Integrate an ASP.NET Core Web App with Azure Key Vault

Mike Pfeiffer on December, 31, 2019

In this guided hands-on lab I walk you through integrating an Azure Key Vault resource with an ASP.NET Core web app running in Azure App Service.

You don't need to be a developer to follow along with this lab!

Here's what we'll be doing in this video:

  • Create Key Vault Resource
  • Add Secrets to the Key Vault
  • Provision Web App Infrastructure
  • Create a Managed Service Identity
  • Build an ASP.NET Core Web App
  • Deploy and Validate the Web App

This lab is designed for both developers and operations engineers who are looking to gain more hands-on practice with Azure. I hope you enjoy it!

Full Transcript:

Mike Pfeiffer:
So the first thing we want to do here for this lab is build a Key Vault resource here in the Azure cloud. So what I’ll do is go to create a new resource in the portal and I’m going to search for Key Vault. Now obviously we could build this resource through code, but I want to be able to explain some of the basics of the Key Vault. And this is easier to do when you can see what’s going on. So the first thing we need to do is put this Key Vault resource in a resource group. So what I’ll do is I’ll create a new resource group and we’re going to give this a name and we’ll say this is our Key Vault resource for the development environment, so I’ll use this naming convention here, Key Vault Dev RG, say okay to that. And then we need to give the Vault a name and you’ll notice here on this informational icon that the vault name must contain alphanumeric characters and dashes and it cannot start with a number.

Mike Pfeiffer:
The reason for that is the vault name is going to be part of the host name, the public DNS host name, so we can work with the REST API for Key Vault and what we’re going to do here is just kind of follow a naming convention. I’ll use CS as kind of like an indicator. That’s my company, CloudSkills, as kind of the first part of this and then we’ll say this is a Key Vault resource for our development environment -001. So that makes it completely unique in terms of global DNS. And then what I’ll do here is I’ll just put this Key Vault resource in close proximity to where I’m at.

Mike Pfeiffer:
Finally, the pricing tier is standard. That’s what we’re going to go with. The premium version of course you pay more money. That gives you the ability to use HSM backed keys. HSM is hardware security modules and so the idea what that is that you’re encrypting your keys and your secrets in the vault using a hardware module to do that encryption. We’re just going to go with standard because that’s going to give us the security that we need. And in terms of an access policy, if we click next here, my accounts, the owner of this Azure account is going to be the person that has full control for now. Later on I’ll show you how to delegate access to your application to this resource. That’s all we need to do. Let’s go ahead and review and create [inaudible 00:01:46] our validation to make sure that we didn’t mess anything up. That looks good. Let’s go ahead and create this resource, and this’ll take just a second. So let’s give this thing time to run.

Mike Pfeiffer:
Okay, and about 60 seconds later I now have a Key Vault resource, so I’m going to head over to this resource just to take a look and everything looks good. We can see that we’ve got a DNS name here. That’s what we use in our code to interact with the Key Vault resource. Let’s move to the next video and I’ll show you how to add a secret into this Key Vault. So far we’ve got our Key Vault infrastructure set up and ready to go and all we need to do is start adding secrets in here that we could work with in our application code. So I’m going to go over to secrets on the left hand side. I’m going to generate or imports and this upload option is going to be manual. What we’re going to do here is manually provide the secret name and the value.

Mike Pfeiffer:
We can also put certificates here in the Key Vault as well, but let’s do it and do this. Let’s say that this is going to be some kind of secret we’re going to use in our application. It’s going to be a password. So we’ll say this is my password, that’s the name of the secret and then the value of course is going to be some kind of super-secret value. I’m just going to type in something like password 01. And so obviously this value is something that we want to keep out of the plain text of our source code. We don’t want this password going into version control and we want to be able to change the password without recompiling our code. So leveraging this secret from the vaults will do all those things for us. Let’s go ahead and create this secret. And then what we can do here is programmatically access this as a test and we can just do this from the cloud shell. So if we hit the icon up here, it’s going to bring up the cloud shell.

Mike Pfeiffer:
We’re going to maximize this so we can see what’s going on in here. And then let’s make sure that the font is a little bit larger. And now that we’re in here, we can start issuing commands to work with any Azure service. So let me clear the screen and let’s run a AZ Key Vault with minus H to get the help. So you can see that when you run the AZ Key Vault command, there’s subcommands and there’s these other commands here, like if we wanted to create a Key Vault or delete one, what we want to work with is subgroups, we want to work with the secret subcommand here. So using the help flag or the minus H flag gives us the ability to see how to work with the command line tool here and how to work with the specific commands that we’re going to need. And since we know that there is a secret subcommand shown there, let’s try this, let’s do a clear, and we’ll arrow back up and we’ll say let’s do help on that subcommand.

