From a security perspective, storing your application secrets in Azure Key Vault is always a good solution. This could be a connection string or other keys.

This article tells you how to configure your application so it is ready to use a Key Vault.

Depending on your hosting situation there are a few approaches to incorporating Azure Key Vault into your application.

1. Install Key Vault via Nuget (for most Hosting scenarios)

2. Use Key Vault references for Azure App Service (For Azure Web App Hosting)

Install Key Vault via Nuget

Before you begin, you need to install the Azure.Extensions.AspNetCore.Configuration.Secrets and the Azure.Identity NuGet packages. There are two approaches to installing the packages:

1. Use your favorite Integrated Development Environment (IDE) and open up the NuGet Package Manager to search and install the packages

2. Use the command line to install the package

Installing through command line

Navigate to your project folder, which is the folder that contains your .csproj file. Now use the following dotnet add package command to install the packages:

dotnet add package Azure.Extensions.AspNetCore.Configuration.Secrets
dotnet add package Azure.Identity

Configuration

The next step is to add the Azure Key Vault endpoint to the appsettings.json file (or create as an Environment Variable). You can add this endpoint in the root or anywhere in the appsettings.json as long as it is resolved in the ConfigureAppConfiguration method.

{
  "AzureKeyVaultEndpoint": "https://{your-key-vault-name}.vault.azure.net",
}

After adding the endpoint in the appsettings, it's time to add configuration so that the KeyVault is used. One way to achieve this is to write an extension method for the WebApplicationBuilder:

using System;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Extensions;

namespace My.Website;

public static class WebApplicationBuilderExtensions
{
	public static WebApplicationBuilder ConfigureKeyVault(this WebApplicationBuilder builder)
	{
		var keyVaultEndpoint = builder.Configuration["AzureKeyVaultEndpoint"];
		if (!string.IsNullOrWhiteSpace(keyVaultEndpoint) && Uri.TryCreate(keyVaultEndpoint, UriKind.Absolute, out var validUri))
		{
			builder.Configuration.AddAzureKeyVault(validUri, new DefaultAzureCredential());
		}

		return builder;
	}
}

After creating the extension method, it's possible to call it from the Program.cs class, like so:

using Microsoft.AspNetCore.Builder;
using My.Project;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Extensions;

WebApplicationBuilder builder = WebApplication.CreateBuilder(args);

builder.ConfigureKeyVault();

builder.CreateUmbracoBuilder()
    .AddBackOffice()
    .AddWebsite()
    .AddDeliveryApi()
    .AddComposers()
    .Build();

WebApplication app = builder.Build();

await app.BootUmbracoAsync();

app.UseUmbraco()
    .WithMiddleware(u =>
    {
        u.UseBackOffice();
        u.UseWebsite();
    })
    .WithEndpoints(u =>
    {
        u.UseInstallerEndpoints();
        u.UseBackOfficeEndpoints();
        u.UseWebsiteEndpoints();
    });

await app.RunAsync();

Authentication

There are different ways to access the Azure Key Vault. It is important that the user you are logging in with has access to the Key Vault. You can assign roles using the Azure Portal.

1. Navigate to your Key Vault.

2. Select Access Control.

3. Select Add -> Add role assignment.

4. Select the preferred role.

5. Search for the user.

6. Click review + assign

Use Key Vault references for Azure App Service

Azure Web Apps offers the ability to directly reference Key Vault secrets as App Settings. The benefit of this is you can securely store your secrets in Key Vault without any code changes required in your application.

Create a System Assigned Managed Identity

To begin we first need to create a Managed Identity for the Azure Web App. This enables us to grant granular permissions to an identity representing the Web App.

Head over to your Azure Web App and find Identity under Settings:

Under System assigned change the Status from Off to On.

A GUID will then be generated called Object (principal) ID. Take note of this ID as we will need it further on.

Update your Key Vault Access Policy

It is assumed you already have a Key Vault set up with a few Umbraco secrets inside. In your Key Vault head to Access Policies.

At the top select + Create. We are now going to add the System Managed Identity for the Web App to Key Vault.

You will now be presented with different permissions to set for your Web App. You only need Get and List for Secret Permissions only. Click Next to continue:

Enter the GUID you took note of earlier, into the Search Box. You will see your Web App listed.

Click your Web App to Select and click Next and then Create:

If you visit the Access Policies section again you should now see your web app in the list and its permissions:

Link our Key Vault Secret to an Azure Web App

In your Azure Web App head to Configuration under Settings.

Here we can add App Settings and Connection Strings to the environment.

1. Let us start off with the Umbraco Database Connection String.

Under Connection Strings, select Advanced Edit.

Once you click on "Advanced Edit" a new window will open up. There you will need to paste in the following JSON Object inside the square brackets. Ensure you update {keyvault-name}, {secret-name} and {version-id}.

{
    "name": "umbracoDbDSN",
    "value": "@Microsoft.KeyVault(SecretUri=https://{keyvault-name}.vault.azure.net/secrets/{secret-name}/{version-id}/)",
    "type": "Custom",
    "slotSetting": false
}

The ID is optional but recommended as it enables you to control which version of the secret is used at your discretion. Leave it out if you always want the Web App to pull the latest version of the secret.

Wait a moment and refresh the screen. You should see a Green tick. If you do not have a Green tick you need to review your Access Policies in the previous step.

2. We will perform the same approach for our App Settings. We will be updating the following App Settings for Azure Blob Storage.

"Umbraco": {
    "Storage": {
      "AzureBlob": {
        "Media": {
          "ConnectionString": "",
          "ContainerName": ""
        }
      }
    }

Due to the secrets being nested we need to use double underscore __ to correctly reference the value on our Web App.

On the Web App select Advanced Edit for Application Settings:

When clicking on "Advanced Edit", a new window will open up. There you will need to paste in the following JSON Objects inside the square brackets. Ensure you update {keyvault-name}, {secret-name} and {version-id}.

{
    "name": "Umbraco__Storage__AzureBlob__Media__ConnectionString",
    "value": "@Microsoft.KeyVault(SecretUri=https://{keyvault-name}.vault.azure.net/secrets/{secret-name}/{version-id}/)",
    "slotSetting": false
},
{
    "name": "Umbraco__Storage__AzureBlob__Media__ContainerName",
    "value": "@Microsoft.KeyVault(SecretUri=https://{keyvault-name}.vault.azure.net/secrets/{secret-name}/{version-id}/)",
    "slotSetting": false
}

The ID is optional but recommended as it enables you to control which version of the secret is used at your discretion. Leave it out if you always want the Web App to pull the latest version of the secret.

Wait a moment and refresh the screen. You should see Green ticks for both values. If you do not have a Green tick you need to review your Access Policies in the previous step.

Local Development

1. Sign in to Visual Studio using the credentials that can access the Key Vault.

2. Use Azure CLI to store your preferred account into the credential cache.

Staging/Production

1. Managed identities for Azure resources

2. X.509 certificate for non-Azure-hosted apps

3. Use Key Vault references for App Service and Azure Functions