I need a way to store hierarchical data in Azure Key Vaults so that I have a structure similar to:

AppName
  /Prod
    /Data
  /Test
    /Data
AppName2
  /Prod
    /Data

...

As far as I can tell I can only store a flat data structure. I am looking to be able to store data similar to Vault by HashiCorp which allows hierarchies.

For instance, in Vault by HashiCorp, I can get data using a 'path': "app/test/TestConnection" and I get the value at the endpoint of the path: TestConnection.

Any suggestions for alternatives would be fine, or instructions on how to do what I need with Key Vault.

Thanks


Update

I tried some of the suggestions: MySettings--SomeSection--SecretThing, multiple vaults, and neither works in the manner I need as described above. Not faulting the input, but what I want to do just is not available in Key Vault.

@juunas Turns out that your suggestion may be the best solution. I only just discovered in another article that MySettings--SomeSection--Secret translates into something similar in .NET Core:

MySettings: {
    SomeSection: "Secret"
}

Since my client wants to use Key Vault, we are probably going to go with storing JSON-structured data in a single secret per application.

Any other suggestions are welcome

Tab
    Storing hierarchical configuration values for ASP.NET Core works by naming the secrets like this: `MySettings--SomeSection--SecretThing`. Would some kind of naming convention like this work? – juunas May 10 '18 at 01:20
  • Interesting... I did not know that. I had heard from another source that using json to store hierarchical data works but I don't want a bunch of other data back just to get a key value. I will look into this. – Tab May 10 '18 at 01:28
  • I tried test--blah and then added test-xyz - no hierarchy. Do I just see the hierarchy if I get test-prefixed keys? Do you know of any documentation on this? – Tab May 10 '18 at 01:33
  • If you mean in the Key Vault secrets view, no, it does not support hierarchies. ASP.NET Core uses this naming scheme to simulate hierarchies. – juunas May 10 '18 at 01:34
  • Ah, so, if I add test--x and test-y secrets then I should be able to query for all keys under test and get x and y? – Tab May 10 '18 at 01:38
  • I don't think you can query with prefixes. ASP.NET Core's config system loads all secrets into its model so it just iterates all of them and figures out where they should land in the hierarchy based on the name. – juunas May 10 '18 at 01:40
  • Ok, I need to dive into the code then and give a try and see what I come up with. Thanks for the tips – Tab May 10 '18 at 01:43
  • Would it make more sense in your case to have a Key Vault per environment/application? – Thomas May 10 '18 at 08:39
  • @juunas Turns out that your suggestion may be the best solution. I only just discovered in another article that MySettings--SomeSection--Secret translates into something similar in .NET Core: MySettings: { SomeSection: "Secret" } Thanks! – Tab May 10 '18 at 17:50
  • Using hierarchy is documented here - https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-3.1#bind-an-array-to-a-class – Piotr Perak Jun 23 '20 at 08:51

2 Answers

Key Vault does not support hierarchies for secrets.

To emulate structure, you can do something similar to what .NET Core does with its Key Vault configuration provider. You can specify a secret with a name like Settings--SomeCategory--SomeValue, and it'll correspond to the following JSON when loaded:

{
  "Settings": {
    "SomeCategory": {
      "SomeValue": "value goes here"
    }
  }
}

So essentially you can use a separator to emulate the structure, similar also to how Azure Blob Storage emulates folders.

juunas
  • I ended up doing just that. Embedding json in the Secret was too much. Thanks! – Tab May 10 '18 at 23:21
  • @juunas I only know of using double _underscores_ as the path separator: `Settings__SomeCategory__SomeValue`. Do double dashes work too? – Timo Oct 15 '20 at 15:31
  • Double dash only works with Key Vault. Double underscore and colon works with environment variables. – juunas Oct 15 '20 at 15:45
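The name-to-tree mapping described in this answer and debated in the comments (why test--blah lands under test but test-xyz does not, why there is no server-side prefix query, and why "--" rather than ":" or "__"), written out as an added example. This is illustrative code, not the page's own, not the ASP.NET Core provider's implementation, and not an Azure SDK sample. It assumes only that secret names follow Key Vault's rule of letters, digits and dashes (1-127 characters); the SAMPLE_SECRETS dictionary is constructed for the example, standing in for what SecretClient.list_properties_of_secrets() from the azure-keyvault-secrets package would return. It goes slightly beyond the answer by adding a HashiCorp-Vault-style path lookup, a client-side prefix filter, and a check that a name is not used as both a leaf and a section.

```python
import re
from typing import Dict, Iterable, List

# Key Vault secret names may contain only ASCII letters, digits and dashes,
# 1-127 characters. Neither ":" nor "__" is allowed, which is why the
# ASP.NET Core provider uses "--" as its section separator.
_SECRET_NAME = re.compile(r"^[0-9A-Za-z-]{1,127}$")
SEPARATOR = "--"

# Constructed sample of secret names/values for this example (not real
# secrets), laid out like the question's AppName/Prod/Data tree plus the
# two names from the comments.
SAMPLE_SECRETS = {
    "AppName--Prod--Data": "prod-conn-string",
    "AppName--Test--Data": "test-conn-string",
    "AppName2--Prod--Data": "prod-conn-string-2",
    "test--blah": "under-test",
    "test-xyz": "flat-leaf",
}


def validate_secret_name(name: str) -> str:
    """Reject names Key Vault would refuse, before trying to create them."""
    if not _SECRET_NAME.fullmatch(name):
        raise ValueError(f"invalid Key Vault secret name: {name!r}")
    return name


def to_config_key(name: str) -> str:
    """Map a Key Vault name to the ':'-separated key ASP.NET Core uses."""
    return validate_secret_name(name).replace(SEPARATOR, ":")


def build_tree(secrets: Dict[str, str]) -> Dict:
    """Fold flat {name: value} pairs into nested dicts, splitting on '--' only.

    A single '-' stays inside a segment: 'test-xyz' becomes a leaf named
    'test-xyz' at the top level, not a child of 'test'.
    """
    tree: Dict = {}
    for name, value in secrets.items():
        parts = validate_secret_name(name).split(SEPARATOR)
        node = tree
        for part in parts[:-1]:
            child = node.setdefault(part, {})
            if not isinstance(child, dict):
                raise ValueError(f"{part!r} is used as both a leaf and a section")
            node = child
        if isinstance(node.get(parts[-1]), dict):
            raise ValueError(f"{parts[-1]!r} is used as both a leaf and a section")
        node[parts[-1]] = value
    return tree


def get_path(tree: Dict, path: str):
    """HashiCorp-Vault-style lookup: 'AppName/Prod/Data' -> stored value."""
    node = tree
    for part in path.strip("/").split("/"):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(path)
        node = node[part]
    return node


def names_under(names: Iterable[str], prefix: str) -> List[str]:
    """Key Vault has no server-side prefix filter: list every secret name
    (e.g. via SecretClient.list_properties_of_secrets()) and filter here.
    Only names with the full 'prefix--' marker count as children."""
    marker = prefix + SEPARATOR
    return sorted(n for n in names if n.startswith(marker))


if __name__ == "__main__":
    tree = build_tree(SAMPLE_SECRETS)
    print(get_path(tree, "AppName/Prod/Data"))   # prod-conn-string
    print(names_under(SAMPLE_SECRETS, "test"))   # ['test--blah']
```

The separator rule is the whole trick: the vault stores nothing but flat names, so the hierarchy exists only in whatever client rebuilds it, and every client that reads the vault must agree on the same separator and the same conflict rule.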

I would advise against mixing different environments' secrets within the same Key Vault. Access cannot be restricted to some keys, as access is granted and denied on the Key Vault level only. You probably don't want the same persons/applications to be able to access all the different environments, but instead grant access to the production environment to a selected group of users and applications only, and vice versa.

As the Key Vault service by itself doesn't really cost anything, we at least have taken the approach to create one Key Vault per environment, i.e. dev, test and production. Within that key vault the secrets are "structured" by a prefix, i.e. AppName-Data and AppName2-Data. This gives the added benefit, that when moving from dev to test and to production, the references to the secrets don't need to be changed, as they have the same name in all the environments. Just the reference to the Key Vault needs to be changed, and all is set!

Tuukka Haapaniemi