Using secret store by Arcus Security Team

Using secret store
Arcus Security - Azure Security development in a breeze - Date: ?
[SHOWTOGROUPS=4,20]
Using secret store
As an alternative to placing secrets into an IConfiguration instance in your application, the Arcus.Security.Core package provides a concept called 'secret store'.

We provide an approach similar to how IConfiguration is built, but with a focus on secrets. You can pick and choose the secret providers you want to use and we’ll get the job done!

Once registered, you can fetch all secrets through ISecretProvider, which resolves them from all the different registered secret providers.

Installation
For this feature, the following package needs to be installed:

Код:
PM > Install-Package Arcus.Security.Core

Usage
The secret stores are configured during the initial application build-up in the Program.cs:

[core]
public class Program
{
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                config.AddJsonFile("appsettings.json")
                      .AddJsonFile("appsettings.Development.json");
            })
            .ConfigureSecretStore((context, config, builder) =>
            {
#if DEBUG
                builder.AddConfiguration(config);
#endif
                var keyVaultName = config["KeyVault_Name"];
                builder.AddEnvironmentVariables()
                       .AddAzureKeyVaultWithManagedServiceIdentity($"https://{keyVaultName}.vault.azure.net");
            })
            .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
}

Once the secret providers are defined, the ISecretProvider can be used as any other registered service:

[ApiController]
public class HealthController : ControllerBase
{
    public HealthController(ISecretProvider secretProvider)
    {
    }
}
[/core]
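As an added example (not code from the Arcus documentation or the Arcus project), here is one way a consumer of ISecretProvider can fail fast when a registered provider is misconfigured: a hosted service that resolves every secret the application needs at startup and stops the host if any is missing. The secret names, and the use of SecretNotFoundException from Arcus.Security.Core, are assumptions of this example; the hosted service only ever logs secret names, never values.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Arcus.Security.Core;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

// Added example (not Arcus code): verify at startup that every required secret can be
// resolved through the secret store, so a wrong vault name, a missing managed identity
// assignment or an unset environment variable surfaces at deployment time rather than
// on the first request. The secret names below are assumptions for this example.
public class RequiredSecretsCheck : IHostedService
{
    private static readonly string[] RequiredSecretNames =
    {
        "Database-ConnectionString",
        "Orders-ApiKey",
    };

    private readonly ISecretProvider _secretProvider;
    private readonly ILogger<RequiredSecretsCheck> _logger;

    public RequiredSecretsCheck(ISecretProvider secretProvider, ILogger<RequiredSecretsCheck> logger)
    {
        _secretProvider = secretProvider;
        _logger = logger;
    }

    public async Task StartAsync(CancellationToken cancellationToken)
    {
        var missing = new List<string>();

        foreach (string secretName in RequiredSecretNames)
        {
            cancellationToken.ThrowIfCancellationRequested();
            try
            {
                // Resolved from whichever registered provider holds the secret.
                string value = await _secretProvider.GetRawSecretAsync(secretName);
                bool resolved = !string.IsNullOrEmpty(value);
                if (!resolved)
                {
                    missing.Add(secretName);
                }

                // Only the name and a boolean reach the log; the value is discarded.
                _logger.LogInformation("Secret '{SecretName}' resolved: {Resolved}", secretName, resolved);
            }
            catch (SecretNotFoundException)
            {
                missing.Add(secretName);
            }
        }

        if (missing.Count > 0)
        {
            // Throwing from StartAsync aborts host start-up.
            throw new InvalidOperationException(
                $"Required secrets not available in any registered secret provider: {string.Join(", ", missing)}");
        }
    }

    public Task StopAsync(CancellationToken cancellationToken) => Task.CompletedTask;
}

// Registration in Startup.ConfigureServices (ISecretProvider itself is registered by ConfigureSecretStore):
//   services.AddHostedService<RequiredSecretsCheck>();
```

Because the check runs inside the host, it exercises exactly the provider chain configured in ConfigureSecretStore, including the managed identity the process actually runs under.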

Built-in secret providers
Several built-in secret providers are available in the package:
  • Environment variables
  • Configuration
  • Azure key vault

Environment variables secret provider
Environment variable secret provider brings environment variables as secrets to your application.

Installation
The environment variable secret provider is built-in as part of the package Arcus.Security.Core.

Configuration
The secret provider is available as an extension.
Код:
public class Program
{
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    public static IHostBuilder CreateHostBuilder(string[] args)
    {
        return Host.CreateDefaultBuilder(args)
            .ConfigureSecretStore((context, config, builder) =>
            {
                builder.AddEnvironmentVariables();
            })
            .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
    }
}

Configuration secret provider
Configuration secret provider brings you all registered configuration providers of .NET Core by using IConfiguration to your application.

:warning:
When using the configuration secret provider, it will look for secrets in all registered configuration sources (including plain-text files such as appsettings.json), which is not secure. This provider should only be used for development.
Installation
The configuration secret provider is built-in as part of the package Arcus.Security.Core.

Configuration
Код:
public class Program
{
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    public static IHostBuilder CreateHostBuilder(string[] args)
    {
        return Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                config.AddJsonFile("appsettings.json")
                      .AddJsonFile("appsettings.Development.json");
            })
            .ConfigureSecretStore((HostBuilderContext context, IConfiguration config, SecretStoreBuilder builder) =>
            {
#if DEBUG
                builder.AddConfiguration(config);
#endif
            })
            .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
    }
}
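The snippet above gates the configuration provider on the DEBUG compile-time symbol, so a Debug build that is shipped by mistake still exposes every configuration source as a secret source. As an added example (not Arcus code), the variant below gates on the runtime hosting environment instead, which is decided by ASPNETCORE_ENVIRONMENT / DOTNET_ENVIRONMENT when the process starts; the namespace of SecretStoreBuilder is assumed to be Arcus.Security.Core.

```csharp
using Arcus.Security.Core;              // SecretStoreBuilder (assumed namespace)
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

// Added example (not Arcus code): register the configuration secret provider only when the
// host runs in the Development environment, independent of the build configuration.
public class Program
{
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    public static IHostBuilder CreateHostBuilder(string[] args)
    {
        return Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                config.AddJsonFile("appsettings.json")
                      .AddJsonFile($"appsettings.{context.HostingEnvironment.EnvironmentName}.json", optional: true);
            })
            .ConfigureSecretStore((HostBuilderContext context, IConfiguration config, SecretStoreBuilder builder) =>
            {
                // IsDevelopment() is evaluated at run time, so a Release or Debug binary behaves
                // the same way: configuration sources are only treated as secrets on a developer box.
                if (context.HostingEnvironment.IsDevelopment())
                {
                    builder.AddConfiguration(config);
                }

                // Providers that are acceptable in every environment.
                builder.AddEnvironmentVariables();
            })
            .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
    }
}
```

A deployment pipeline can then assert that production hosts never set the environment to Development, which is a far easier invariant to check than the build configuration of every artifact.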

Azure Key Vault secret provider
Azure Key Vault secret provider brings secrets from Azure Key Vault to your application.

Installation
Adding secrets from Azure Key Vault into the secret store requires the following package:
Код:
PM > Install-Package Arcus.Security.Providers.AzureKeyVault

Configuration
After installing the package, additional extensions become available when building the secret store.
Код:
public class Program
{
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    public static IHostBuilder CreateHostBuilder(string[] args)
    {
        return Host.CreateDefaultBuilder(args)
            .ConfigureSecretStore((context, config, builder) =>
            {
                // The vault URI is built from the (non-secret) vault name in configuration,
                // as in the first example on this page.
                var keyVaultName = config["KeyVault_Name"];
                var keyVaultUri = $"https://{keyVaultName}.vault.azure.net";

                // Adding the Azure Key Vault secret provider with the built-in overloads
                builder.AddAzureKeyVaultWithManagedServiceIdentity(keyVaultUri);

                // Several other built-in overloads are available too:
                // `AddAzureKeyVaultWithServicePrincipal`
                // `AddAzureKeyVaultWithCertificate`

                // Or, alternatively, using the fully customizable approach.
                var vaultAuthentication = new ManagedServiceIdentityAuthentication();
                var vaultConfiguration = new KeyVaultConfiguration(keyVaultUri);

                builder.AddAzureKeyVault(vaultAuthentication, vaultConfiguration);

                // Adding a default cached variant of the Azure Key Vault provider (default: 5 min caching).
                builder.AddAzureKeyVaultWithManagedServiceIdentity(keyVaultUri, allowCaching: true);

                // Adding a configurable cached variant of the Azure Key Vault provider.
                var cacheConfiguration = new CacheConfiguration(TimeSpan.FromMinutes(1));
                builder.AddAzureKeyVaultWithManagedServiceIdentity(keyVaultUri, cacheConfiguration);
            })
            .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
    }
}
```
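Caching trades freshness for fewer Key Vault round-trips, so a secret rotated in the vault keeps being served from the cache until the window expires. As an added example (not Arcus code), the client below tolerates that: on a 401 from the downstream service it drops the cached copy, re-reads the current value and retries exactly once. It assumes that registering a cached provider also makes ICachedSecretProvider (assumed namespace Arcus.Security.Core.Caching, with GetRawSecretAsync(name, ignoreCache) and InvalidateSecretAsync(name)) injectable; the secret name and the downstream URL are placeholders for this example.

```csharp
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Arcus.Security.Core.Caching;   // ICachedSecretProvider (assumed namespace)
using Microsoft.Extensions.Logging;

// Added example (not Arcus code): a downstream client that survives key rotation while the
// cached Key Vault provider is registered. Secret name and endpoint are assumptions.
public class PartnerClient
{
    private const string ApiKeySecretName = "Partner-ApiKey";
    private const string ReportUrl = "https://partner.example.invalid/report";

    private readonly HttpClient _httpClient;
    private readonly ICachedSecretProvider _secretProvider;
    private readonly ILogger<PartnerClient> _logger;

    public PartnerClient(HttpClient httpClient, ICachedSecretProvider secretProvider, ILogger<PartnerClient> logger)
    {
        _httpClient = httpClient;
        _secretProvider = secretProvider;
        _logger = logger;
    }

    public async Task<string> GetReportAsync()
    {
        // First attempt uses whatever the cache holds (at most one cache window old).
        string apiKey = await _secretProvider.GetRawSecretAsync(ApiKeySecretName);
        HttpResponseMessage response = await SendAsync(apiKey);
        if (response.StatusCode != HttpStatusCode.Unauthorized)
        {
            return await ReadAsync(response);
        }

        // The key may have been rotated in Key Vault after it was cached: invalidate the cached
        // entry, fetch the current version bypassing the cache, and retry exactly once.
        // Only the secret name is logged, never the value.
        response.Dispose();
        _logger.LogWarning("Downstream rejected secret '{SecretName}'; invalidating cache and retrying once", ApiKeySecretName);
        await _secretProvider.InvalidateSecretAsync(ApiKeySecretName);
        apiKey = await _secretProvider.GetRawSecretAsync(ApiKeySecretName, ignoreCache: true);
        response = await SendAsync(apiKey);
        return await ReadAsync(response);
    }

    private Task<HttpResponseMessage> SendAsync(string apiKey)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, ReportUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", apiKey);
        return _httpClient.SendAsync(request);
    }

    private static async Task<string> ReadAsync(HttpResponseMessage response)
    {
        using (response)
        {
            // A second 401 after the refresh is a real authorization problem and propagates.
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }
}

// Registration in Startup.ConfigureServices:
//   services.AddHttpClient<PartnerClient>();
```

Limiting the retry to one attempt keeps a genuinely revoked key from turning into a loop of Key Vault reads, and invalidating a single secret name leaves the rest of the cache intact.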
[/SHOWTOGROUPS]