I'm trying to follow a pattern that works perfectly in a .NET Azure Function App, but fails for me using a .NET Azure App Service, and that is to read values from Azure Vault into my Configuration.

What works in my Function App

I have added the following NuGet packages:

<PackageReference Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.4.0" />
<PackageReference Include="Azure.Identity" Version="1.13.2" />

And in my host.settings.json file I have in the "Values" section:

"key": "@Microsoft.KeyVault(SecretUri=https://{vaultName}.vault.azure.net/secrets/{secretName}/)"

So in my code when I call configuration["key"] I get the secret.

What doesn't work in my App Service

I add the same NuGet packages and set up my appsettings.Development.json in a similar manner.

I also add the following to my Program.cs file:


builder.AddSecretClient(new Uri(configuration.GetValue<string>("KeyVault:BaseUrl")!));

string env = configuration.GetValue<string>("DOTNET_ENVIRONMENT") ?? "Production";
DefaultAzureCredentialOptions options = env switch
{
    "Development" => new()
    {
        ExcludeAzureCliCredential = true,
        ExcludeAzureDeveloperCliCredential = true,
        ExcludeAzurePowerShellCredential = true,
        ExcludeEnvironmentCredential = true,
        ExcludeInteractiveBrowserCredential = true,
        ExcludeManagedIdentityCredential = true,
        ExcludeSharedTokenCacheCredential = true,
        ExcludeVisualStudioCodeCredential = true,
        ExcludeVisualStudioCredential = false,
        ExcludeWorkloadIdentityCredential = true,
    },
    _ => new()
    {
        ExcludeAzureCliCredential = true,
        ExcludeAzureDeveloperCliCredential = true,
        ExcludeAzurePowerShellCredential = true,
        ExcludeEnvironmentCredential = true,
        ExcludeInteractiveBrowserCredential = true,
        ExcludeManagedIdentityCredential = false,
        ExcludeSharedTokenCacheCredential = true,
        ExcludeVisualStudioCodeCredential = true,
        ExcludeVisualStudioCredential = true,
        ExcludeWorkloadIdentityCredential = true,
    }
};

builder.UseCredential(new DefaultAzureCredential(options));

I can programmatically retrieve my secrets from Azure Vault, so I know the above is functionally correct.

However, if I try to pull the value directly from the configuration (which works for my Function App) then I get the literal string back @Microsoft.KeyVault(SecretUri=.....).

I'm obviously missing something, just not sure what...

asked Feb 13 at 18:41 by DrGriff

  • Try to set the keyvault reference in the Azure Environment Variable Section. – Aslesha Kantamsetti, commented Feb 14 at 4:46

1 Answer

I created an Azure App Service to retrieve the secrets from Azure Key Vault.

When the app is deployed to Azure App Service, secrets should be stored in appsettings.json for production, not in appsettings.Development.json, which is used for development environments.

If you add a Key Vault reference or secret to appsettings.json, the app treats it as plain text and does not automatically resolve the Key Vault reference.

It works for Azure Functions because Functions natively supports Key Vault references in appsettings.json or host.settings.json.

For Azure App Service, define the Key Vault reference in the App Settings of the Azure Web App.

Azure Web App -> Environment variables -> App setting -> Add.

Name: SecretName
Value: @Microsoft.KeyVault(SecretUri=https://<AzureKeyVaultName>.vault.azure.net/secrets/<secretName>)

Azure Output: [screenshot not reproduced]
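An added example, not part of the original question or answer: the Azure.Extensions.AspNetCore.Configuration.Secrets package from the question provides a configuration provider, so registering it in Program.cs makes vault secrets readable through configuration["..."], and a startup check can reject any value that still holds the literal @Microsoft.KeyVault(...) string. It assumes an ASP.NET Core minimal-hosting project with implicit usings and the question's KeyVault:BaseUrl setting; FindUnresolvedReferences is a hypothetical helper name.

```csharp
// Added example: load Key Vault secrets into IConfiguration and fail fast on
// unresolved "@Microsoft.KeyVault(...)" references. Not code from the original post.
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);

// "KeyVault:BaseUrl" is the setting name used in the question,
// e.g. https://{vaultName}.vault.azure.net/
string? vaultUrl = builder.Configuration["KeyVault:BaseUrl"];
if (!string.IsNullOrWhiteSpace(vaultUrl))
{
    // Provider from Azure.Extensions.AspNetCore.Configuration.Secrets.
    // Added last, so vault values override appsettings*.json entries.
    // A secret named "Smtp--Password" is exposed as "Smtp:Password".
    builder.Configuration.AddAzureKeyVault(
        new Uri(vaultUrl),
        new DefaultAzureCredential());
}

// Outside the platform's App Settings, a reference string is just text.
// Refuse to start rather than hand that text to a client as a "secret".
List<string> unresolved = FindUnresolvedReferences(builder.Configuration).ToList();
if (unresolved.Count > 0)
{
    // Report key names only; never write configuration values to logs.
    throw new InvalidOperationException(
        "Unresolved Key Vault references: " + string.Join(", ", unresolved));
}

var app = builder.Build();
app.MapGet("/healthz", () => "ok");
app.Run();

// Hypothetical helper: returns the keys whose value is still a literal reference.
static IEnumerable<string> FindUnresolvedReferences(IConfiguration config) =>
    config.AsEnumerable()
          .Where(kv => kv.Value is not null &&
                       kv.Value.TrimStart().StartsWith(
                           "@Microsoft.KeyVault(",
                           StringComparison.OrdinalIgnoreCase))
          .Select(kv => kv.Key);
```

The identity that DefaultAzureCredential resolves to needs permission to list and get secrets on the vault, because the provider enumerates secrets at startup.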

Tags: Retrieving secrets from Azure Vault in an Azure App Service (Visual Studio) - Stack Overflow