How to work with Key Vault when developing locally in .net framework?

Question

I'm wondering if there is a way I can setup a .net mvc app the same way a .net core app can be setup with Key Vault.

https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-2.2#secret-storage-in-the-development-environment

I want to be able to pull secrets in my local development environment without provisioning an Azure Key Vault.

In a .net core app I was able to follow the above link and get everything working.

// ran this command in powershell
dotnet user-secrets set "db-connection-string" "db-connection-string-value"

Setup the key vault with an empty endpoint in Program.cs (this is just for testing).

public static IWebHost BuildWebHost(string[] args) =>
           WebHost.CreateDefaultBuilder(args)
               .ConfigureAppConfiguration((ctx, builder) =>
               {
                   var keyVaultEndpoint = GetKeyVaultEndpoint();
                   if (!string.IsNullOrEmpty(keyVaultEndpoint))
                   {
                       var azureServiceTokenProvider = new AzureServiceTokenProvider();
                       var keyVaultClient = new KeyVaultClient(
                           new KeyVaultClient.AuthenticationCallback(
                               azureServiceTokenProvider.KeyVaultTokenCallback));
                       builder.AddAzureKeyVault(
                           keyVaultEndpoint, keyVaultClient, new DefaultKeyVaultSecretManager());
                   }
               }
            ).UseStartup<Startup>()
             .Build();

        private static string GetKeyVaultEndpoint() => "";

And I am able to access my secret locally using the below code.

 public void OnGet()
        {
            Message = "My key val = " + _configuration["db-connection-string"];
        }

In my asp.net app I am able to pull secrets from an Azure Key Vault. I just don't want to have to do that when developing locally since each developer could have a slightly different connection string to their local database, and requiring them to use a Key Vault in Azure is going to be annoying and cause frustration. Maybe we shouldn't use Key Vault for "legacy" applications. Any help is appreciated.

Andrew Shepherd · Accepted Answer · 2019-07-16T00:22:31.497

This seems similar to our development environment.

We wanted developers to use some values from the key vault, but to be able to override particular values for their local environment. (particularly the database connection string).

In the ConfigureAppConfiguration method you can register multiple configuration providers. If two configuration providers write to the same configuration key, the last registered provider gets precedence.

Knowing this, you can have a local file appSettings.json, which defines the database connection string:

{
     "db-connection-string": "Data Source = DEVELOPMENT_PC;Initial Catalog=MyLocalDatabase;Integrated Security=True"
}

Then register this provider after you have registered the key vault provider.

.ConfigureAppConfiguration((ctx, builder) =>
{
    var keyVaultEndpoint = GetKeyVaultEndpoint();
    if (!string.IsNullOrEmpty(keyVaultEndpoint))
    {
        var azureServiceTokenProvider = new AzureServiceTokenProvider();
        var keyVaultClient = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(
                azureServiceTokenProvider.KeyVaultTokenCallback
            )
        );
        builder.AddAzureKeyVault(
            keyVaultEndpoint,
            keyVaultClient,
            new DefaultKeyVaultSecretManager()
        );
    }

    var appSettingsFilePath = GetJsonAppSettingsFile(); // Hardcoded, or add some other configuratin logic
    if (!string.IsNullOrEmpty(appSettingsFilePath))
    {
        builder.AddJsonFile(appSettingsFilePath);
    }
}

Obviously, the production environment will have an empty or non-existent appSettings.json file, and all values will be derived from the key store. Or alternatively, you use the appSettings.json file in your production environment, but just for configuration values that do not contain secrets.

Thank you for your answer. I like this more than what I found in the Microsoft Docs, but this is for .net core. I don't have .ConfigureAppConfiguration in a standard .net framework app. Unless I missed something and I can setup my .net framework app with IWebHost. My understanding is that IWebHost is a .net core library though. — Ryan E., Jul 18 '19 at 13:04
@Ryan E. The framework I am using is .NET Framework (not .NET core). However, I am using .NET Framework to build an ASP.NET Core application (not ASP.NET 5 application). Are you building an ASP.NET 5 application or an ASP.NET Core application? If it's ASP.NET Core then you can go down this path, even if you are not building it with .NET Core. — Andrew Shepherd, Jul 19 '19 at 05:31
In this case it would be a asp.net 4. We are moving to .net core for our newer applications. So this question was geared toward finding a solution for those "legacy" apps we have. — Ryan E., Jul 19 '19 at 14:32

How to work with Key Vault when developing locally in .net framework?

1 Answers1