Quote of the Day

more Quotes

Categories

Recent Posts

Top Posts

Buy me a coffee

Tag Archives for " Azure Key Vault "

Authenticate against azure ad using certificate in a client credentials flow

Published November 13, 2021 in .NET , .NET core , ASP.NET core , Azure , Azure Active Directory , OAuth2 , OpenID Connect , security - 0 Comments

I have an API which needs to authenticate against azure ad to obtain an access token for calling another downstream API. When registering an application in azure AD for the caller API, I could either setup a shared secret or a certificate for the API to use as part of its credentials in a client credentials flow . In the past, I had always used a shared secret as it was more convenient and easier to setup. However, using certificate provides stronger security. After spending a few hours of googling and hacking, I was able to setup and use a certificate instead of a shared secret as credentials for the caller API to authenticate against azure AD.

Continue reading
Tags: Azure Key Vault , client credentials , digital certificate , digital signature , MSAL , self signed certificate , x509certificate

How to retrieve connection strings in azure key vault from ASP.NET using configuration builders, XML transformation and azure devops.

Published May 19, 2020 in .NET , Azure , Devops - 7 Comments

Configuration builders are mechanisms to retrieve connection strings from external sources. Using configuration builders, you may not have to do much codings besides installing packages and providing XML configurations for connecting to popular sources. In this post, I share with you my experience in using configuration builders for .NET to securely retrieve connection strings from an azure key vault. I’ll go over the setup and share some of the issues I face while integrating my app with azure key vault.

Continue reading
Tags: Azure Devops , Azure Key Vault , AzureKeyVaultConfigBuilder , ConfigurationBuilders , web.config , XML transformation

Securely log to blob storage using NLog with connection string in key vault.

Published March 21, 2020 in ASP.NET core , Azure , Logging - 0 Comments

If you do a simple google search on how to log to blob storage using NLog, you can find examples from the project page as well as posts from other developers. However, in most of the examples I have found, the connection string for the blob storage are directly embedded in the nlog.config file, which is not ideal. In this post, I show you another example of using NLog to log to azure blob storage, with the connection string coming from an azure key vault.

Continue reading

Tags: azure blob storage , Azure Key Vault , nlog , nlog azureblobstorage , nlog config

Connect to azure key vault from an ASP.NET core app using azure managed identity

Published November 23, 2019 in ASP.NET core , Azure , Azure Active Directory , security - 0 Comments

Of the three different ways to access an azure key vault from an ASP.NET core application, if your app runs on an azure resource, the best option is using azure managed identities for simplicity and the highest security. In this post, I go over how I configure the application and azure sides to leverage azure managed identities when accessing the key vault.

Continue reading

Tags: Azure Key Vault , AzureServiceTokenProvider , Managed identity , system-assigned identity , user-assigned identity

Access azure key vault from an ASP.NET core app on IIS using X.509 certificate

Published August 31, 2019 in .NET core , ASP.NET core , Azure , Azure Active Directory , IIS - 0 Comments

In this post, I go over in more details the steps of retrieving secrets from an azure key vault using client id and secret. This approach is one of the three ways to authenticate a Windows virtual machine against azure key vault. It is suitable if your app runs on a virtual machine which is not an azure resource and so cannot use azure managed identity.

At the high level, the process involves these steps:

  • Register the application in azure.
  • Generate and add a X.509 certificate into a certificate store.
  • Grant IIS_IUSRS user permission to access the private key of the certificate.
  • Upload the public key of the certificate to the app’s registration.
  • Grant the app access to the key vault.
  • Add codes to Startup file to authenticate against AD using the certificate.

You can find the sample project for this post here.

Continue reading

Tags: Azure Key Vault , GetPrivateKey , New-SelfSignedCertificate , ssl , X.509 certificate

Three ways of authenticating a Windows virtual machine against Azure Key Vault.

Published April 13, 2019 in .NET core , ASP.NET core , Azure , security - 2 Comments

In this post, I share three ways of gaining a Windows virtual machine access to a key vault. The machine can be an azure virtual machine or a non-azure machine such as your personal computer or a on premise server.

Continue reading

Tags: app id/secret , Azure Key Vault , Managed identity , system-assigned identity , user-assigned identity , X.509 certificate

Secure app settings in ASP.NET Core 2

Published August 20, 2018 in ASP.NET core , security - 0 Comments

Update: This post shows how to authenticate to azure key vault using app id/secret. However, this approach is less secure than using managed identity for azure resource and certificate for non-azure resource to grant the resource access to the key vault. For production environment, you should definitely consider using azure managed identity or certificate to authenticate and access azure key vault from your resource. Checkout my other post for more details.

In this blog post, I’ll show you the steps on  how to keep the credentials out of the source code of an ASP.NET Core app using Azure Key Vault.

If you want some convincing examples why leaving secrets in the source code is bad, check out this post. 

I assume you have some familiarity with developing an ASP.NET core 2 app. You also need an Azure subscription to register your application in Azure Active Directory and create an Azure key vault.

Basically the process involves these steps:

  1. Register your application in AAD and generate app secret.
  2. Set application id/secret using environment variables.
  3. Create an Azure Key Vault.
  4. Grant your app access to your key vault using access control.
  5. Specify URL to your vault in app settings.
  6. Load app id and secret from environment variables.
  7. Read secrets from Azure Key Vault.

Checkout the sample app for this post from my Git repo.

Continue reading

Tags: .NET core 2 , app secrets , ASP.NET core 2 , Azure Key Vault , HSM-backed keys