How to get connection string out of Azure KeyVault?

c# azure security connection-string azure-keyvault
Ian Boyd picture Ian Boyd · May 1, 2017 · Viewed 31.1k times · Source

A hypothetical web-site currently connects using:

public SqlConnection CreateConnection()
{
   DbConnection connection = new SqlConnection();
   connection.ConnectionString = GetConnectionString();
   connection.Open();

   return connection;
}

Where the magical connection string is stored in web.config:

String GetConnectionString()
{
   //Get the connection string info from web.config
   ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings["db"];

   if (cs == null)
      throw new Exception("Could not locate DB connection string");

   return cs.ConnectionString;
}

Now i'd like to move the connection string out of the web.config file into Azure KeyVault. How do you retrieve anything out of the Azure key vault?

String GetConnectionString()
{
   //Get the connection string info from Azure KeyVault
   String connectionString = GetAzureSecret("dbConnectionString");

   if (String.IsNullOrWhitespace(connectionString)
      throw new Exception.Create("Could not connection string of Azure Key Vault");

   return connectionString;
}

Except i just made up the easy-to-use Azure API. What is the actual api?

Untested attempt

string GetAzureSecret(string key)
{
    KeyVaultClient vault = new KeyVaultClient();
    vault.OnAuthenticate += VaultClientAuthenticate;

    var sec = await vault.GetSecretAsync(Key);
    return sec.Value;
}

public static async Task<string> VaultClientAuthenticate(string authority, string resource, string scope)
{
   String clientID = "8675209";
   String clientSecret = "correct battery horse pencil";

   var authContext = new AuthenticationContext(authority);
   ClientCredential clientCred = new ClientCredential(clientID, clientSecret);
   AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);

   if (result == null)
      throw new Exception("Could not acquire token");

   return result.AccessToken;
}

Bonus Reading

Answer

Tom Sun - MSFT picture Tom Sun - MSFT · May 2, 2017

What is the actual api?

We could use the GetSecret API to get value.

Preparation:

Registry Azure Active Directory application and assign Role

Steps:

1.Create KeyVault and add secret from Azure portal

enter image description here

2.Config Access policy

enter image description here

3.Get Access token

 var context = new AuthenticationContext("https://login.windows.net/" + tenantId);
            ClientCredential clientCredential = new ClientCredential(appId, secretKey);
            var tokenResponse =await context.AcquireTokenAsync("https://vault.azure.net", clientCredential);
            var accessToken = tokenResponse.AccessToken;
            return accessToken;

Note: The resource for Keyvault is https://vault.azure.net

4.Test with Fiddler

enter image description here

We also can do that easily with SDK:

1.Create a console project and a Utils.cs file

public static string EncryptSecret { get; set; }
        static string appId = "Application ID";
        static string secretKey = "Secert key";
        static string tenantId = "TenantId";

        public static async Task<string> GetAccessToken(string azureTenantId,string azureAppId,string azureSecretKey)
        {

            var context = new AuthenticationContext("https://login.windows.net/" + tenantId);
            ClientCredential clientCredential = new ClientCredential(appId, secretKey);
            var tokenResponse =await context.AcquireTokenAsync("https://vault.azure.net", clientCredential);
            var accessToken = tokenResponse.AccessToken;
            return accessToken;
        }

2.Add the follow code in the main function and test it.

enter image description here

packages.config file

<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Hyak.Common" version="1.0.2" targetFramework="net452" />
  <package id="Microsoft.Azure.Common" version="2.0.4" targetFramework="net452" />
  <package id="Microsoft.Azure.Common.Dependencies" version="1.0.0" targetFramework="net452" />
  <package id="Microsoft.Azure.KeyVault" version="1.0.0" targetFramework="net452" />
  <package id="Microsoft.Bcl" version="1.1.9" targetFramework="net452" />
  <package id="Microsoft.Bcl.Async" version="1.0.168" targetFramework="net452" />
  <package id="Microsoft.Bcl.Build" version="1.0.14" targetFramework="net452" />
  <package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="3.13.9" targetFramework="net452" />
  <package id="Microsoft.Net.Http" version="2.2.22" targetFramework="net452" />
  <package id="Newtonsoft.Json" version="6.0.4" targetFramework="net452" />
</packages>

We also can get more information from CtrlDot mentioned document.

Related questions

What are the ways to secure Azure functions

I have written 5 Azure functions in Azure Portal using c#. Below are the steps to install my application:- Copy deployment scripts to the Edge node of the cluster Deployment scripts to do the following Call Azure functions to do …

Read More
Could not load file or assembly "System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

I've copied my project to a clean Windows 10 machine with only Visual Studio 2015 Community and SQL Server 2016 Express installed. There are no other framework versions installed apart from those installed with Windows 10 and VS2015 or SQL Server. When I try …

Read More
Microsoft Azure: How to create sub directory in a blob container

How to create a sub directory in a blob container for example, in my blob container http://veda.blob.core.windows.net/document/ If I store some files it will be http://veda.blob.core.windows.net/document/1.txt http://…

Read More