Azure Key Vault is a cloud service for securely storing and managing secrets, keys, and certificates. Below is a step-by-step guide to integrating Azure Key Vault with a .NET application.
1️⃣ Prerequisites
- ✔️ Azure Subscription: If you don't have one, create a free account.
- ✔️ Azure Key Vault: Create one via the Azure Portal or Azure CLI.
- ✔️ NuGet packages: Install Azure.Identity (authentication), Azure.Security.KeyVault.Secrets (the SecretClient used below) and Microsoft.Extensions.Configuration.Json (reads appsettings.json) in your .NET project:

```powershell
Install-Package Azure.Identity
Install-Package Azure.Security.KeyVault.Secrets
Install-Package Microsoft.Extensions.Configuration.Json
```
2️⃣ Creating an Azure Key Vault
Using Azure CLI

```shell
az login
az group create --name MyResourceGroup --location eastus
az keyvault create --name MyKeyVault --resource-group MyResourceGroup --location eastus
```

Key Vault names must be globally unique because they form the vault's DNS name, so replace MyKeyVault (and MyResourceGroup) with your own names.
3️⃣ Storing Secrets in Key Vault
Add a secret (e.g., a database connection string):

```shell
az keyvault secret set --vault-name MyKeyVault --name "DbConnectionString" --value "YourDatabaseConnectionString"
```
4️⃣ Granting Access to the App
Use Managed Identity (recommended) or Service Principal to authenticate.
Grant access using Azure CLI

```shell
az keyvault set-policy --name MyKeyVault --object-id <PRINCIPAL_OBJECT_ID> --secret-permissions get list
```

- Replace <PRINCIPAL_OBJECT_ID> with the object ID of your app's Managed Identity or Service Principal. `--object-id` expects the object ID, not the application (client) ID; for a Service Principal, `--spn <APP_ID>` accepts the application ID instead.
- This grants the app Get and List permissions on secrets. Reading a secret by name needs only `get`; add `list` only if the app enumerates secrets.
- If your vault uses the Azure RBAC permission model instead of access policies (the default when creating a vault in the portal), `set-policy` has no effect; assign the built-in "Key Vault Secrets User" role to the identity with `az role assignment create` instead.
5️⃣ Accessing Azure Key Vault from .NET
Set up configuration in appsettings.json

```json
{
  "AzureKeyVault": {
    "VaultUri": "https://MyKeyVault.vault.azure.net/"
  }
}
```
6️⃣ Reading Secrets from Key Vault in .NET
Create a simple .NET app that retrieves secrets.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;

class Program
{
    static async Task Main()
    {
        // Load the vault URI from appsettings.json (see step 5)
        var config = new ConfigurationBuilder()
            .AddJsonFile("appsettings.json")
            .Build();
        string vaultUri = config["AzureKeyVault:VaultUri"]
            ?? throw new InvalidOperationException("AzureKeyVault:VaultUri is not configured");

        // DefaultAzureCredential tries Managed Identity, environment variables,
        // Visual Studio / Azure CLI sign-in, etc. in order
        var client = new SecretClient(new Uri(vaultUri), new DefaultAzureCredential());

        // Fetch secret
        string secretName = "DbConnectionString";
        KeyVaultSecret secret = await client.GetSecretAsync(secretName);

        // Demo only: in a real application, use the value but do not write it to the console or logs
        Console.WriteLine($"Retrieved Secret: {secret.Value}");
    }
}
```
7️⃣ Explanation
- Loads configuration from appsettings.json.
- Uses DefaultAzureCredential (supports Managed Identity, Visual Studio authentication, etc.).
- Retrieves a secret from Azure Key Vault securely.
8️⃣ Authentication Methods
- Managed Identity (Recommended): Works best for Azure-hosted apps (App Service, VMs, etc.).
- Service Principal: Use ClientSecretCredential if running locally or in CI/CD pipelines.
- Interactive Login: Useful for development environments.
Example: Using ClientSecretCredential

```csharp
// Placeholders shown for clarity. In practice, read these from environment variables
// or the CI/CD pipeline's secret store; never commit the client secret to source control.
var clientId = "YOUR_CLIENT_ID";
var clientSecret = "YOUR_CLIENT_SECRET";
var tenantId = "YOUR_TENANT_ID";
var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);

// vaultUri is the value read from appsettings.json in step 6
var client = new SecretClient(new Uri(vaultUri), credential);
```
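The following added example (not code from the original guide) ties steps 4, 6 and 8 together: it selects the credential explicitly for each environment, turns the 403 and 404 failures that usually follow a missing access policy or a missing secret into actionable messages, and logs only secret metadata rather than the value. The KEYVAULT_AUTH_MODE, AZURE_KEY_VAULT_URI and AZURE_* environment variable names are assumptions of this example.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

static class KeyVaultAccess
{
    // Picks the credential for the current environment explicitly instead of letting
    // DefaultAzureCredential probe every option. KEYVAULT_AUTH_MODE and the AZURE_*
    // variable names are assumptions of this example, not settings Azure defines.
    public static TokenCredential SelectCredential() =>
        Environment.GetEnvironmentVariable("KEYVAULT_AUTH_MODE") switch
        {
            "ManagedIdentity" => (TokenCredential)new ManagedIdentityCredential(), // App Service, VM, Functions
            "ServicePrincipal" => new ClientSecretCredential(                      // CI/CD: injected by the pipeline, not source
                Require("AZURE_TENANT_ID"), Require("AZURE_CLIENT_ID"), Require("AZURE_CLIENT_SECRET")),
            _ => new DefaultAzureCredential()                                      // developer workstation (az login, Visual Studio)
        };
    static string Require(string v) =>
        Environment.GetEnvironmentVariable(v) ?? throw new InvalidOperationException($"{v} is not set");
    // Reads a secret and reports the two failures most often seen right after steps 3-4:
    // 403 (identity authenticated but lacks 'get' on this vault) and 404 (no such secret).
    public static async Task<KeyVaultSecret?> TryGetSecretAsync(SecretClient client, string name)
    {
        try { return await client.GetSecretAsync(name); }
        catch (RequestFailedException ex) when (ex.Status is 403 or 404)
        {
            Console.Error.WriteLine(ex.Status == 403
                ? $"Access denied for '{name}': grant the identity 'get' via access policy or RBAC role."
                : $"Secret '{name}' not found in the vault.");
        }
        catch (AuthenticationFailedException ex)
        {
            Console.Error.WriteLine($"Could not acquire a token: {ex.Message}");
        }
        return null;
    }

    static async Task Main()
    {
        var client = new SecretClient(new Uri(Require("AZURE_KEY_VAULT_URI")), SelectCredential());
        KeyVaultSecret? secret = await TryGetSecretAsync(client, "DbConnectionString");
        if (secret is null) return;
        // Log metadata only; the secret value itself never reaches the console or logs.
        Console.WriteLine($"Loaded '{secret.Name}' v{secret.Properties.Version}, expires {secret.Properties.ExpiresOn?.ToString() ?? "never"}");
    }
}
```

Run it with KEYVAULT_AUTH_MODE unset on a workstation after `az login`, or set it to ManagedIdentity on an Azure host whose identity was granted `get` in step 4.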
9️⃣ Deploying to Azure
- Enable Managed Identity for the app.
- Set Key Vault access policies for the app.
- Deploy and test.
Summary
- ✔ Secure storage for secrets, keys, and certificates.
- ✔ Easy authentication with DefaultAzureCredential.
- ✔ Supports multiple authentication methods (Managed Identity, Service Principal).
- ✔ Integrates seamlessly with .NET applications.