Securing PaaS – Migrating web.config settings to Azure Key Vault

Synopsis: In this exercise, attendees will learn how to migrate a web application to use Azure Key Vault rather than storing valuable credentials (such as connection strings) in application configuration files.

Task 1: Create an Azure Key Vault secret

  1. From the extracted GitHub directory, open the \WebApp\FourthCoffeeAPI_KeyVault\FourthCoffeeAPI.sln solution.
  2. Switch to your Azure Portal.
  3. Select Key Vaults, then select your Azure Key Vault.
  4. Select Secrets, then select +Add.
  5. For the Upload Options, select Manual.
  6. For the Name, enter FourthCoffeeAPI.
  7. For the Value, copy the connection string information from the FourthCoffeeAPI solution web.config file on line 77.
  8. Select Create.
  9. Select Secrets.
  10. Select FourthCoffeeAPI.
  11. Under Version, select the current version.
  12. Copy and record the secret identifier URL for later use.

Task 2: Create an Azure Active Directory application

  1. Select Azure Active Directory, then select App Registrations.
  2. Select +New application registration.
  3. For the name, enter AzureKeyVaultTest.
  4. For the Sign-on URL, enter http://localhost:12345
  5. Select Create.
  6. Select the new AzureKeyVaultTest application.
  7. Copy and record the Application ID for later use.
  8. Copy and record the Object ID for later use. Both the Application ID and the Object ID are shown in the Registered app blade.
  9. Select Settings.
  10. Select Keys.
  11. For Description, enter FourthCoffeeAPI.
  12. For Expires, select In 1 year.
  13. Select Save. The new key appears in the Passwords section with its Description, Expires, and Value columns.
  14. Copy and record the key value for later use.

Task 3: Assign the new Application Azure Key Vault permissions

  1. Switch back to Azure Portal and select your Azure Key Vault.
  2. Select Access Policies.
  3. Under Settings, select Access policies, then select +Add New.
  4. Select Select principal, enter AzureKeyVaultTest.
  5. Select the application service principal, click Select.
  6. Select the Secret permissions drop down and check the Get and List permissions. The policy summary should show 0 key permissions, 2 secret permissions and 0 certificate permissions.
  7. Select OK.
  8. Select Save.

Task 4: Install NuGet packages

  1. Switch to Visual Studio.
  2. In the menu, select View->Other Windows->Package Manager Console.
  3. In the new window that opens, run the following commands (NOTE that these already exist in the project but are provided as a reference):

     a. Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.16.204221202

     b. Install-Package Microsoft.Azure.KeyVault

  4. From Solution Explorer, double-select the web.config file to open it.
  5. Notice that the appSettings section has some token values.
  6. Replace the values as follows:

     a. ClientId: Replace with the Application ID value copied in Task 2, Step 7.

     b. ClientSecret: Replace with the FourthCoffeeAPI key value copied in Task 2, Step 14.

     c. SecretUri: Replace with the Azure Key Vault secret identifier URI copied in Task 1, Step 12.

  7. Save Web.config.

Task 5: Test the solution

  1. In the web.config, delete the connectionString from the file at line 78.
  2. Save the web.config file.
  3. Open the global.asax.cs file and place a breakpoint at line 31.
  • NOTE: This code makes a call to get an accessToken as the application you set up above, then makes a call to Azure Key Vault using that accessToken.
  4. Run the solution by pressing F5.
  5. You should see that you execute a call to Azure Key Vault and get back the secret (which in this case is the connection string to the Azure Database). In global.asax.cs, execution stops at the EncryptSecret = sec.Value line.
  6. Press F5 again and navigate to http://localhost:[PORT-NUMBER]/api/CustomerAccounts; you should see your data displayed.
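The token-then-secret flow that Tasks 4 and 5 describe, written out as an added example (not the lab's global.asax.cs code). It assumes the three appSettings keys from Task 4 (ClientId, ClientSecret, SecretUri) and the two NuGet packages installed there; the class and method names are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Hypothetical helper: loads the connection string from Key Vault instead of web.config.
public static class KeyVaultConnectionStringLoader
{
    // Assumption: these keys match the appSettings tokens replaced in Task 4, Step 6.
    private static readonly string ClientId = ConfigurationManager.AppSettings["ClientId"];
    private static readonly string ClientSecret = ConfigurationManager.AppSettings["ClientSecret"];
    private static readonly string SecretUri = ConfigurationManager.AppSettings["SecretUri"];

    // ADAL callback that KeyVaultClient invokes whenever it needs a bearer token.
    // Authenticates as the AzureKeyVaultTest app registration (client credentials grant),
    // so only the service principal's Get/List secret permissions from Task 3 apply.
    private static async Task<string> GetAccessToken(string authority, string resource, string scope)
    {
        if (string.IsNullOrEmpty(ClientId) || string.IsNullOrEmpty(ClientSecret))
            throw new ConfigurationErrorsException("ClientId/ClientSecret missing from appSettings");

        var authContext = new AuthenticationContext(authority);
        var credential = new ClientCredential(ClientId, ClientSecret);
        AuthenticationResult result = await authContext.AcquireTokenAsync(resource, credential);

        if (result == null || string.IsNullOrEmpty(result.AccessToken))
            throw new InvalidOperationException("Failed to obtain an access token for Key Vault");
        return result.AccessToken;
    }

    // Fetches the FourthCoffeeAPI secret created in Task 1 and returns its value
    // (the connection string) without it ever being written to web.config.
    public static async Task<string> LoadConnectionStringAsync()
    {
        if (string.IsNullOrEmpty(SecretUri))
            throw new ConfigurationErrorsException("SecretUri missing from appSettings");

        var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken));
        var sec = await kv.GetSecretAsync(SecretUri);   // GET on the secret identifier URL
        return sec.Value;
    }
}

// In Global.asax.cs Application_Start (synchronous startup), for example:
//   string connStr = KeyVaultConnectionStringLoader.LoadConnectionStringAsync()
//                        .GetAwaiter().GetResult();
```

The ClientSecret still lives in web.config, so the application's access to the vault hinges on protecting that one value; the exercise limits the blast radius by granting the service principal only Get and List on secrets.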

About engsoon

Eng Soon is a 4-time Microsoft MVP and has nearly 5 years of experience building enterprise systems in the cloud. He is also Microsoft Azure certified. Eng Soon has strong technical and analytical skills. As a developer, besides development tasks, he is also involved in project management, consulting, and marketing. He has a passion for technology and for sharing what he learns with others to help them learn faster and be more productive. He has also spoken at many nationwide technical events, such as conferences, meetups and workshops. He is currently looking for an opportunity in cyber security, including cloud security and application security.
