We've selected our favorite tips and tricks created by Michael Crump and are delivering fresh technical content on Azure all April! Miss a day (or more)? Catch up with the series.
Preventing Leaked Secrets with .NET Core
I think almost everyone has committed a secret, key or password to git at some point in their development careers. I definitely have. And if you think you haven't, go double-check.
It sucks. And it's easy to do.
Azure's solution for secrets management is Azure Key Vault.
But what if you wanted to roll your own solution? We're engineers after all...
Rolling Your Own Secret Manager
Azure Key Vault is cheap but not completely free. And there is an overhead of learning the service. (Though I'd argue it's extremely simple.)
Secret Manager is a Microsoft solution for storing sensitive data during the development of an ASP.NET Core project.
Information is always stored in the user profile directory, such as %APPDATA%\microsoft\UserSecrets\<userSecretsId>\secrets.json for Windows or ~/.microsoft/usersecrets/<userSecretsId>/secrets.json for Mac/Linux. This means that if other folks want to get your key store, they can target those directories because the JSON file is unencrypted. Not that my version is encrypted; it just isn't stored in the user profile directory.
Preventing Problematic Pushes
If you work in .NET Core, you can prevent an accidental push of sensitive data to GitHub.
Step 1
Create a new .NET Core App in Visual Studio.
Step 2
Add a file called appSecrets.json and define a couple of secrets that you don't want released.
{
  "ConnectionStrings": {
    "BitlyAPI": "A_BITLY_API_KEY",
    "StorageAccountAPI": "MY_STORAGE_ACCOUNT_KEY"
  }
}
Step 3
Set the appSecrets.json file to Copy if newer inside of Visual Studio.
Step 4
Add the following NuGet packages that allow you to easily read a local JSON file (such as your appSecrets.json) and extract key pieces of information:
- Microsoft.Extensions.Configuration
- Microsoft.Extensions.Configuration.FileExtensions
- Microsoft.Extensions.Configuration.Json
Step 5
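Add the following code inside the Main method. This uses ConfigurationBuilder and searches for the file.
// Needs at the top of the file: using System.IO; using Microsoft.Extensions.Configuration;
// Load appSecrets.json from the working directory; optional: false makes the build fail if it is missing.
var builder = new ConfigurationBuilder()
    .SetBasePath(Directory.GetCurrentDirectory())
    .AddJsonFile("appSecrets.json", optional: false, reloadOnChange: true);
IConfigurationRoot configuration = builder.Build();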
You can now access the value of the string with the following:
configuration.GetConnectionString("StorageAccountAPI")
Step 6
Set your /.gitignore to ignore the appSecrets.json that you added.
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
appSecrets.json
You can verify this file is ignored by looking for the red circle if using Visual Studio.
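The same verification from the command line, as an added example that is not part of the original post: it also catches the case the ignore rule cannot fix, where appSecrets.json was already added to git before Step 6. The function name check_secret_file is hypothetical; the git subcommands are standard.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the .gitignore
# entry from Step 6 really keeps appSecrets.json out of the repository.
#
# check_secret_file REPO_DIR [FILE]
# Prints one status word and returns 0 only when the file is safe:
#   ok          - an ignore rule matches and the file is not in the index
#   tracked     - the file is already in the index; .gitignore does not
#                 untrack it, so it will keep being committed
#   not-ignored - no ignore rule matches, so "git add ." would stage it
check_secret_file() {
    repo=$1
    file=${2:-appSecrets.json}

    # A file that was added before the ignore rule existed stays tracked.
    # Remedy: git rm --cached "$file", then rotate the keys it contained,
    # because earlier commits still hold them.
    if git -C "$repo" ls-files --error-unmatch -- "$file" >/dev/null 2>&1; then
        echo "tracked"
        return 1
    fi

    # check-ignore exits 0 only when some ignore rule matches the path.
    if git -C "$repo" check-ignore -q -- "$file" 2>/dev/null; then
        echo "ok"
        return 0
    fi

    echo "not-ignored"
    return 1
}

# Usage from a pre-commit hook (hypothetical placement):
#   check_secret_file . || exit 1
```

Anything other than ok means the file can still reach the remote on the next push.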
Not too complicated. But! I really do recommend using Azure Key Vault as it's simple and can protect you across your entire software delivery lifecycle.
Want to read more on secrets in Azure? We've got you covered on everything keys, secrets and certificates!