Synopsis: In this exercise, attendees will learn how to migrate a web application to Azure Key Vault rather than storing sensitive credentials (such as database connection strings) in application configuration files.
Task 1: Create an Azure Key Vault secret
- From the extracted GitHub directory, open the \WebApp\FourthCoffeeAPI_KeyVault\FourthCoffeeAPI.sln solution.
- Switch to your Azure Portal.
- Select Key Vaults, then select your Azure Key Vault.
- Select Secrets, then select +Add.
- For the Upload Options, select Manual.
- For the Name, enter FourthCoffeeAPI.
- For the Value, paste the connection string copied from the FourthCoffeeAPI solution's web.config file (line 77).
- Select Create.
- Select Secrets.
- Select FourthCoffeeAPI.
- Select the current version.
- Copy and record the secret identifier URL for later use.
Task 2: Create an Azure Active Directory application
- Select Azure Active Directory, then select App Registrations.
- Select +New application registration.
- For the name, enter AzureKeyVaultTest.
- For the Sign-on URL, enter http://localhost:12345
- Select Create.
- Select the new AzureKeyVaultTest application.
- Copy and record the Application ID for later use.
- Copy and record the Object ID for later use.
- Select Settings.
- Select Keys.
- For Description, enter FourthCoffeeAPI.
- For Expires, select In 1 year.
- Select Save.
- Copy and record the key value for later use.
Task 3: Grant the new application permissions on the Azure Key Vault
- Switch back to Azure Portal and select your Azure Key Vault.
- Select Access Policies.
- Select +Add New.
- Select Select principal, then enter AzureKeyVaultTest in the search box.
- Select the application's service principal, then click Select.
- Open the Secret permissions drop down and check the Get and List permissions. (Get is all the application needs to read a secret by its identifier; List is not required by the code in this exercise and can be left unchecked if you want to keep the policy minimal.)
- Select OK.
- Select Save.
Task 4: Install NuGet packages
- Switch to Visual Studio.
- In the menu, select View->Other Windows->Package Manager Console.
- In the new window that opens, run the following commands (NOTE that these packages are already referenced by the project; the commands are provided for reference):
  a. Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.16.204221202
  b. Install-Package Microsoft.Azure.KeyVault
- From Solution Explorer, double-select the web.config file to open it.
- Notice that the appSettings section contains placeholder values.
- Replace the values as follows:
  a. ClientId: Replace with the Application ID value copied in Task 2, Step 7.
  b. ClientSecret: Replace with the FourthCoffeeAPI key value copied in Task 2, Step 14.
  c. SecretUri: Replace with the Azure Key Vault secret identifier URL copied in Task 1, Step 12.
- NOTE: The ClientSecret is itself a credential. This exercise moves the connection string out of web.config, but the key that unlocks Key Vault still lives in the configuration file, so protect web.config accordingly and rotate the key before the one-year expiry set in Task 2.
- Save Web.config.
Task 5: Test the solution
- In the web.config, delete the connectionString entry (the value you copied into Key Vault in Task 1) at line 78.
- Save the web.config file.
- Open the global.asax.cs file and place a breakpoint at line 31.
- NOTE: This code makes a call to get an accessToken as the application you set up above, then makes a call to Azure Key Vault using that accessToken.
- Run the solution by pressing F5.
- When the breakpoint is hit, step through the code; you should see the call to Azure Key Vault return the secret (which in this case is the connection string to the Azure Database).
- Press F5 to continue, then navigate to http://localhost:[PORT-NUMBER]/api/CustomerAccounts; you should see your data displayed.
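The token acquisition and Key Vault call described in the Task 5 NOTE, as an added example of how the two NuGet packages from Task 4 fit together. This is not the lab solution's own Global.asax.cs: the appSettings key names (ClientId, ClientSecret, SecretUri) are the ones from Task 4, but the KeyVaultConfig class, its method names and the fail-fast configuration checks are assumptions made for this example.

```csharp
// Added example (not the lab solution's code): obtain an access token as the
// AzureKeyVaultTest application, then read the FourthCoffeeAPI secret from Key Vault.
// Assumed: appSettings keys ClientId, ClientSecret and SecretUri as set in Task 4.
using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;                         // Install-Package Microsoft.Azure.KeyVault
using Microsoft.IdentityModel.Clients.ActiveDirectory; // Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory

namespace FourthCoffeeAPI
{
    public static class KeyVaultConfig
    {
        // The connection string retrieved at startup. ConfigurationManager.ConnectionStrings
        // is read-only at run time, so the app reads the value from here, not from web.config.
        public static string DatabaseConnectionString { get; private set; }

        // Callback invoked by KeyVaultClient. Key Vault supplies the authority (the tenant's
        // login endpoint) and the resource (https://vault.azure.net) on each call, so neither
        // needs to be hard-coded in the application.
        private static async Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
        {
            var clientId = ConfigurationManager.AppSettings["ClientId"];
            var clientSecret = ConfigurationManager.AppSettings["ClientSecret"];
            if (string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(clientSecret))
                throw new ConfigurationErrorsException("ClientId and ClientSecret must be set in appSettings.");

            // Client-credentials flow: the app authenticates as the AzureKeyVaultTest
            // service principal created in Task 2; no user sign-in is involved.
            var authContext = new AuthenticationContext(authority);
            var credential = new ClientCredential(clientId, clientSecret);
            AuthenticationResult result = await authContext.AcquireTokenAsync(resource, credential);
            if (result == null)
                throw new InvalidOperationException("Failed to obtain an access token for Key Vault.");
            return result.AccessToken;
        }

        // Fetches the secret created in Task 1 using the versioned secret identifier URL
        // stored in appSettings. Only the Get secret permission granted in Task 3 is used.
        public static async Task<string> LoadConnectionStringAsync()
        {
            var secretUri = ConfigurationManager.AppSettings["SecretUri"];
            if (string.IsNullOrEmpty(secretUri))
                throw new ConfigurationErrorsException("SecretUri must be set in appSettings.");

            var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync));
            var secret = await kv.GetSecretAsync(secretUri);
            DatabaseConnectionString = secret.Value;
            return DatabaseConnectionString;
        }
    }
}
```

Application_Start in Global.asax.cs is synchronous, so it would call `KeyVaultConfig.LoadConnectionStringAsync().GetAwaiter().GetResult()` once at startup; blocking there means a missing access policy or an expired key fails fast with a Key Vault or authentication error instead of surfacing later as a confusing database connection failure. Because the secret identifier from Task 1 includes the version, rotating the connection string in Key Vault requires updating SecretUri as well (or switching to the unversioned identifier, which resolves to the current version).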