyvault.

Clemens Reijnen
  • 126
  • 3