
I am using the NuGet package Microsoft.Extensions.Configuration.AzureKeyVault with the code below in Program.cs of an ASP.NET Core 3.1 application.

It authenticates to Azure Key Vault with a custom client-certificate callback and also plugs in a custom secret manager (the `Manager` property).

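   /// <summary>
   /// Builds the generic host and layers Azure Key Vault secrets on top of the default
   /// configuration sources, using the legacy Microsoft.Extensions.Configuration.AzureKeyVault API.
   /// </summary>
   /// <param name="args">Command-line arguments forwarded to <see cref="Host.CreateDefaultBuilder(string[])"/>.</param>
   /// <returns>The configured, not yet built, <see cref="IHostBuilder"/>.</returns>
   public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                config.AddAzureKeyVault(new AzureKeyVaultConfigurationOptions
                {
                    // Vault endpoint, e.g. https://<vault-name>.vault.azure.net/.
                    // Prefer reading it from configuration so each environment targets its own vault.
                    Vault = "key vault url",
                    // Every reload re-enumerates the vault's secrets; 15 s is aggressive and counts
                    // against Key Vault's request throttling limits — lengthen it for larger vaults.
                    ReloadInterval = TimeSpan.FromSeconds(15),
                    // Token acquisition with a client certificate via the custom callback.
                    Client = new KeyVaultClient(CustomCertificateAuthenticationCallback),
                    // Custom mapping/filtering of secret names to configuration keys.
                    Manager = new CustomKeyVaultSecretManager()
                });
            })
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();
            });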

The package Microsoft.Extensions.Configuration.AzureKeyVault is deprecated, so I uninstalled it and installed its replacement, Azure.Extensions.AspNetCore.Configuration.Secrets. After switching I cannot figure out how to plug in the custom certificate authentication (and the custom secret manager), nor how to pass the Key Vault URL.


2 Answers


With the new package you create a `SecretClient` (from Azure.Security.KeyVault.Secrets) and pass it to `AddAzureKeyVault`; see the official documentation for the Azure Key Vault configuration provider.

using Azure.Security.KeyVault.Secrets;
using Azure.Identity;
using Azure.Extensions.AspNetCore.Configuration.Secrets;

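/// <summary>
/// Builds the generic host and, in Production only, layers Azure Key Vault secrets over the
/// configuration sources registered by <see cref="Host.CreateDefaultBuilder(string[])"/>.
/// </summary>
/// <param name="args">Command-line arguments forwarded to the default builder.</param>
/// <returns>The configured, not yet built, <see cref="IHostBuilder"/>.</returns>
/// <exception cref="InvalidOperationException">
/// Thrown at startup when running in Production and the <c>KeyVaultName</c> configuration
/// value is missing or blank.
/// </exception>
public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureAppConfiguration((context, config) =>
        {
            // Only Production pulls from Key Vault; other environments keep appsettings/user-secrets.
            if (!context.HostingEnvironment.IsProduction())
            {
                return;
            }

            // Build the sources registered so far (appsettings, environment, ...) to read the vault name.
            var builtConfig = config.Build();
            var vaultName = builtConfig["KeyVaultName"];

            // Fail fast with a clear message rather than an obscure URI/DNS error on first secret fetch.
            if (string.IsNullOrWhiteSpace(vaultName))
            {
                throw new InvalidOperationException(
                    "Configuration value 'KeyVaultName' is required in Production to reach Azure Key Vault.");
            }

            // The vault host is derived from configuration: whoever can set 'KeyVaultName' decides
            // which endpoint receives this app's Key Vault access token, so keep that setting trusted.
            var vaultUri = new Uri($"https://{vaultName}.vault.azure.net/");

            // DefaultAzureCredential walks the Azure.Identity credential chain (managed identity,
            // environment variables, developer tooling, ...); no secret or certificate lives in code.
            var secretClient = new SecretClient(vaultUri, new DefaultAzureCredential());

            // KeyVaultSecretManager is the package's default secret-name to configuration-key mapping;
            // replace it with a custom ISecretManager/KeyVaultSecretManager subclass if needed.
            config.AddAzureKeyVault(secretClient, new KeyVaultSecretManager());
        })
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseStartup<Startup>();
        });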

`SecretClient` does not accept an `AuthenticationCallback` (`Microsoft.Azure.KeyVault.KeyVaultClient.AuthenticationCallback`); in the new SDK authentication goes through an `Azure.Core.TokenCredential` instead.

If you want to authenticate with a certificate, create the `TokenCredential` as an `Azure.Identity.ClientCertificateCredential`:

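// Load the client certificate (PFX) that authenticates this app's service principal.
// Keep pfxpassword out of source control (environment variable, user-secrets, or better: load the
// certificate from an X509Store so no PFX file and password ship with the app; in Azure, prefer a
// managed identity via DefaultAzureCredential and drop the certificate entirely).
// EphemeralKeySet keeps the private key out of the persistent key store, but it is not supported
// on every platform (macOS throws) — confirm on your deployment target.
// Do not dispose `cer`: the credential keeps signing with it for the lifetime of the SecretClient.
X509Certificate2 cer = new X509Certificate2(certPath, pfxpassword, X509KeyStorageFlags.EphemeralKeySet);

// ClientCertificateCredential replaces the old KeyVaultClient.AuthenticationCallback: it acquires
// tokens for the app registration (tenantID / clientID) by signing the client assertion with `cer`.
// Note the closing parenthesis of the SecretClient constructor, which was missing in the original.
var secretClient = new SecretClient(
    new Uri($"https://{builtConfig["KeyVaultName"]}.vault.azure.net/"),
    new ClientCertificateCredential(tenantID, clientID, cer));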

The accepted answer drops the `ReloadInterval` setting. The `AddAzureKeyVault(Uri, TokenCredential, AzureKeyVaultConfigurationOptions)` overload of the new package keeps every property of the original code (`Manager` and `ReloadInterval`):

using Azure.Security.KeyVault.Secrets;
using Azure.Identity;
using Azure.Extensions.AspNetCore.Configuration.Secrets;

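/// <summary>
/// Builds the generic host and, in Production only, layers Azure Key Vault secrets over the default
/// configuration sources, using the <c>AddAzureKeyVault(Uri, TokenCredential, AzureKeyVaultConfigurationOptions)</c>
/// overload so that the <c>Manager</c> and <c>ReloadInterval</c> settings of the legacy package are preserved.
/// </summary>
/// <param name="args">Command-line arguments forwarded to the default builder.</param>
/// <returns>The configured, not yet built, <see cref="IHostBuilder"/>.</returns>
/// <exception cref="InvalidOperationException">
/// Thrown at startup when running in Production and the <c>KeyVaultName</c> configuration value is missing or blank.
/// </exception>
public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureAppConfiguration((context, config) =>
        {
            // Only Production pulls from Key Vault; other environments keep appsettings/user-secrets.
            if (!context.HostingEnvironment.IsProduction())
            {
                return;
            }

            // Build the sources registered so far to read the vault name.
            var builtConfig = config.Build();
            var vaultName = builtConfig["KeyVaultName"];

            // Fail fast with a clear message rather than an obscure URI/DNS error on first secret fetch.
            if (string.IsNullOrWhiteSpace(vaultName))
            {
                throw new InvalidOperationException(
                    "Configuration value 'KeyVaultName' is required in Production to reach Azure Key Vault.");
            }

            var options = new AzureKeyVaultConfigurationOptions
            {
                // Default secret-name to configuration-key mapping; substitute a custom manager if needed.
                Manager = new KeyVaultSecretManager(),
                // Each reload re-enumerates the vault's secrets; 15 s is aggressive and counts against
                // Key Vault throttling limits — lengthen it unless near-real-time rotation is required.
                ReloadInterval = TimeSpan.FromSeconds(15)
            };

            // The vault host is derived from configuration: whoever can set 'KeyVaultName' decides
            // which endpoint receives this app's Key Vault access token, so keep that setting trusted.
            // DefaultAzureCredential walks the Azure.Identity credential chain (managed identity first).
            config.AddAzureKeyVault(
                new Uri($"https://{vaultName}.vault.azure.net/"),
                new DefaultAzureCredential(),
                options);
        })
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseStartup<Startup>();
        });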