# Using secret store
As an alternative to placing secrets in an `IConfiguration` instance in your application, the `Arcus.Security.Core` package provides a concept called the 'secret store'.
The approach is similar to how an `IConfiguration` is built, but with a focus on secrets: you pick and choose the secret providers you want to use, and the store takes care of the rest.
Once registered, you can fetch any secret through a single `ISecretProvider`, which queries all the registered secret providers.

Tip: see the section below if you want to use the secret store functionality within Azure Functions.
## Built-in secret providers

Several built-in secret providers are available in the package.
If you require an additional secret provider that is not available here, please see the document that describes how you can create your own secret provider.
## Installation

For this feature, the following package needs to be installed:

```shell
PM > Install-Package Arcus.Security.Core
```
## Usage

The secret stores are configured during the initial application build-up in `Program.cs`:

```csharp
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                config.AddJsonFile("appsettings.json")
                      // The development file is not present in a deployed environment.
                      .AddJsonFile("appsettings.Development.json", optional: true);
            })
            .ConfigureSecretStore((context, config, builder) =>
            {
#if DEBUG
                // Only in debug builds: treat plain configuration values as secrets for local development.
                builder.AddConfiguration(config);
#endif
                // Providers are queried in the order they are registered here.
                var keyVaultName = config["KeyVault_Name"];
                builder.AddEnvironmentVariables()
                       .AddAzureKeyVaultWithManagedServiceIdentity($"https://{keyVaultName}.vault.azure.net");
            })
            .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
}
```
Once the secret providers are defined, the `ISecretProvider` can be injected like any other registered service:

```csharp
using Arcus.Security.Core;
using Microsoft.AspNetCore.Mvc;

[ApiController]
public class HealthController : ControllerBase
{
    private readonly ISecretProvider _secretProvider;

    public HealthController(ISecretProvider secretProvider)
    {
        _secretProvider = secretProvider;
    }
}
```
## Using secret store within Azure Functions

### Installation

For this feature, the following package needs to be installed:

```shell
PM > Install-Package Arcus.Security.AzureFunctions
```
### Usage

The secret stores are configured during the initial application build-up in `Startup.cs`:

```csharp
using System;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;

[assembly: FunctionsStartup(typeof(MyHttpAzureFunction.Startup))]

namespace MyHttpAzureFunction
{
    public class Startup : FunctionsStartup
    {
        public override void Configure(IFunctionsHostBuilder builder)
        {
            builder.ConfigureSecretStore(stores =>
            {
                // No IConfiguration instance is passed to this lambda, so the vault name
                // is read from the function app's environment (application settings).
                var keyVaultName = Environment.GetEnvironmentVariable("KeyVault_Name");

                stores.AddEnvironmentVariables()
                      .AddAzureKeyVaultWithManagedServiceIdentity($"https://{keyVaultName}.vault.azure.net");
            });
        }
    }
}
```
Once the secret providers are defined, the `ISecretProvider` can be injected like any other registered service:

```csharp
using System.Threading.Tasks;
using Arcus.Security.Core;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

namespace Application
{
    public class MyHttpTrigger
    {
        private readonly ISecretProvider _secretProvider;

        public MyHttpTrigger(ISecretProvider secretProvider)
        {
            _secretProvider = secretProvider;
        }

        [FunctionName("MyHttpTrigger")]
        public Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
            ILogger log)
        {
            return Task.FromResult<IActionResult>(
                new OkObjectResult("Response from function with injected dependencies."));
        }
    }
}
```
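Both the controller and the function above only receive the `ISecretProvider`; the following added example (not part of the Arcus documentation or library) shows a host-agnostic service that actually resolves a secret through the aggregated store, fails closed when no registered provider can supply it, and logs only the secret's name and version. The secret name `ServiceBus-ConnectionString` and the class `QueueSettings` are assumptions for illustration.

```csharp
using System;
using System.Threading.Tasks;
using Arcus.Security.Core;
using Microsoft.Extensions.Logging;

// Example consumer of the secret store; QueueSettings is a hypothetical name.
public class QueueSettings
{
    // Assumed secret name; it must exist in one of the registered providers.
    private const string ConnectionStringSecretName = "ServiceBus-ConnectionString";

    private readonly ISecretProvider _secretProvider;
    private readonly ILogger<QueueSettings> _logger;

    public QueueSettings(ISecretProvider secretProvider, ILogger<QueueSettings> logger)
    {
        _secretProvider = secretProvider ?? throw new ArgumentNullException(nameof(secretProvider));
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
    }

    // Returns null when no provider can supply the secret, so the caller can
    // refuse to start instead of running with an empty connection string.
    public async Task<string> GetConnectionStringAsync()
    {
        try
        {
            // The store asks each registered provider in registration order
            // (for Program.cs above: configuration in DEBUG, then environment, then Key Vault)
            // and returns the first match.
            Secret secret = await _secretProvider.GetSecretAsync(ConnectionStringSecretName);

            // Log name and version only; the value itself must never reach the logs.
            _logger.LogInformation("Resolved secret {SecretName} (version {Version})",
                ConnectionStringSecretName, secret.Version);

            return secret.Value;
        }
        catch (SecretNotFoundException ex)
        {
            _logger.LogError(ex, "Secret {SecretName} was not found in any registered provider",
                ConnectionStringSecretName);
            return null;
        }
    }
}
```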