Azure Key Vault – PowerShell Example


In any application architecture, the application talks to many other components such as a database, Redis Cache or Azure Storage. To talk to these components, it stores sensitive information in its config file.

Examples of such sensitive information:

  • a database or Redis Cache connection string, which contains the database name, database server, user name and password
  • an Azure blob storage connection string, which contains the storage key
  • etc.

If any of the above sensitive information is compromised, it widens the application's attack surface. For example, with the database connection string an attacker can simply log in to the database and query it for its data. If the storage key is compromised, whoever holds the key has full access to that storage account. We must ensure that all such information is kept in an extremely secure environment.

Microsoft Azure Key Vault is the solution to the above challenge. From the Microsoft documentation: Azure Key Vault is a tool for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. A vault is a logical group of secrets.

I wrote the PowerShell script below to demonstrate the use of Key Vault. The flow of the script is:

  1. First log in to the Azure account.
  2. Select the subscription in which you want to create all the resources.
  3. Create the Azure Resource Group if it has not already been created.
  4. Create an Azure SQL Database. To do so, first create the SQL Server and then the SQL Database on it.
  5. Create firewall rules on the SQL Server to allow requests from a range of IP addresses or from any Azure IP address.
  6. Once the database is created, grab its connection string. Replace the user name and password with the ones you created while running the script.
  7. Now create the Azure Key Vault and add the above database connection string to it as a secret. I added the connection string in the script only to demonstrate how to add it to the Key Vault using PowerShell. Once it has been added, these steps can be removed from the script.
  8. Finally, read the connection string (the secret) from the Azure Key Vault and use it to connect to the Azure SQL Database, without the connection string being stored anywhere in the program. After connecting successfully, create a table and insert a row into it. Once done, close the connection.
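The flow above as an added example in PowerShell using the current Az module; this is not the author's script from the screenshot. All resource names, the region, the subscription id placeholder and the client IP are assumptions to replace before running, and the logged-in identity must be allowed to set and get secrets in the vault (with role-based access on the vault that means a Key Vault Secrets Officer assignment).

```powershell
# Added example (not the author's script). Assumes the Az module is installed;
# every name below is a placeholder chosen for this example.
$Location  = 'eastus'
$RgName    = 'kv-demo-rg'
$SqlServer = 'kvdemo-sqlsrv-001'   # SQL server names are globally unique
$DbName    = 'kvdemodb'
$VaultName = 'kvdemo-vault-001'    # vault names are globally unique
$AdminUser = 'sqladmin'
$ClientIp  = '203.0.113.10'        # your own public IP, so the script can reach the server
$AdminPassword = Read-Host -Prompt 'SQL admin password' -AsSecureString

# Steps 1-2: log in and select the subscription.
Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId '<your-subscription-id>' | Out-Null

# Step 3: create the resource group only if it does not exist yet.
if (-not (Get-AzResourceGroup -Name $RgName -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $RgName -Location $Location | Out-Null
}

# Step 4: SQL Server first, then the database on it.
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminUser, $AdminPassword
New-AzSqlServer -ResourceGroupName $RgName -ServerName $SqlServer -Location $Location `
    -SqlAdministratorCredentials $cred | Out-Null
New-AzSqlDatabase -ResourceGroupName $RgName -ServerName $SqlServer -DatabaseName $DbName -Edition Basic | Out-Null

# Step 5: firewall rules. 0.0.0.0-0.0.0.0 is the special rule for Azure services; the second is our client.
New-AzSqlServerFirewallRule -ResourceGroupName $RgName -ServerName $SqlServer `
    -FirewallRuleName 'AllowAzureServices' -StartIpAddress '0.0.0.0' -EndIpAddress '0.0.0.0' | Out-Null
New-AzSqlServerFirewallRule -ResourceGroupName $RgName -ServerName $SqlServer `
    -FirewallRuleName 'AllowClient' -StartIpAddress $ClientIp -EndIpAddress $ClientIp | Out-Null

# Steps 6-7: build the connection string and store it as a Key Vault secret (one-time setup).
$plainPwd = [System.Net.NetworkCredential]::new('', $AdminPassword).Password
$connStr  = "Server=tcp:$SqlServer.database.windows.net,1433;Database=$DbName;User ID=$AdminUser;Password=$plainPwd;Encrypt=True;"
New-AzKeyVault -Name $VaultName -ResourceGroupName $RgName -Location $Location | Out-Null
Set-AzKeyVaultSecret -VaultName $VaultName -Name 'SqlConnectionString' `
    -SecretValue (ConvertTo-SecureString $connStr -AsPlainText -Force) | Out-Null
Remove-Variable plainPwd, connStr   # the application part below must not rely on these

# Step 8: the application fetches the secret from the vault at runtime instead of a config file.
$secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name 'SqlConnectionString' -AsPlainText
$conn = New-Object System.Data.SqlClient.SqlConnection $secret
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = "CREATE TABLE Demo (Id INT PRIMARY KEY, Note NVARCHAR(50)); INSERT INTO Demo VALUES (1, N'read from Key Vault');"
$cmd.ExecuteNonQuery() | Out-Null
$conn.Close()
```

Once the secret exists, only the Step 8 part belongs in the application; the provisioning steps run once and can be dropped, as the text describes. Rotating the SQL password then means updating the vault secret, with no application change.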

With this, we don't need to put the connection string anywhere in the program. We can get it directly from the Key Vault whenever we need it, which keeps it secure.

There is one more perspective. In the case of storage keys, for example, it is recommended to rotate them periodically so that no one can break or guess them. If we store a key in the config file, then every time the key changes we need to update the application config file. If we keep the keys in Azure Key Vault and reference them from there, we just need to update the Key Vault secret and no application change is required.

Here is the PowerShell script screenshot. The code is kept at https://github.com/mdaslamansari/azurekeyvault-powershellexample

In the next article, I will use Visual Studio and an ASP.Net application to demonstrate it, so stay tuned!

–End of the Article—
