4

I would like to move the Storage and SQL connection strings from configuration files stored in the various projects of my solution to only be accessible in the Azure Portal.

Keeping connection strings in source control means that if anyone got a look at our code base they would have unlimited access to our Azure accounts.

In Azure Web Sites the connection strings can be set in the portal and will be kept when the next deployment occurs. Is it possible to do the same with Cloud Services?

Joseph Idziorek
Aran Mulholland

3 Answers

4

No, it is not possible. A cloud service is a VM; it is not an application that can consume connection strings.

If you have a continuous integration server, what you can do is this: before you deploy your app into the cloud service, run a script that changes the value of the connection string to what you like, and deploy that. In this way, the connection string is only visible in your CI server and not in your code.

Note, however, that if you already committed the connection strings to your codebase, there's no way to remove them from the history (unless you do a force push, which is not recommended).

Maria Ines Parnisari
  • Thanks for that, I can regenerate my keys and change the passwords so that the old ones are no longer in use. btw force push is only applicable when using git :) – Aran Mulholland May 28 '15 at 04:22
  • Oh, yes, sorry, I just assumed you used Git, or some form of version control. – Maria Ines Parnisari May 28 '15 at 04:23
  • I'm using TFS on this, which is probably git underneath but I will change the passwords and do as you suggest – Aran Mulholland May 28 '15 at 04:24
  • Ok. Just as an FYI though: TFS is *not* git: http://stackoverflow.com/questions/4415127/git-vs-team-foundation-server – Maria Ines Parnisari May 28 '15 at 04:27
  • If you're open to use Azure Key Vault for key management, you may find this blog post useful (at least for Storage keys): http://www.dushyantgill.com/blog/2015/04/26/say-goodbye-to-key-management-manage-access-to-azure-storage-data-using-azure-ad/ – Gaurav Mantri May 28 '15 at 04:51
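One way to script the CI step described in the answer above, as an added example that is not code from the answer or its comments: it fills the connection strings of a Web.config from environment variables held on the CI server, and refuses to continue if a real value was committed or a secret is missing. The `CONNSTR_` variable prefix, the function name and the sample config are assumptions made for illustration.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Assumption: the only value allowed in source control is this placeholder.
PLACEHOLDER = "SOME DUMMY VALUE"

# Constructed sample of a committed Web.config (not from a real project).
SAMPLE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="DBConnectionString" connectionString="SOME DUMMY VALUE" />
    <add name="StorageConnectionString" connectionString="SOME DUMMY VALUE" />
  </connectionStrings>
</configuration>"""


def inject_connection_strings(config_xml, env, prefix="CONNSTR_"):
    """Return config_xml with every connection string taken from env.

    Raises ValueError if the committed file already holds a real value
    (a secret leaked into source control) or if the CI server has no
    secret for an entry, so a dummy value is never deployed.
    """
    root = ET.fromstring(config_xml)
    for entry in root.findall("./connectionStrings/add"):
        name = entry.get("name")
        if entry.get("connectionString") != PLACEHOLDER:
            raise ValueError(f"{name}: non-placeholder value is committed")
        secret = env.get(prefix + name)
        if not secret:
            raise ValueError(f"{name}: {prefix}{name} is not set on the CI server")
        entry.set("connectionString", secret)
    # The secret is returned to the caller only; it is never printed or logged.
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage in the build, before packaging: python inject.py path/to/Web.config
    path = sys.argv[1]
    with open(path, encoding="utf-8") as f:
        patched = inject_connection_strings(f.read(), os.environ)
    with open(path, "w", encoding="utf-8") as f:
        f.write(patched)
```

ElementTree drops XML comments and the XML declaration when it re-serialises the file, which affects only the deployed copy, not the committed one.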
3

This should now be possible with Azure Key Vault. I haven't tried it - but plan to - but here's a good tutorial on getting started with Key Vault and then using Key Vault from a web app. Whether this works exactly the same for Cloud Services I'm not sure.

Rory
  • Yes you can do this, but then how do you hide the connection strings to Key Vault? Actually you can set up an identity that your VM can use to access Key Vault. – Aran Mulholland Apr 17 '19 at 14:47
0

This is really late, but if you have deployed your project as a web service, the easiest way to store connection strings securely is to go to:

Your App Service -> Configuration -> Connection Strings -> New connection string

Here, add the name of your connection string (say DBConnectionString) and the value of your connection string. This value should replace any dummy connection string with the name DBConnectionString inside your Web.config file with the value you added above.

Your Web.config file should contain what is shown below. Here you can replace SOME DUMMY VALUE with anything; the deployed service will take the connection string from the Azure portal. Local debugging will require you to add the connection string again.

<connectionStrings>
    <add name="DBConnectionString"
         connectionString="SOME DUMMY VALUE" />
</connectionStrings>
Kjartan