Azure Key Vault – Visual Studio (ASP.Net Website)


In my last article, I demonstrated that all sensitive information can be kept in Azure Key Vault and then accessed from the application. Applications do not need to keep sensitive information such as database connection strings or storage keys in config files; instead they can fetch it from Key Vault at runtime. This helps us achieve the security goal, which is of paramount importance.

Here in this article, I have implemented the below architecture.

Let me explain the above architecture –

  1. The first step is to create an Azure SQL database. It can be created and configured (for example, firewall settings) using the PowerShell script from my last article, or directly in the Azure Portal. Once the database is created and configured, get its connection string.
  2. The next step is to create an Azure Key Vault and add a secret holding the database connection string. Once done, get the Secret Identifier (dbConnectionSecretURI) from Key Vault.

  3. Now create a web application in Azure App Services. Again, this can be done using PowerShell, the CLI or the Portal. Please refer to these articles for more details – https://mdaslam.wordpress.com/2018/09/03/microsoft-azure-app-services-powershell-arm-vsts-cicd/ and https://mdaslam.wordpress.com/2018/08/28/microsoft-azure-app-services-simple-web-app/
  4. Once the web application is created, the next important step is to register the application in Azure Active Directory. To do so, go to the Azure Active Directory tab and select “App Registrations” as shown below –

  5. Once the application is registered, the screen below will appear –

    Please note the Application ID from the above screen.

  6. Click on the Settings link in the above screen. On the screen that appears, select the “Keys” tab.

  7. Enter a description and an expiry duration in the screen below and click Save. Once saved, the client secret key will be generated. Copy this key right away: once you leave this blade, it cannot be retrieved again and you will have to create a new one instead.

  8. Once the application is registered in AAD, we need to define the access policies in Azure Key Vault. With these defined, Key Vault can authenticate the application and authorize its requests to read the secrets.
  9. By this step, you have the following values, which the .NET application needs in order to access the Key Vault –
    1. Client ID (Application ID)
    2. Client Secret
    3. DBConnectionSecretURI
  10. The above values need to be added to the application config file, web.config in our case, as –

  11. Developers can write the code in any language, say .NET or Java or whatever is needed. They can then publish the code to Azure and test the application for database access.
  12. I have written ASP.NET code in Visual Studio 2017 and implemented the above architecture. Please note that I have used the two NuGet packages below, which need to be added to the project –
    1. Microsoft.Azure.KeyVault
    2. Microsoft.IdentityModel.Clients.ActiveDirectory
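As an added example (not the author's code), here is the runtime lookup the two NuGet packages above support: an ADAL client-credential callback plugged into KeyVaultClient, with the three values from step 9 read from web.config. The appSettings key names ClientId, ClientSecret and DBConnectionSecretURI are assumptions, since the page's web.config screenshot is not reproduced.

```csharp
// Assumed web.config appSettings (the page's screenshot of this file is not reproduced):
//   <add key="ClientId" value="<Application ID from App Registrations>" />
//   <add key="ClientSecret" value="<key generated under Settings > Keys>" />
//   <add key="DBConnectionSecretURI" value="https://<vault>.vault.azure.net/secrets/<name>/<version>" />
using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class KeyVaultSecrets
{
    private static readonly string ClientId = ConfigurationManager.AppSettings["ClientId"];
    private static readonly string ClientSecret = ConfigurationManager.AppSettings["ClientSecret"];
    private static readonly string DbConnectionSecretUri = ConfigurationManager.AppSettings["DBConnectionSecretURI"];

    // KeyVaultClient invokes this callback; it exchanges the AAD client credential
    // (Application ID + client secret from the app registration) for a bearer token for
    // the Key Vault resource. 'authority' and 'resource' are supplied by the SDK from the
    // vault's 401 challenge, so no tenant or resource URL needs to be hard-coded.
    private static async Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
    {
        var authContext = new AuthenticationContext(authority);
        var credential = new ClientCredential(ClientId, ClientSecret);
        AuthenticationResult result = await authContext.AcquireTokenAsync(resource, credential);
        if (result == null)
        {
            throw new InvalidOperationException("Could not obtain an access token for Key Vault.");
        }
        return result.AccessToken;
    }

    // Reads the database connection string from the vault at runtime via the Secret
    // Identifier from step 2. The value is returned to the caller and never written back
    // to config or logs; the access policy from step 8 must grant this app registration
    // 'Get' on secrets, otherwise the call fails with 403.
    public static async Task<string> GetDbConnectionStringAsync()
    {
        var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync));
        SecretBundle secret = await client.GetSecretAsync(DbConnectionSecretUri);
        return secret.Value;
    }
}
```

Call GetDbConnectionStringAsync() once at startup (for example from Application_Start) and pass the result to your SqlConnection, so web.config holds only the client credential and the secret URI rather than the connection string itself.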