Azure Key Vault Integration in .NET Core: End-to-End Guide

Securely Managing Secrets, Keys, and Certificates in Your .NET Core Applications

In modern cloud applications, managing sensitive information such as API keys, connection strings, and certificates securely is a top priority. Hardcoding secrets in configuration files or source code can expose applications to security risks. Azure Key Vault provides a secure and centralized way to store and manage secrets, encryption keys, and certificates.

In this blog, we’ll cover:

• What Azure Key Vault is and why it is needed.
• How to set up and configure Azure Key Vault.
• How to integrate Azure Key Vault in a .NET Core application with a step-by-step example.

📌Explore more at: https://dotnet-fullstack-dev.blogspot.com/
🌟 Clapping would be appreciated! 🚀

What is Azure Key Vault?

Azure Key Vault is a cloud service that provides:

• Secrets Management: Securely store sensitive information (e.g., API keys, connection strings).
• Key Management: Manage encryption keys for cryptographic operations.
• Certificate Management: Store and manage SSL/TLS certificates.

Why Use Azure Key Vault?

✅ Enhanced Security — Eliminates the need to store secrets in code.
✅ Centralized Management — Single place to manage and access credentials.
✅ Access Control — Supports Azure RBAC and managed identities.
✅ Auditing & Monitoring — Logs access to secrets for security auditing.

Setting Up Azure Key Vault

Step 1: Create an Azure Key Vault

1. Sign in to Azure Portal.
2. Navigate to Key Vaults → Click Create.
3. Provide the following details:

• Subscription: Select your Azure subscription.
• Resource Group: Create or select an existing resource group.
• Key Vault Name: Provide a unique name.
• Region: Select the closest region.

Click Review + Create, then Create.

Step 2: Add a Secret to the Key Vault

1. Go to the Key Vault you just created.
2. Click on Secrets → Generate/Import.
3. Enter a name (e.g., DbConnectionString).
4. Enter a value (e.g., Server=myserver;Database=mydb;User Id=admin;Password=SecurePass123).
5. Click Create.

Step 3: Configure Access Permissions

1. Navigate to Access Policies → Click Add Access Policy.
2. Select Get and List under Secret permissions.
3. Choose Select Principal → Search for your app’s identity (or use your Azure account).
4. Click Add, then Save.

Integrating Azure Key Vault with .NET Core

Step 1: Install Required NuGet Packages

Run the following command to install the required Key Vault packages:

dotnet add package Azure.Security.KeyVault.Secrets
dotnet add package Azure.Identity

Step 2: Configure Azure Key Vault in appsettings.json

Modify your appsettings.json to store the Key Vault URI.

{
  "AzureKeyVault": {
    "VaultUri": "https://your-key-vault-name.vault.azure.net/"
  }
}

Step 3: Load Secrets from Azure Key Vault in .NET Core

Modify your Program.cs file:

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;

var builder = WebApplication.CreateBuilder(args);

// Load Key Vault Configuration
var keyVaultUrl = builder.Configuration["AzureKeyVault:VaultUri"];

if (!string.IsNullOrEmpty(keyVaultUrl))
{
    var credential = new DefaultAzureCredential();
    builder.Configuration.AddAzureKeyVault(new Uri(keyVaultUrl), credential);
}

var app = builder.Build();

app.MapGet("/", async (IConfiguration config) =>
{
    var secretClient = new SecretClient(new Uri(config["AzureKeyVault:VaultUri"]), new DefaultAzureCredential());
    var secret = await secretClient.GetSecretAsync("DbConnectionString");
    return $"Retrieved Secret: {secret.Value.Value}";
});

app.Run();

Step 4: Authenticate Using Managed Identity (Recommended)

For production environments, use Managed Identity instead of manually handling credentials.

Enable Managed Identity for your App Service:

• Navigate to Azure App Service → Identity.
• Enable System Assigned Identity.

Grant Access to Key Vault:

• In Azure Key Vault, go to Access Policies.
• Assign Get and List permissions for the managed identity.

Modify Authentication Code:

var credential = new DefaultAzureCredential();

Testing the Integration

Run your application:

dotnet run

Open your browser and go to:

http://localhost:5000/

You should see:

Retrieved Secret: Server=myserver;Database=mydb;User Id=admin;Password=SecurePass123

Best Practices for Azure Key Vault Integration

✅ Use Managed Identity — Avoid storing credentials in code.
✅ Limit Access — Use Role-Based Access Control (RBAC) for fine-grained permissions.
✅ Enable Logging — Monitor access using Azure Monitor.
✅ Rotate Secrets — Implement automatic secret rotation.
✅ Use Caching — Reduce Key Vault API calls by caching secrets in-memory.

Conclusion

Azure Key Vault is a powerful tool that helps you securely store and access sensitive information in your .NET Core applications. By integrating Key Vault with .NET Core, you ensure that your secrets remain protected while simplifying credential management.

By following this end-to-end guide, you can:

• Store and retrieve secrets securely.
• Integrate Key Vault seamlessly with .NET Core.
• Follow best practices for cloud security.

Have you used Azure Key Vault in your applications? Let us know your experience in the comments! 🚀