4

I'm implementing AAD authentication on a .NET 5 API with the new library Microsoft.Identity.Web. The library exposes a method that only accepts an IConfiguration with a section that looks like the one below in appsettings.json.

Authentication method from Microsoft.Identity.Web in Startup.cs

public void ConfigureServices(IServiceCollection services)
{
    ...
    services.AddMicrosoftIdentityWebApiAuthentication(Configuration, "AzureAd");
    ...
}

appsettings.json

"AzureAd": {
    "Domain": "contoso.com",
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "00000000-0000-0000-0000-000000000000"
},

Now, the problem is, I'm using Azure to deploy this API, and of course all of these sensitive values are stored in Key Vault. So, I want to find a way of doing this:

services.AddMicrosoftIdentityWebApiAuthentication(new Configuration {
    Domain   = KeyVaultClient.GetSecret("domain"),
    Instance = KeyVaultClient.GetSecret("instance"),
    TenantId = KeyVaultClient.GetSecret("tenant"),
    ClientId = KeyVaultClient.GetSecret("client")
});

And at the same time, I can't find a way of creating this 'section' in Key Vault so that I'm able to do this:

services.AddMicrosoftIdentityWebApiAuthentication(KeyVaultClient.GetSecret("azureadconfig"));

How can I achieve one of these options, or how can I avoid depending on appsettings.json if I have all my values in Key Vault?

EDIT NOTE

I have the Key Vault as a Configuration Provider, but I don't know how to return those values in a Section way, as the method is expecting.

Aferrercrafter
  • Just to confirm, if you are running in Azure App Services, use this: https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references – silent Mar 04 '21 at 14:52
  • the problem is not getting the value from the Key Vault, the problem is the Key Vault getting that value as a 'section' of an IConfiguration – Aferrercrafter Mar 04 '21 at 15:09
  • that doesn't answer my question. If you are running in App Services, all app settings are loaded into env vars for easy consumption - directly from the ENVs or via IConfiguration etc – silent Mar 04 '21 at 15:18
  • I do have an Azure App Service, and I do have all those variables available with Key Vault as a Configuration Provider; the problem is not getting the values, I have easy access to all of them individually, but the method is expecting a Section from the Configuration provider, so what I don't know is how to form this section from these individual values. – Aferrercrafter Mar 04 '21 at 15:23
  • IIRC you can use double dashes in your secret names and .NET will treat those as sections. secretname: `Section--Itemname` – silent Mar 04 '21 at 15:24
  • What I'm saying is, consider that I do have key vault references on the pipeline, from all those values, how would you pass those values into the method? the method is expecting a section, not individual values – Aferrercrafter Mar 04 '21 at 15:25
  • @silent so basically my head was missing that basic information of naming standard; I added the four values in that way and it worked like a charm, it creates the section correctly – Aferrercrafter Mar 04 '21 at 15:47
  • glad to hear it. I'll put this in an answer – silent Mar 04 '21 at 15:48

2 Answers

13

You can use double dashes in your Key Vault secret names and .NET will treat those as sections. secretname: Section--Itemname

silent
  • Azure developers need to be aware of this, there's no mention of this anywhere. – abhijat_saxena Apr 08 '22 at 19:02
  • It's documented, but not immediately clear: "Create secrets in the key vault as name-value pairs. Azure Key Vault secret names are limited to alphanumeric characters and dashes. Hierarchical values (configuration sections) use -- (two dashes) as a delimiter, as colons aren't allowed in key vault secret names. Colons delimit a section from a subkey in ASP.NET Core configuration. The two-dash sequence is replaced with a colon when the secrets are loaded into the app's configuration." – ShellNinja Oct 05 '22 at 13:58
  • Use of `--` in Azure Key Vault for config values is mentioned here (https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-7.0#secret-storage-in-the-production-environment-with-azure-key-vault) in the 5th point – Serhat May 02 '23 at 08:25
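Putting the accepted answer and the comments together, the following is an added example (not code from the question, either answer, or the Microsoft.Identity.Web project) of a .NET 5 host that loads the `AzureAd` section from Key Vault and hands it to `AddMicrosoftIdentityWebApiAuthentication` unchanged. It assumes four secrets in the vault named `AzureAd--Instance`, `AzureAd--Domain`, `AzureAd--TenantId` and `AzureAd--ClientId`, a non-secret setting called `KeyVaultUri` (an assumed name) that holds the vault URL in appsettings.json or an App Service app setting, and the NuGet packages Azure.Identity, Azure.Extensions.AspNetCore.Configuration.Secrets and Microsoft.Identity.Web. The `PrefixKeyVaultSecretManager` class is an illustration written for this example, not part of any of those packages.

```csharp
// Program.cs and Startup.cs merged into one file for illustration (added example).
// Assumed Key Vault secret names (values are placeholders, not real identifiers):
//   AzureAd--Instance = https://login.microsoftonline.com/
//   AzureAd--Domain   = contoso.com
//   AzureAd--TenantId = 00000000-0000-0000-0000-000000000000
//   AzureAd--ClientId = 00000000-0000-0000-0000-000000000000
// The provider turns "--" into ":", so these surface as AzureAd:Instance, AzureAd:Domain, ...
using System;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Identity.Web;

public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // The vault URI is not a secret; "KeyVaultUri" is an assumed setting name
                // read from the providers registered so far (appsettings.json, env vars).
                var vaultUri = config.Build()["KeyVaultUri"];
                if (string.IsNullOrEmpty(vaultUri))
                    throw new InvalidOperationException("KeyVaultUri is not configured.");

                // DefaultAzureCredential uses the App Service managed identity in Azure and
                // the developer's az login / Visual Studio identity locally: no client
                // secret for the vault itself has to live in code or config.
                config.AddAzureKeyVault(
                    new Uri(vaultUri),
                    new DefaultAzureCredential(),
                    new PrefixKeyVaultSecretManager("AzureAd"));
            })
            .ConfigureWebHostDefaults(web => web.UseStartup<Startup>());
}

// Illustrative manager (not part of the library): loads only secrets whose name starts with
// "AzureAd--". The "--" to ":" key mapping is left to the base class, so "AzureAd--TenantId"
// still becomes the configuration key "AzureAd:TenantId". Filtering keeps unrelated secrets
// from a shared vault out of this process's configuration.
public class PrefixKeyVaultSecretManager : KeyVaultSecretManager
{
    private readonly string _prefix;

    public PrefixKeyVaultSecretManager(string section) => _prefix = section + "--";

    public override bool Load(SecretProperties properties) =>
        properties.Name.StartsWith(_prefix, StringComparison.OrdinalIgnoreCase);
}

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Fail fast: if the secrets were named without "--" (or the identity cannot read
        // the vault) the section is empty, and the bearer handler would otherwise start
        // with no authority/audience instead of refusing to start.
        var azureAd = Configuration.GetSection("AzureAd");
        if (!azureAd.Exists()
            || string.IsNullOrEmpty(azureAd["TenantId"])
            || string.IsNullOrEmpty(azureAd["ClientId"]))
        {
            throw new InvalidOperationException(
                "AzureAd:TenantId and AzureAd:ClientId are missing; expected Key Vault secrets " +
                "AzureAd--TenantId and AzureAd--ClientId.");
        }

        // Same call as in the question; the section now comes from Key Vault, not appsettings.json.
        services.AddMicrosoftIdentityWebApiAuthentication(Configuration, "AzureAd");
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

The same naming rule applies to the App Service Key Vault references mentioned in the comments on the question: an app setting named `AzureAd__TenantId` (double underscore, since the environment-variable provider maps `__` to `:`) whose value is a `@Microsoft.KeyVault(...)` reference lands in `IConfiguration` as `AzureAd:TenantId`, and `GetSection("AzureAd")` then works without registering the Key Vault provider in code at all. In both cases the identity that reads the vault only needs the secrets `get` and `list` permissions (or the Key Vault Secrets User role), not key or certificate rights.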
3

First off, none of those values is exactly a secret. So they don't necessarily need to be in Key Vault.

But if you want them there anyway, you need to add the Key Vault as a configuration provider. Then Key Vault secrets will be available through IConfiguration like the settings from appsettings.json.

I wrote an article on the topic (using Managed Identity to connect to Key Vault too): https://joonasw.net/view/aspnet-core-azure-keyvault-msi.

juunas
  • I have Key Vault as a configuration provider, but the function is expecting a 'section'; how can the Key Vault return this section? – Aferrercrafter Mar 04 '21 at 15:07
  • All settings in ASP.NET Core end up as single settings actually. If you have two env vars "Section__Setting1" and "Section__Setting2", it'll work the same as JSON `{ "Section": { "Setting1":"a","Setting2":"b" } }`. The JSON configuration provider just interprets objects as having the same key prefix. In Key Vault you add the settings as `Section--SettingName`. – juunas Mar 04 '21 at 15:57