Mike Pfeiffer:
So when we run AZ Key Vault secret, what’s the syntax from there? So now we can see that the secrets subcommand also has commands. Like we could do backups, we could delete, we can list out everything that’s out there and then we could show a specified secrets from a given Key Vault. So that’s kind of interesting. Let’s clear the screen. Let’s take another look here. We’ll do some help on the show command that sits underneath the secret subcommand. And then you can see like the arguments that we’re going to need to supply. So we need to supply the ID of the secret that we’re looking for, or the name, and then we need to specify the vault name. And so that’s a great part about the CLI is you can literally just kind of step your way through all of these commands to figure out the syntax.

Mike Pfeiffer:
But reading the help here, I should be able to do this. I should be able to up arrow to my previous command. Let’s get rid of the minus H and then we’ll do a dash in, like they’re saying here in the help, or the name of the secret, which was my password. And then the vault name, which is CS-KV-dev-001. So let’s go ahead and hit enter on that command and you can see that I get back a response. And down here in the value property of this JSON object, you can see that I’ve got my super sophisticated and secure password that was retrieved from the vault. So again, cool thing with this is that I could change this password in the vault and my code can just go out and ask for the current value of my password.

Mike Pfeiffer:
So now that we’ve seen how to create the Key Vault resource, we understand how to work with the secrets a little bit, let’s move to the next video. We need to deploy some web application infrastructure that we’re going to use the test all of this out. Let’s go ahead and build the web app infrastructure that we’re going to need to support this hands-on lab. So in the Azure portal, let’s go over to app services and we’ll build a brand new app service. So we’re going to need an app service plan and a web app resource running on top of that. And let’s go ahead and put this in a new resource group as well. So we’ll separate our Key Vault resources from our web app resources. So for our resource group, we’ll say this as far web apps for development. And just like with the Key Vault, we need to specify a unique host name under, in this case, azurewebsites.net. So the application itself needs a unique name. So I’m going to use my company code.

Mike Pfeiffer:
So it’s going to be webapp-001 for the development environment. And so that looks good. And moving down the list here for the runtime stack, I’m going to go ahead and pick .NET Core 2.2, we’ll do Windows here. And then for the region I’m going to hit the dropdown and I’m going to pick West US 2 to stay consistent. And then down here this is going to build the app service plan for me. Now notice that it’s giving this thing kind of a crazy name. Let me click on this, create new. And so in here I’ll follow the same kind of naming patterns. So I’ll do my company code. This is going to be the app service plan for development -001 and that looks good. And probably what I want to do here is follow the same kind of convention.

Mike Pfeiffer:
I should’ve done this, and this actually doesn’t really matter. I’m just trying to stay consistent. So no matter what you do just make sure that you have a consistent naming convention for your resources in Azure documentation. They fully tell you everything that you should think about in terms of naming your resources. But beyond that, checking out the skew size here for this app service plan, the infrastructure that’s powering our code, you can see it’s a standard S1 and that’s basically the minimum app service plan type that we want for a production application. It’s probably a little bit heavy-handed for this lab, but this will give us the capabilities to do some interesting things. So let’s go ahead and stick with that. And then hitting next here, I’m just going to turn off monitoring for now. So let’s go ahead and review and create this web application resource, so build our first web app and app service plan.

Mike Pfeiffer:
Then of course we could stack more web applications on top of the app service plan that’s going to get built as part of this process. But this should only take a minute or so. So let’s let this run and then we’ll check out one more thing before we move on to the next step. Okay, and after a couple of seconds here, you can see the deployment has succeeded and let’s head over to this web application resource. And we should see up here on the top right of eventually, there it is, we see the URL for the web application. So we can click that URL, go off, take a look. Everything is working so far. So we’ve got our web application infrastructure, we’ve got our Key Vault infrastructure. The next step in this lab is to make sure that app service can actually talk to the Key Vault infrastructure. Let’s move on to the next video and we’ll set that up.

