Using secret store
Arcus Security - Azure Security development in a breeze - Date: ?
As an alternative to placing secrets in an IConfiguration instance in your application, the Arcus.Security.Core package provides a concept called 'secret store'.
We provide an approach similar to how IConfiguration is built, but with a focus on secrets. You can pick and choose the secret providers you want to use and we'll get the job done!
Once registered, you can fetch all secrets through ISecretProvider, which retrieves secrets from all the different registered secret providers.
Installation
For this feature, the following package needs to be installed:
Code:
PM > Install-Package Arcus.Security.Core
Usage
The secret stores are configured during the initial application build-up in the Program.cs:
Code:
public class Program
{
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                config.AddJsonFile("appsettings.json")
                      .AddJsonFile("appsettings.Development.json");
            })
            .ConfigureSecretStore((context, config, builder) =>
            {
                // The configuration secret provider reads every configuration source; keep it to debug builds only.
#if DEBUG
                builder.AddConfiguration(config);
#endif
                var keyVaultName = config["KeyVault_Name"];
                builder.AddEnvironmentVariables()
                       .AddAzureKeyVaultWithManagedServiceIdentity($"https://{keyVaultName}.vault.azure.net");
            })
            .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
}
Once the secret providers are defined, the ISecretProvider can be used as any other registered service:
Code:
[ApiController]
public class HealthController : ControllerBase
{
    private readonly ISecretProvider _secretProvider;

    public HealthController(ISecretProvider secretProvider)
    {
        // Injected by the DI container; it queries every registered secret provider in registration order.
        _secretProvider = secretProvider;
    }
}
Built-in secret providers
Several built-in secret providers are available in the package:
- Environment variables
- Configuration
- Azure key vault
Environment variables secret provider
The environment variable secret provider exposes environment variables as secrets to your application.
Installation
The environment variable secret provider is built-in as part of the package Arcus.Security.Core.
Configuration
The secret provider is available as an extension.
Code:
public class Program
{
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    public static IHostBuilder CreateHostBuilder(string[] args)
    {
        return Host.CreateDefaultBuilder(args)
            .ConfigureSecretStore((context, config, builder) =>
            {
                // Registers environment variables as a secret source.
                builder.AddEnvironmentVariables();
            })
            .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
    }
}
Configuration secret provider
The configuration secret provider exposes all registered .NET Core configuration providers, through IConfiguration, as secrets to your application.
When using the configuration secret provider, it will look for secrets in all configuration sources, which is not secure. This provider should only be used for development.
Installation
The configuration secret provider is built-in as part of the package Arcus.Security.Core.
Configuration
Code:
public class Program
{
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    public static IHostBuilder CreateHostBuilder(string[] args)
    {
        return Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                config.AddJsonFile("appsettings.json")
                      .AddJsonFile("appsettings.Development.json");
            })
            .ConfigureSecretStore((HostBuilderContext context, IConfiguration config, SecretStoreBuilder builder) =>
            {
                // Development only: exposes every configuration value as a secret.
#if DEBUG
                builder.AddConfiguration(config);
#endif
            })
            .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
    }
}
Azure Key Vault secret provider
The Azure Key Vault secret provider brings secrets from Azure Key Vault into your application.
Installation
Adding secrets from Azure Key Vault to the secret store requires the following package:
Code:
PM > Install-Package Arcus.Security.Providers.AzureKeyVault
Configuration
After installing the package, the additional extensions become available when building the secret store.
Code:
public class Program
{
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    public static IHostBuilder CreateHostBuilder(string[] args)
    {
        return Host.CreateDefaultBuilder(args)
            .ConfigureSecretStore((context, config, builder) =>
            {
                // The vault URI is derived from configuration, as in the example above.
                var keyVaultUri = $"https://{config["KeyVault_Name"]}.vault.azure.net";

                // The registrations below show the available alternatives; pick one per vault.
                // Adding the Azure Key Vault secret provider with the built-in overloads
                builder.AddAzureKeyVaultWithManagedServiceIdentity(keyVaultUri);
                // Several other built-in overloads are available too:
                // `AddAzureKeyVaultWithServicePrincipal`
                // `AddAzureKeyVaultWithCertificate`

                // Or, alternatively, using the fully customizable approach.
                var vaultAuthentication = new ManagedServiceIdentityAuthentication();
                var vaultConfiguration = new KeyVaultConfiguration(keyVaultUri);
                builder.AddAzureKeyVault(vaultAuthentication, vaultConfiguration);

                // Adding a default cached variant of the Azure Key Vault provider (default: 5 min caching).
                builder.AddAzureKeyVaultWithManagedServiceIdentity(keyVaultUri, allowCaching: true);

                // Adding a configurable cached variant of the Azure Key Vault provider.
                var cacheConfiguration = new CacheConfiguration(TimeSpan.FromMinutes(1));
                builder.AddAzureKeyVaultWithManagedServiceIdentity(keyVaultUri, cacheConfiguration);
            })
            .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
    }
}
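The following is an added example, not code from the Arcus documentation: it gates the development-only configuration provider on the hosting environment rather than a compile-time symbol, and resolves the required secrets once at startup through ISecretProvider so a missing secret fails the host immediately. The configuration key KeyVault_Name follows the examples above; the secret names and the RequiredSecretsCheck class are assumed placeholders.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Arcus.Security.Core;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureSecretStore((context, config, builder) =>
            {
                // The configuration provider reads every configuration source, so only
                // register it when the host really runs as Development.
                if (context.HostingEnvironment.IsDevelopment())
                {
                    builder.AddConfiguration(config);
                }
                string keyVaultName = config["KeyVault_Name"]; // same key as the docs above
                builder.AddEnvironmentVariables()
                       .AddAzureKeyVaultWithManagedServiceIdentity(
                           $"https://{keyVaultName}.vault.azure.net", allowCaching: true);
            })
            .ConfigureServices(services => services.AddHostedService<RequiredSecretsCheck>());
}

// Hypothetical hosted service: checks each required secret once at startup.
public class RequiredSecretsCheck : IHostedService
{
    private static readonly string[] RequiredSecrets = { "Db-ConnectionString", "Queue-SasKey" }; // placeholders
    private readonly ISecretProvider _secretProvider;

    public RequiredSecretsCheck(ISecretProvider secretProvider) => _secretProvider = secretProvider;

    public async Task StartAsync(CancellationToken cancellationToken)
    {
        foreach (string name in RequiredSecrets)
        {
            string value = null;
            try { value = await _secretProvider.GetRawSecretAsync(name); } // only presence is checked
            catch (SecretNotFoundException) { }
            if (value is null)
                throw new InvalidOperationException($"Required secret '{name}' not found in any secret provider");
        }
    }

    public Task StopAsync(CancellationToken cancellationToken) => Task.CompletedTask;
}
```

The secret value is never logged; only its presence is verified, so startup logs do not leak secret material.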