30

I am new in .NET Core and as far as I see from my search on the web, appsettings.Development.json is used for development config while developing the app and appsettings.Production.json is used on the published app in production server. Here are the example part that I set on both:

appsettings.Development.json:

"ConnectionStrings": {
  "DefaultConnection": "Server=localhost,21433;Initial Catalog=DemoDbDev;User Id=demouser;Password=******;" 
},

appsettings.Production.json:

"ConnectionStrings": {
  "DefaultConnection": "Server=demo-prod-db,1433;Initial Catalog=DemoDbProd;User Id=demouser;Password=******;" 
},

Here are some question that I need to be clarified:


1) What is the purpose of the appsettings.json? Is it used for default config or for the other settings that are not in the appsettings.Development.json or appsettings.Production.json?

2) Is the environment set on the launchSettings.json in the Properties folder? If so, should we manually update this file before publishing the app to the production server?

3) Is there anything that I should keep in mind regarding to Development and Production environment configs while developing and publishing my app (to IIS Server or Docker container)?

Any help would be really appreciated.

1 Answers1

18

1. About the environment

https://learn.microsoft.com/en-us/aspnet/core/fundamentals/environments?view=aspnetcore-5.0

TLDR; You can get the environment from an environment variable or the launch settings file. The latter is only used for local development.

To determine the runtime environment, ASP.NET Core reads from the following environment variables:

DOTNET_ENVIRONMENT ASPNETCORE_ENVIRONMENT when ConfigureWebHostDefaults is called. The default ASP.NET Core web app templates call ConfigureWebHostDefaults. The ASPNETCORE_ENVIRONMENT value overrides DOTNET_ENVIRONMENT. IHostEnvironment.EnvironmentName can be set to any value, but the following values are provided by the framework:

Development : The launchSettings.json file sets ASPNETCORE_ENVIRONMENT to Development on the local machine

Staging

Production : The default if DOTNET_ENVIRONMENT and ASPNETCORE_ENVIRONMENT have not been set.

2. Settings filled

https://learn.microsoft.com/en-us/aspnet/core/fundamentals/configuration/?view=aspnetcore-5.0

TLDR; You set the defaults and non changing values in the plain json and the overrides in the environment json, as you described.

The default JsonConfigurationProvider loads configuration in the following order:

  1. appsettings.json
  2. appsettings.Environment.json : For example, the appsettings.Production.json and appsettings.Development.json files.

The environment version of the file is loaded based on the IHostingEnvironment.EnvironmentName.

appsettings.Environment.json values override keys in appsettings.json.

3. Keep in mind

Secrets and passwords should not be stored for production environments in the configuration files.

Consider using services like key vault on azure or database encrypted configurations or build server variables that will override the environment specific secrets.

Athanasios Kataras
  • 25,191
  • 4
  • 32
  • 61
  • Many thanks, voted up. I need more clarification on the following issues: –  Feb 27 '21 at 11:56
  • **1.** I created a new `.NET Core` app, but there is only `DOTNET_ENVIRONMENT` variable in the `environmentVariables` section of `launchSettings.json`. Where is `ASPNETCORE_ENVIRONMENT` variable? –  Feb 27 '21 at 11:59
  • **2.** I searched on the project but there is neither `IHostingEnvironment` nor `IHostingEnvironment.EnvironmentName` in the project. On the other hand, could you please post an examples for `appsettings.json` using the connection strings above? What should it include and what should not? –  Feb 27 '21 at 12:03
  • **3.** Your suggestion on 3rd answer is very useful and important, thanks. But I always have a look at a proper way for keeping the secrets and passwords in my apps and finally I ended up the config files. Another option that I can use it database (I do not want to use `azure`). So, could you please clarify me what should I do in order to keep the secrets, etc. in the connection string above to keep database (I think it is the best option as I don't want to use azure)? But I am wondering if the keys are stored in dB, how can I access to that dB? By using a simple user who has READ privilage? –  Feb 27 '21 at 12:06
  • 1
    1. There isn't, you should define it – Athanasios Kataras Feb 27 '21 at 12:28
  • **1.** Where and how? Any example please (sorry I am really new in .NET Core)? –  Feb 27 '21 at 12:29
  • 1
    About 2. And 3. You can use ntlm authentication. https://stackoverflow.com/questions/46295932/ntlm-sql-connection-string for sql server. Depending on environment and db flavor, the solution could differ. – Athanasios Kataras Feb 27 '21 at 12:31
  • 1
    Examples about the first question here: https://stackoverflow.com/questions/41546943/how-to-set-aspnetcore-environment-to-be-considered-for-publishing-an-asp-net-cor – Athanasios Kataras Feb 27 '21 at 12:32
  • 2
    DOTNET_ENVIRONMENT replaces the Aspnet version and will work in both web and non web (console) scenarios. While the asp version will work for web apps only I suggest using the other version everywhere for standardization – pinkfloydx33 Feb 27 '21 at 15:56
  • 1
    Use azure keyvault, azure app configuration or some other secrets/config management system. NOTE that dotnet has several built in configuration providers (json files for example) and that there are many addon providers via nuget packages (azure keyvault, hashicorp vault, flat files, ini, custom settings retrieved from API, etc). The configuration system will layer these in the order the providers are added (last overwriting first). So you can have some base config in app.settings, env overrides in per-env json and then secrets from elsewhere that all coalesce into one configuration object – pinkfloydx33 Feb 27 '21 at 16:01
  • @AthanasiosKataras **1.** Which answer on the following page do you suggest? Because there are many different and unuseful answer there :( https://stackoverflow.com/questions/41546943/how-to-set-aspnetcore-environment-to-be-considered-for-publishing-an-asp-net-cor –  Feb 27 '21 at 17:23
  • @AthanasiosKataras for **2** and **3**, the answer is related to using Windows account, but I need an answer for keeping username and password in database or keep it encrypted in the appsetting.json file. What would you suggest for this? –  Feb 27 '21 at 17:27
  • @pinkfloydx33 Thanks a lot, as you suggest, I will use `DOTNET_ENVIRONMENT`. –  Feb 27 '21 at 17:29
  • @pinkfloydx33 Sorry, but I do not understand the other comment related to encryption of config. I just select a proper option e.g. keeping the secret and password of connectionString in database or just use it in the appsetting.json file as encrypted **without using an addon or azure**. Is that possible and what would you suggest? Any example reference please? –  Feb 27 '21 at 17:32
  • 1
    Well if you keep the password in the database, how are you going to connect to the database to retrieve it? Rule #1 should be don't hardcode secure values in source files/config files/source control. If you control the deployment process you can find a way to retrieve the secrets and write the config files at deployment time so that they include the secret only once deployed. If it's a server you own and nobody can access that's probably fine. What you do and how you do it will vary depending on your specific needs so it's hard to tell you exactly what to do. But we can tell you what not to do – pinkfloydx33 Feb 27 '21 at 18:00
  • @pinkfloydx33 What is the advantage (any advantage, even if silly or obsure) of using the less broad *ASPNETCORE_ENVIRONMENT* instead of *DOTNET_ENVIRONMENT*? I'm sure there are some cases since MS has made the distinction (and also applies it in the default templates). – Konrad Viltersten Jul 23 '23 at 11:42