Mike Pfeiffer:
So let’s take a look at the resources we deployed so far. So looking in my resource groups, this original resource group was just for the cloud shell. This one here of course is for my Key Vault infrastructure. If we take a look in here, you can see we’ve got one resource, that’s the Key Vault. And then going back, taking a look at the web apps resource group, we’ve got an app service plan and then the web application resource that’s running on top of that app service plan. So the big question is, how do we get to the app service environment permissions to talk to the Key Vault? And one of the easiest ways to do this… There’s actually a couple of different ways we could do this, but one of the easiest ways is to go into the web application properties and set up something called a managed service identity.

Mike Pfeiffer:
So you’ll see this under settings in here in your web application properties. So notice here that it says a system assigned managed identity enables Azure resources to authenticate the cloud services like the Key Vault without storing credentials in code. So this is going to give us essentially like a service account. So we’ll turn this on, click on save and say yes and then we can delegate permissions to this managed identity to access the Key Vault. Then our application can run under that security context. And again, we have nothing hard coded in our application code. So now that that built a resource, a managed identity resource that’s now registered with Azure AD, we could go to the Key Vault. Let’s go back to resource groups, head into the Key Vault, and inside the Key Vault we could go to access policies under settings. So this is where we would set up the permissions.

Mike Pfeiffer:
So right now as the account owner, I’m the only person that can work with the Key Vault. So let’s add an access policy. We’ll go ahead and configure from a template and all we want to do is work with secrets. We want to be able to pull secret values out of the Key Vault. We’re not working with encryption keys or anything like that, just secrets. And then taking a look here, when you’re using the secret management template, it’s going to turn on all these options. Now one of the things we want to do in the cloud, and really in IT anywhere, is implement the principle of least privilege. So if my application simply needs to be able to retrieve a secret and its value, I don’t need to turn on all these other things like changing it, deleting the value or deleting the key itself, doing these backup recoveries. We just want get and list. That’s all the application needs to do in this scenario.

Mike Pfeiffer:
Now the last piece to this access policy is picking the security principle that’s going to have access. So if we come in here and start looking around, we could browse for it, but I can also type in the first couple characters. Remember I called my web app CS web app dev 001. So this is the managed identity, basically the service account that was generated for the web application when we created the managed service identity. And this is going to be the way that we add capabilities and permissions to that application to access the Key Vault. So last critical piece to this step here, notice you’ve got to click the save button. Seems obvious, but sometimes that’s an easy thing to miss and everything’s good. So now that all of our infrastructure is in place, we’ve got everything we need.

Mike Pfeiffer:
Let’s go to the next step and we’ll set up an application that we can eventually deploy here into Azure. Let’s take a look at this .NET Core web application that we’re going to use to test out Key Vault integration with ASP.NET Core. So here in GitHub under the Azure samples accounts, there is this repository called key-vault-dotnet-core-quickstart. There’s going to be a link to this just below this video on a page where you’re watching this video. But if you want, you can always just Google for this. This is the public repository and this is an open source sample project built by Microsoft. So we’re going to use this code and what we’re going to do here is click the cloner download button. We’re going to get the clone URL to work with this repository.

Mike Pfeiffer:
So on my Mac, now that I’ve got that, I’m going to head over here to the terminal. I’m going to start in an empty folder and I’m going to do a get clone on that repository. So after we clone that, we’ll take a look. We can switch into the Key Vault folder here and inside that folder you can see that we’ve got a solution with a couple of different projects. There’s one here, this is basically a console application. This is the web application project. So let’s go ahead and switch into the Key Vault folder there and then we’ll clear the screen so we can see what we’re working with here. And so we do a listing. This is just an ASP.NET Core Razor Pages web application. And so let’s open this in Visual Studio code. So I’ll type code and then a space and then a period for the current folder. And then when this comes up, it asks us to restore our dependencies and all of our required assets. So let’s click on that to restore.

Mike Pfeiffer:
Now that we’ve got that set up, let’s go ahead and close this and let’s take a look at this startup file for this application. So here in startup.cs everything looks pretty normal here. We’ve got our configure method, nothing fancy going on in here. We’ve got NVC supports. But if we take a look at program.cs and take a look at the static build web host method here, you can see that as we’re setting up the application, we’re basically injecting the configuration for Azure Key Vault. And so one of the things we first need to do for this code, and I’ll talk a little bit about this here, is we need to plug it in the Key Vault URL or the host name here for the Key Vault resource that we’ve got. So to refresh your memory, going back over the portal, remember that I called mine CS-KV-dev-001. And again navigating to the resource and looking at the DNS [day and 00:13:38] that’s really what we’re looking for here and this is going to obviously tell the application how to work with our Key Vault resource.

