Consuming Azure Key Vault secrets
Store Azure Key vault secrets
The Azure Key vault secret provider provides the capability to also store secrets. This functionality is only available on the secret provider itself and not on the entire secret store.
Following steps guide you to store an Azure Key Vault secret via the Azure Key vault secret provider.
- Register the Azure Key Vault secret provider as a named secret provider.
stores.AddAzureKeyVaultWithManagedIdentity(..., name: "AzureKeyVault.ManagedIdentity");
- Retrieve the Azure Key Vault secret provider from the
ISecretStore
(see the named secret provider docs for info)ISecretStore secretStore = ...
var secretProvider = secretStore.GetProvider<KeyVaultSecretProvider>("AzureKeyVault.ManagedIdentity); - Store the secret by calling the
StoreSecretAsync
method.KeyVaultSecretProvider secretProvider = ...
await secretProvider.StoreSecretAsync("MySecret", "P@ssw0rd!);
Open for extension
You can easily extend the Key Vault provider by overriding the GetSecret*Async
methods on the it.
This useful to provide additional logging, for example, during the retrieval of the secrets.
using Microsoft.Extensions.Logging;
using Arcus.Security.Core;
using Arcus.Security.Providers.AzureKeyVault;
public class LoggedKeyVaultSecretProvider : KeyVaultSecretProvider
{
private readonly ILogger _logger;
public LoggedKeyVaultSecretProvider(ILogger<LoggedKeyVaultSecretProvider> logger)
{
_logger = logger;
}
public override async Task<Secret> GetSecretAsync(string secretName)
{
using (var measurement = DependencyMeasurement.Start())
{
Secret secret = await base.GetSecretAsync(secretName);
_logger.LogDependency("Azure Key Vault", "Secret", isSuccessful: true, startTime: measurement.StartTime, duration: measurement.Elapsed);
}
return secret;
}
}