This is a brief post about how we can leverage Azure Key Vault to keep sensitive items within our application configuration secure. These configurations include items such as database connection strings, client application keys, passphrases, etc. Azure Key Vault is a robust solution. The full details on what Azure Key Vault (AKV) is and all the features included can be found here. What I am going to describe in this article is a small subset of what AKV offers. Although it's only a small subset, it is one that is extremely important and useful when securing our web applications.
In this day and age, we hear frequently about data breaches. Take for example the Equifax or Yahoo data breaches. Every action we can take to lock down access to secure information is important and necessary, period. I would suggest that some of these data breaches were likely from internal sources. I can't lay claim to that for sure, but after being a developer for close to 20 years, it's easy to see how it's not only possible but how shockingly easy it is to access sensitive information. That is, of course, if we have not taken the necessary precautions in limiting access. Any access to data from unscrupulous internal actors is far more dangerous than getting hacked, in my opinion. That being said, let's see how AKV can help us in that regard.
At a high level, this is what we can achieve via AKV:
- Keep the sensitive application configuration settings isolated from our applications and developers.
- Encrypt our sensitive information.
- Log any access to sensitive information within Azure Key Vault.
- Store our application secrets within Hardware Security Modules which are FIPS validated.
So How Do I Leverage Azure Key Vault with my .Net Core Web App?
We are going to complete the following steps to lock down our .Net Core Web App.
- Create an Azure Key Vault
- Add our configuration secrets to the AKV
- Lock down the Web App Service using a Managed Service Identity
- Access the configurations within AKV through source code and an MSI.
Create Azure Key Vault
Open your Azure portal and search for Azure Key Vault


Add Configurations To Azure Key Vault
Now that we have our Azure Key Vault, we can add client secrets into our AKV. To do that navigate to the AKV and select the Generate/Import Menu option.

Fill out the name and value of the configuration secret. This could be anything. A connection string, an access key etc.

Secure our Web Application using a Managed Service Identity
The next step is about setting up the ability for our web application to communicate with the Azure Key Vault. We are going to allow our web application to authenticate and leverage data within the AKV.
An important security aspect of our web application is that we want to keep various connection credentials secure. This means that credentials never appear on developers' workstations and also that none of the credentials are checked into source control systems like git. By creating a Managed Service Identity for our web application, we can allow our web app to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in code. The managed identities for Azure resources feature is free with Azure AD for Azure subscriptions. There's no additional cost. Let's see how this works.
First, select your web application from the web portal, navigate to the settings menu option, select and turn on system assigned identity.

So what we have done here is given our web application a Managed Service Identity. We can use this identity within the Access Policies of the Azure Key Vault.
Assign Web App Managed Service Identity to Azure Key Vault
Next, navigate back to the Azure Key Vault, and select “Access Policies”, as shown below.

This will bring up a blade where we give our web application access to our AKV.

We allow our application to have get and list permissions on our AKV.

Once completed you should have something that looks like the following:

Teach Our Web App Code To Read From Azure Key Vault
The last step is changing code within our web application to be able to connect to AKV and read in any client secrets it may require. Luckily there is an extension already created to give us the required plumbing code. To install this package locally use
Install-Package Microsoft.Azure.KeyVault
Once we have this extension installed, we can connect to AKV to get the data in our secrets. Here is sample code on how to read a secret value from AKV:
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;                    // KeyVaultClient, KeyVaultErrorException (Microsoft.Azure.KeyVault package)
using Microsoft.Azure.Services.AppAuthentication;  // AzureServiceTokenProvider (Microsoft.Azure.Services.AppAuthentication package)

public class KeyVaultSecretReader
{
    public async Task<string> GetValueFromAKV(string secret)
    {
        string secretValue = null;
        int retries = 0;
        bool retry;

        // The AppAuthentication library obtains a Key Vault token using the web app's
        // Managed Service Identity, so no credentials appear in code or configuration.
        var azureServiceTokenProvider = new AzureServiceTokenProvider();
        var keyVaultClient = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

        // The following do/while loop handles throttling errors thrown by Azure Key Vault.
        // It uses exponential backoff, which is the recommended client-side throttling.
        do
        {
            retry = false;
            try
            {
                var secretBundle = await keyVaultClient
                    .GetSecretAsync("https://<YourKeyVaultName>.vault.azure.net/secrets/" + secret)
                    .ConfigureAwait(false);
                secretValue = secretBundle.Value;
            }
            // KeyVaultErrorException is thrown when the operation returned an invalid status code.
            catch (KeyVaultErrorException keyVaultException)
            {
                if ((int)keyVaultException.Response.StatusCode == 429)
                {
                    // Throttled: wait (capped as in the original sample) before the next attempt.
                    long waitTime = Math.Min(getWaitTime(retries), 2000000);
                    await Task.Delay(TimeSpan.FromMilliseconds(waitTime)).ConfigureAwait(false);
                    retry = true;
                }
                else
                {
                    // Any other error (e.g. access denied, secret not found) is not retried.
                    throw;
                }
            }
        }
        while (retry && (retries++ < 10));

        return secretValue;
    }

    // This method implements exponential backoff if there are 429 errors from Azure Key Vault
    private static long getWaitTime(int retryCount)
    {
        long waitTime = ((long)Math.Pow(2, retryCount) * 100L);
        return waitTime;
    }
}
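Reading one secret at a time works, but an ASP.NET Core app usually wants its secrets to show up in the normal IConfiguration it already uses for appsettings.json. The following is an added example (not code from the original post) that wires the same Managed Service Identity into the configuration system at startup using the Microsoft.Extensions.Configuration.AzureKeyVault package. It assumes a Startup class exists and that a non-secret setting named KeyVaultName (a hypothetical key, holding only the vault name, never a credential) is present in appsettings.json or the App Service application settings.

```csharp
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;

public class Program
{
    public static void Main(string[] args) => BuildWebHost(args).Run();

    public static IWebHost BuildWebHost(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // appsettings.json and environment variables are already loaded by
                // CreateDefaultBuilder; Key Vault is layered on top so nothing sensitive
                // has to live in those files or in source control.
                var builtConfig = config.Build();

                // "KeyVaultName" is a hypothetical, non-secret setting: just the vault name.
                string vaultName = builtConfig["KeyVaultName"];
                if (string.IsNullOrEmpty(vaultName))
                {
                    return; // e.g. local development with no vault configured
                }

                // Token acquisition goes through the App Service's Managed Service Identity;
                // no client id or client secret appears anywhere in code or configuration.
                var tokenProvider = new AzureServiceTokenProvider();
                var keyVaultClient = new KeyVaultClient(
                    new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

                // Every secret the identity can list and get becomes an IConfiguration key.
                // Because the access policy grants only get and list on secrets, the app can
                // read them but can never create, delete or change them.
                config.AddAzureKeyVault(
                    $"https://{vaultName}.vault.azure.net/",
                    keyVaultClient,
                    new DefaultKeyVaultSecretManager());
            })
            .UseStartup<Startup>()
            .Build();
}
```

With this in place, a controller or service simply injects IConfiguration and reads Configuration["MyDbConnection"] exactly as it would for a value in appsettings.json, so there is nothing to change in the rest of the code base. DefaultKeyVaultSecretManager maps a double dash in a secret name to the configuration hierarchy separator, so a secret named ConnectionStrings--MyDb is readable as Configuration["ConnectionStrings:MyDb"]. During local development AzureServiceTokenProvider falls back to the developer's own Azure CLI or Visual Studio sign-in, so the vault name is still the only thing a workstation ever needs to know.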
Summary
The use of Azure Key Vault is a nice way to keep our client configuration settings outside of our applications. It ensures key values are not stored on developer machines or in git repositories. In this article we covered:
- How to set up an Azure Key Vault.
- How to add client secrets to Azure Key Vault
- How to create a Managed Service Identity (MSI) for a web application
- How to provide access into AKV for an MSI
- Sample code on how to connect to AKV from C# code.
