Read WebApp connection string credentials from Keyvault

Viswanathan Madhavan 0 Reputation points
2023-03-28T18:19:17.81+00:00

I have hosted an ASP.NET Web Forms web app in Azure. Right now the password of the backend DB is being exposed in the connection string. Is there a way to read it through Azure Key Vault?

Please share your recommendations. Thanks in advance.


3 answers

  1. Sedat SALMAN 14,065 Reputation points MVP
    2023-03-28T18:28:57.1966667+00:00

    Yes, it is recommended to store sensitive data such as database connection strings, passwords, and keys in Azure Key Vault instead of hard-coding them in your application code or configuration files. Here are the high-level steps to accomplish this:

    1. Create an Azure Key Vault and grant your Azure web application permission to access it. You can do this in the Azure portal by creating an access policy and assigning it to your web application's service principal.
    2. Store the database password in Azure Key Vault as a secret. You can do this in the Azure portal or using Azure CLI or PowerShell.
    3. Modify your web application to read the database password from Azure Key Vault. You can use the Azure Key Vault client library for .NET to do this. Here is some sample code:
    
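    // Requires the legacy Microsoft.Azure.KeyVault and ADAL
    // (Microsoft.IdentityModel.Clients.ActiveDirectory) packages.
    using System;
    using Microsoft.Azure.KeyVault;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    // The statements below use await, so they must run inside an async method.
    // The client invokes this callback whenever it needs an Azure AD access token.
    var keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(
            async (authority, resource, scope) =>
            {
                var authContext = new AuthenticationContext(authority);
                var credential = new ClientCredential(clientId, clientSecret);
                var result = await authContext.AcquireTokenAsync(resource, credential);

                if (result == null)
                {
                    throw new InvalidOperationException("Failed to obtain the JWT token");
                }

                return result.AccessToken;
            }));

    // Full secret identifier, including the version to read.
    var secretUri = $"https://{keyVaultName}.vault.azure.net/secrets/{secretName}/{secretVersion}";
    var secret = await keyVaultClient.GetSecretAsync(secretUri);
    // connectionStringTemplate is expected to hold a {0} placeholder for the password.
    var connectionString = string.Format(connectionStringTemplate, secret.Value);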

    In this code, keyVaultClient is an instance of the KeyVaultClient class from the Azure Key Vault client library. clientId and clientSecret are the client ID and client secret of the Azure AD application that has permission to access the Key Vault. secretName and secretVersion are the name and version of the secret that contains the database password.


  2. ajkuma 27,256 Reputation points Microsoft Employee
    2023-03-29T12:01:50.2166667+00:00

    @Viswanathan Madhavan ,

    Based on your issue description, you want to read WebApp connection string credentials from Key Vault; this is a recommended approach.

    I believe you have hosted the Azure WebApp on an Azure App Service. If you have provisioned your webapp on some other Azure service, please let me know.

    Yes, you can use Azure Key Vault to store your database password and retrieve it in your web app. You can follow the steps in this tutorial to configure your Azure web app in an ASP.NET Core application to read a secret from your key vault.

    Here are the high-level steps you can follow:

    1.    Create an Azure Key Vault and store your database password as a secret in the key vault.

    2.    Grant your web app access to the key vault.

    3.    Modify your web app to access the key vault and retrieve the secret.

    Check out this doc for more info: Tutorial: Use a managed identity to connect Key Vault to an Azure web app in .NET

    Additionally, in Azure App Service, app settings are used to store configuration values that are passed to your application as environment variables. You can use app settings to store a wide range of configuration values, such as database connection strings (in your case), API keys, and other secrets.

    App settings can also be resolved from Key Vault using Key Vault references. See this doc section for more info: Configure app settings.

    Kindly let us know how it goes; we will follow up with you further.

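The managed-identity route from the answer above, as an added example that is not part of the answer or of Microsoft's tutorial code. It uses the current Azure.Identity and Azure.Security.KeyVault.Secrets packages, so no client secret has to be stored with the app. The setting key `KeyVaultUri`, the secret name `SqlDbPassword` and the connection string name `AppDb` are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class DbConnectionFactory
{
    // Hypothetical names: replace with your own setting key, secret and entry.
    private const string VaultUriSetting = "KeyVaultUri";       // https://<vault>.vault.azure.net/
    private const string PasswordSecretName = "SqlDbPassword";
    private const string ConnectionName = "AppDb";              // web.config entry WITHOUT a password

    // Fetched once per app domain; restart the app to pick up a rotated secret.
    private static readonly Lazy<string> Cached = new Lazy<string>(BuildConnectionString);

    public static SqlConnection Create()
    {
        return new SqlConnection(Cached.Value);
    }

    private static string BuildConnectionString()
    {
        var vaultUri = new Uri(ConfigurationManager.AppSettings[VaultUriSetting]);

        // On App Service this picks up the app's managed identity; on a
        // developer machine it falls back to the signed-in developer account.
        var client = new SecretClient(vaultUri, new DefaultAzureCredential());

        // No version given: Key Vault returns the latest version of the secret.
        KeyVaultSecret secret = client.GetSecret(PasswordSecretName).Value;

        string template = ConfigurationManager.ConnectionStrings[ConnectionName].ConnectionString;
        var builder = new SqlConnectionStringBuilder(template)
        {
            Password = secret.Value,
            PersistSecurityInfo = false, // keep the password out of SqlConnection.ConnectionString after Open()
            Encrypt = true
        };
        return builder.ConnectionString;
    }
}
```

The identity needs only read ("get") access to secrets in the vault, and the returned connection string should never be written to logs or error pages.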

  3. Brickman 0 Reputation points
    2023-11-16T17:28:16.9366667+00:00

    For Azure App Services, you can modify the configuration for the app to add the connection string as the URI to the Key Vault. Adding this as a task in the pipeline is also recommended. So the whole connection string is stored in the Key Vault using "A-ConnectionString" for the key. Use @Microsoft.KeyVault(SecretUri=https://$(Some).vault.azure.net/secrets/$(A-ConnectionString)) for your value.

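A startup check for the Key Vault reference approach described above, as an added example that is not part of the answer. It assumes that App Service passes the literal `@Microsoft.KeyVault(...)` text through to the app when it cannot resolve a reference, and that App Service connection strings override the matching `<connectionStrings>` entry in Web.config; the class name and the connection string name passed in are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;

public static class ConnectionStringGuard
{
    private const string ReferencePrefix = "@Microsoft.KeyVault(";

    // Call once from Application_Start, e.g. ConnectionStringGuard.GetResolved("AppDb"),
    // so a misconfigured reference fails the deployment instead of the first query.
    public static string GetResolved(string name)
    {
        ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings[name];
        if (entry == null || string.IsNullOrWhiteSpace(entry.ConnectionString))
        {
            throw new ConfigurationErrorsException(
                "Connection string '" + name + "' is not configured.");
        }

        string value = entry.ConnectionString.Trim();

        // Unresolved reference: missing managed identity, no access to the
        // vault, or a wrong secret URI. The app would otherwise hand this
        // literal text to SqlConnection.
        if (value.StartsWith(ReferencePrefix, StringComparison.OrdinalIgnoreCase))
        {
            throw new ConfigurationErrorsException(
                "Connection string '" + name + "' is an unresolved Key Vault reference. " +
                "Check the app's identity, its access to the vault and the secret URI.");
        }

        try
        {
            var builder = new SqlConnectionStringBuilder(value);
            if (string.IsNullOrEmpty(builder.DataSource))
            {
                throw new ArgumentException("Data Source is missing.");
            }
        }
        catch (ArgumentException)
        {
            // Report the entry name only; the value may contain the password.
            throw new ConfigurationErrorsException(
                "Connection string '" + name + "' is not a valid SQL connection string.");
        }

        return value;
    }
}
```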