Mike Pfeiffer:
So I’m just going to update this. And then of course that’s going to be a static method that’s going to return the Key Vault URL and that’s actually being used here as we’re configuring the host for the application here. Now the key to making this work is when you’re running the AD Azure Key Vault method, we’re passing in the inpoint, so the URL and then an instance of the Key Vault client. As you can see here that we’re creating a new Key Vault client, we’re setting up this callback, and this is going to basically power and be the way that the managed service identity is able to authenticate to the Key Vault. Typically when you’re doing an AD Azure Key Vault here, you provide the inpoints. And if you were using a callback like this and a managed service identity, you would also provide the username and password as parameters.

Mike Pfeiffer:
But we’re not going to need that because we’re doing a managed service identity. So that looks good. So I’m going to save that. And then I’m going to go into the pages and look at the about view. And you’ll notice here that they’re rendering some information when somebody goes to the about page. If we look at the code for this, we can see that we’re using ASP.NET Core configuration to get a secret on line 23 here out of the Key Vault. So my secret was actually called my password. So I’m going to update that here. And this is one of the things that’s insanely cool about .NET core, because when you work with ASP.NET Core configuration, you can get values out of app settings in Azure app service. And in this case obviously we’re going to be working with Key Vault values. So this is insanely cool. So this looks good, everything is saved, everything’s been updated, and now what we could do is deploy this application into Azure and we’ll take a look at that step in the next video in this lab.

Mike Pfeiffer:
So when it comes to deploying this sample application, if you’re using Visual Studio, you can just publish right out of Visual Studio. I’m going to publish here inside Visual Studio code. Over on the left hand side you can see that we’ve got the Azure icon here. I’ve got the app service extensions all installed, I’m signed into Azure, you could see down here. If you’re setting all this up for the first time, you could go to the command palette and then you could actually type in here Azure, sign into the Azure cloud. Basically what’ll happen is a browser will open up, you’ll need to type in a code to authenticate, and then you’ll be connected. So I’ve already done that and you can see that now that I’m on this Azure icon, I’ve got the app service extension and I could just go deploy this application.

Mike Pfeiffer:
So when I click on deploy, I can pick a folder that I’m in or I can also browse. This was the code folder that we’re working with, so that looks good. Let’s click on select. Go and click on add config here. And then what we’re going to do is we’re going to deploy to an existing web app. So the one that I built a couple of steps ago, CS web app dev 001. So we’ll go ahead and say yes, we’re going to deploy, we’re going to overwrite whatever is there, and then we’ll just go ahead and tell Visual Studio code, “Yeah, we’re going to always deploy to that resource.” So let’s give this a second to deploy and then we’ll take a look at what happens next.

Mike Pfeiffer:
All right, and after a minute or so, you could see down on the bottom rights it says the deployment was complete and now we can browse to the website. So let’s click on browse, open this link and here we see this basic web application interface. And remember, if we go to the about page, we’re supposed to see the value and there we go. We actually see password 2001 and of course the application was able to do this because the managed service identity was used by ASP.NET Core configuration to go out and get that value out of the Key Vault. Now this isn’t the only way for you to integrate ASP.NET Core with Azure Key Vault. There’s actually something called Key Vault references, an app service that could be leveraged and that’s in preview right now and we’ll take a look at that in a later lab. Let’s move to the last clip in this hands-on lab and we’ll clean up the environment.

Mike Pfeiffer:
Now that we’ve completed the lab, the last thing that we need to do is go in and clean up all the resources. So if you’re using the cloud shell, you might not want to delete your resource group that contains the storage for your cloud shell, as you might need that again. But we’re going to go ahead and delete both resource groups. So we’ll delete the one for the Key Vault. And then what we’ll do is delete the one for the web apps. So this’ll nuke everything that’s in there, the web apps, the app service plan, all that kind of stuff. So it looks good. And now we’ve got a delete firing off of those and now we’ve cleaned up the environment. So that brings us to the end of this hands-on lab of integrating an ASP.NET Core web application with the Azure Key Vault.

Weekly Updates Delivered to Your Inbox

Subscribe to CloudSkills Weekly and get access to exclusive training, updates on industry trends, and advice to amplify your cloud career.