How to Override Web.config values with Azure KeyVault in .NET Framework 4.7.1

Question

How can I implement Microsoft's Azure KeyVault in a ASP.NET Framework 4.7.1 WebForms application to override values in web.config with values from KeyVault? I do see references that we need a minimum version of .NET Framework 4.7.1 in order to do it but the examples Microsoft provides are for .NET Core. I have my configs as web.config files instead of appsettings.json. I also have Global.asax.cs files instead of Startup.cs and Program.cs.

score 5 · Answer 1 · edited Jul 04 '23 at 20:37

To implement Microsoft's Azure KeyVault in a ASP.NET Framework 4.7.1 WebForms application , first you need to create an Azure Key Vault.

You need to provide a resource group, unique name and location ,then click on Review + Create.
Can refer Steps to create Azure keyvault here>>(https://learn.microsoft.com/en-us/azure/key-vault/quick-create-portal)
Next select the Secrets blade and add your app settings and connection strings that can be accessed in web.config file . You can click on the Generate/Import button and choose the Upload options as Manual. Then configure your app settings and connection strings - keys and values to the Name and Value options. And keep other options as default.

Configuration builders in ASP.NET provide a way to modify and/or override the values coming from your configuration files (Web.config in the case of ASP.NET) by using different sources (environment variables, Key Vault, etc.).

Connecting to Azure Key Vault:

To connect to Azure Key Vault from Visual Studio, you need to right click on the project and select Add > Connected Service menu.
From the options, choose Secure Secrets with Azure Key Vault option.

Now you may need to sign in if not already signed in to your account and then select rquired key vault from the list.
And click on the Add button to add key vault reference to your application. This will add reference of the NuGet package Microsoft.Configuration.ConfigurationBuilders.Azure to the project.

Also it will add some configuration in the Web.Config file.

(OR)

In Solution Explorer, right-click on your project, and select Manage NuGet Packages. In the Browse tab, locate and install Microsoft.Configuration.ConfigurationBuilders.Azure

Open your web.config file, and write the following code:

a) Add configSections and configBuilders as below with your keyvault name

     <configSections>
        <section
            name="configBuilders"
            type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
            restartOnExternalChanges="false"
            requirePermission="false" />
     </configSections>
     <configBuilders>
        <builders>
        <add
                name="AzureKeyVault"
                vaultName="vaultname"
                type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=1.0.0.0, Culture=neutral"
                vaultUri="https://vaultname.vault.azure.net" />
        </builders>
     </configBuilders>

b) Find the appSettings tag, add an attribute configBuilders="AzureKeyVault", and add a line as below:


    <appSettings configBuilders="AzureKeyVault">
      <add key="webpages:Version" value="3.0.0.0" />
      <add key="webpages:Enabled" value="false" />
      <add key="ClientValidationEnabled" value="true" />
      <add key="UnobtrusiveJavaScriptEnabled" value="true" />
      <add key="TextAnalyticsKey" value="from key vault" />
    </appSettings>

    <connectionStrings configBuilders="AzureKeyVault">
      <add name="DefaultConnection" connectionString="from key vault" providerName="System.Data.SqlClient" />
      <add key="StorageConnectionString" value="from key vault" />
    </connectionStrings>

c) Edit the About method in HomeController.cs, to display the value for confirmation.

    public ActionResult About()
    {
        ViewBag.Message = "Key vault value = " + ConfigurationManager.AppSettings["TextAnalyticsKey"];
    }

This way you can connect and use Azure Key Vault in your classic ASP.NET MVC applications,if you’re application running is using .NET Framework 4.7 or later versions.

You can refer following documents for the detailed explaination of the same :

https://learn.microsoft.com/en-us/azure/key-vault/general/vs-key-vault-add-connected-service#added-references-for-aspnet-framework
https://dotnetthoughts.net/azure-key-vault-in-aspnet-mvc/ helps you how to connect and use Azure Key Vault in your ASP.NET MVC application.

Hello, Thanks for the information. However how will getting config setting from keyvault work when key name in `web.config` has a '.' character? Like so: ``. KeyVault does not support the period character so I have replaced with a dash character. Is there a way to transform the secret name coming from KeyVault so that it matches what is in `web.config`? — Bmoe, Jun 23 '21 at 15:15
Refer this link https://stackoverflow.com/questions/59098513/how-do-i-rename-all-secrets-in-an-azure-key-vault >Is this question similar to what you asked? — kavyaS, Jun 23 '21 at 15:49
Hi. I don't need to rename them in KeyVault. Need to rename them after I've fetched the secrets. I basically need an equivalent of the `KeyVaultSecretManager` like shown here: https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-3.1#use-a-key-name-prefix . Difference is, I need option to not pass a prefix and instead of `appsettings.json` I have a `web.config` file. — Bmoe, Jun 23 '21 at 17:37
So say in keyvault i have a secret named `DB-StorageConnectionString`. When I load that secret, i need the name transformed to `DB.StorageConnectionString` so that the key in my config file is found. — Bmoe, Jun 23 '21 at 17:39
you may want to take a look at this >>https://www.c-sharpcorner.com/article/integrating-azure-key-vaults-with-classic-asp-net-applications/ — kavyaS, Jun 24 '21 at 04:51
Thanks for the article. I may have missed it but where in the attached link does it show me to rename the secret as I have stated previously? — Bmoe, Jun 25 '21 at 02:14
@Bmoe: I only heard Azure Key Vault can't use colon as a separator (https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-5.0#bind-an-array-to-a-class), but I didn't know you can't use the dot. Where did you get that information? — David Liang, Oct 22 '21 at 18:53
By default Azure.Identity 1.1.1 is installed, which does not support Visual Studio Credential. You can update package reference manually to 1.2+ use Visual Studio Credential. Also, this line should be manually modified: — Deisbel R Diaz, Nov 01 '21 at 17:57

How to Override Web.config values with Azure KeyVault in .NET Framework 4.7.1

1 Answers1

Linked