When we are working with PAAS (Most of resources are PAAS in Azure like App service and KeyVault) in Azure. Most of the time, We do not need to write code or write very less code to access them such as in this case. Do not need to provide any detail like connection string or other details to access key vault in app service, Just do little configuration in azure portal and direct get secret from key vault.
In Azure , they are resources in same resource group which can communicate to each other or authenticate or authorize by just adding object id of app service to keyvault "Access policies". All the headache is on azure of validation. It is very easy, secure and good practice.
Steps are as Follows
Enable Managed Service Identity for your Web App/App Service
a. Select "Identity" from the left-side menu in the Azure Web App/App Service.
b. In the System-assigned tab, Change the "Status" toggle to "On".
c. After a few seconds, Object ID will be available then copy the "Object ID".

Authorize the Web App/App Service to access Your Key Vault
a. Select "Access policies" from the "Key Vault" screen.
b. Click "Add Access Policy".
c. Provide the "Get" and "List" permissions.
d. In the “Select a Principal” option, specify the value for the "Object ID" you
copied earlier for the Azure Web App/App Service.
e. Paste, search and then select it from the list.
f. Click "Add".
g. Click "Save" to persist the changes and complete the process.
Provide Permissions

Copy object Id

Read Azure Key Vault Secrets in .NET Core
a. Install the NuGet Packages
You may install these packages in one of two ways: Either via the NuGet
Package Manager integrated into the Visual Studio 2019 IDE or by running the
following command(s) in the Package Manager Console:
Install-Package Microsoft.Extensions.Azure and Install-Package Azure.Security.KeyVault.Secrets
Note :- In My case , I did not need to install these packages.
b. Access Secrets from AzureKeyVault
- Specify the Vault Uri in AppSettings :- Create a section named "KeyVault" in the appsettings.json file and specify a key named "VaultUri" in there as shown below.
appsettings.Development.json
{
"SecretName": "xyz"
}
appsettings.OtherEnv.json
"KeyVault": {
"VaultUri": "https://yourkeyvaulturl.vault.azure.net/"
}
- Create KeyVaultManagement class
public class KeyVaultManagement
{
private readonly IConfiguration _config;
public KeyVaultManagement(IConfiguration config)
{
_config= config;
}
public SecretClient SecretClient
{
get
{
return new SecretClient(
new Uri($"{this._config["KeyVault:VaultUri"]}"),
new DefaultAzureCredential()) ;
}
}
}
- Write the below code in Program.cs
.ConfigureAppConfiguration((context, config) =>
{
var builtConfig = config.Build();
if (!context.HostingEnvironment.IsDevelopment())
{
config.AddAzureKeyVault(new KeyVaultManagement(builtConfig).SecretClient, new KeyVaultSecretManager());
}
});
- Write the below where need to fetch secret.
var valueofSecret = configuration["SecretName"];
configuration is IConfiguration
Documentation of Microsoft for Access Policy of Azure Keyvault
IF YOUR APPLICATION IS NOT APP SERVICE OR IT IS DEVELOPED IN .NET FRAMEWORK
Then Implement KEYVAULT using Certificate
Install Same Nuget Packages
Write the below code in Program.cs. Might need to add package or namespace to use certificate classes
.ConfigureAppConfiguration((context, config) =>
{
var root = config.Build();
var KeyVaultName = root["KeyVaultName"];
var Uri = new Uri($"https://{KeyVaultName}.vault.azure.net/");
var x509Certifcate = CertifcateHelper.GetCertificate(root["Thumprint"],"KeyVaultCertificate");
config.AddAzureKeyVault(Uri , new ClientCertificateCredential(root["ClientTenantId"], root["ClientAppId"], x509Certifcate));
});
- Add the below lines in APPSetting
appsettings.Development.json
{
"KeyVaultName": "keyvalutname",
"ClientTenantId": "Get from azure and paste here",
"ClientAppId": "Get from azure and paste here",
"Thumbprint": "Get from keyvalut certificate in azure and paste here";
}
- Write the below where need to fetch secret.
var valueofSecret = configuration["SecretName"];