Azure Key Vault Secrets configuration provider for Microsoft.Extensions.Configuration

The Azure.Extensions.AspNetCore.Configuration.Secrets package allows storing configuration values using Azure Key Vault Secrets.

Getting started

Install the package

Install the package with NuGet:

dotnet add package Azure.Extensions.AspNetCore.Configuration.Secrets


You need an Azure subscription and Azure Key Vault to use this package.

To create a new Key Vault, you can use the Azure Portal, Azure PowerShell, or the Azure CLI. Here's an example using the Azure CLI:

az keyvault create --name MyVault --resource-group MyResourceGroup --location westus
az keyvault secret set --vault-name MyVault --name MySecret --value "hVFkk965BuUv"

Azure role-based access control

When using azure role-based access control, the identity you are authenticating has to have the "Key Vault Reader" and "Key Vault Secrets User" roles. The "Key Vault Reader" role allows the extension to list secrets while the "Key Vault Secrets User" allows retrieving their values.

az role assignment create --role "Key Vault Reader" --assignee {i.e} --scope /subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}
az role assignment create --role "Key Vault Secrets User" --assignee {i.e} --scope /subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}

Key concepts

Thread safety

We guarantee that all client instance methods are thread-safe and independent of each other (guideline). This ensures that the recommendation of reusing client instances is always safe, even across threads.

Additional concepts

Client options | Accessing the response | Long-running operations | Handling failures | Diagnostics | Mocking | Client lifetime


To load initialize configuration from Azure Key Vault secrets call the AddAzureKeyVault on ConfigurationBuilder:

ConfigurationBuilder builder = new ConfigurationBuilder();
builder.AddAzureKeyVault(new Uri("<Vault URI>"), new DefaultAzureCredential());

IConfiguration configuration = builder.Build();

The Azure Identity library provides easy Azure Active Directory support for authentication.

Next steps

Read more about configuration in ASP.NET Core.


This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact with any additional questions or comments.