DEV Community

Cover image for Preventing Leaked Secrets in Azure
Emily Freeman for Microsoft Azure

Posted on

Preventing Leaked Secrets in Azure

We've selected our favorite tips and tricks created by Michael Crump and are delivering fresh technical content on Azure all April! Miss a day (or more)? Catch up with the series.

Don't have Azure? Grab a free subscription.


Preventing Leaked Secrets with .NET Core

I think almost everyone has committed a secret, key or password to git at some point in their development careers. I definitely have. And if you think you haven't, go double-check.

It sucks. And it's easy to do.

Azure's solution for secrets management is Azure Key Vault.

But what if you wanted to roll your own solution? We're engineers after all...

Rolling Your Own Secret Manager

Azure Key Vault is cheap but not completely free. And there is an overhead of learning the service. (Though I'd argue it's extremely simple.)

Secret Manager is a Microsoft solution for storing sensitive data during the development of an ASP.NET Core project.

Information is always stored in the user profile directory such as %APPDATA%\microsoft\UserSecrets\<userSecretsId>\secrets.json
for Windows or ~/.microsoft/usersecrets/<userSecretsId>/secrets.json for Mac/Linux.

This means if other folks want to get your key store, they can target those directories b/c the JSON file is unencrypted. Not that my version is encrypted, it just isn’t stored in the user profile directory.

Preventing Problematic Pushes

If you work in .NET Core, you can prevent an accidental push of sensitive data to GitHub.

Step 1

Create a new .NET Core App in Visual Studio.

Step 2

Add a file called appSecrets.json and define a couple of secrets that you don’t want released.

{
  "ConnectionStrings": {
    "BitlyAPI": "A_BITLY_API_KEY",
    "StorageAccountAPI": "MY_STORAGE_ACCOUNT_KEY"
  }
}
Enter fullscreen mode Exit fullscreen mode
Step 3

Set the appSecrets.json file to Copy if newer inside of Visual Studio.

copy if newer

Step 4

Add the following NuGet packages that allow you to easily read a local JSON file (such as your appSecrets.json) and extract key pieces of information:

  • Microsoft.Extensions.Configuration
  • Microsoft.Extensions.Configuration.FileExtensions
  • Microsoft.Extensions.Configuration.Json
Step 5

Add the following code inside the Main method. This uses ConfigurationBuilder and searches for the file.

var builder = new ConfigurationBuilder()
    .SetBasePath(Directory.GetCurrentDirectory())
    .AddJsonFile("appSecrets.json", optional: false, reloadOnChange: true);

IConfigurationRoot configuration = builder.Build();
Enter fullscreen mode Exit fullscreen mode

You can now access the value of the string with the following:

configuration.GetConnectionString("StorageAccountAPI")
Enter fullscreen mode Exit fullscreen mode
Step 6

Set your /.gitignore to ignore the appSecrets.json that you added.

## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.

appSecrets.json
Enter fullscreen mode Exit fullscreen mode

You can verify this file is ignored by looking for the red circle if using Visual Studio.

git ignore

visual studio verification

Not too complicated. But! I really do recommend using Azure Key Vault as it's simple and can protect you across your entire software delivery lifecycle.

Want to read more on secrets in Azure? We've got you covered on everything keys, secrets and certificates.!


We'll be posting articles every day in April, so stay tuned or jump ahead and check out more tips and tricks now.

Top comments (0)