How to read Azure KeyVault secrets using Managed Identity in .NET Framework 4.8 C#

Using a Managed Identity for Azure resources is considered best practice, because it removes the need to keep additional credentials (tokens or passwords) in config files. This article is about accessing Azure Key Vault using a Managed Identity. I am using .NET Framework 4.8 for this tutorial.

Step 1 – Create KeyVault and secrets

First, go to the Azure Portal and create the secret values you need for testing. I would go with a “testkey” and a dummy value.

(I am assuming you know the basics of the Azure Portal and know how to create an Azure resource such as a Key Vault.)


Also, take a note of the “Vault URI” shown in the “Overview” section; we will need it in the C# code.

Step 2 – Create Sample .NET App

Next, open Visual Studio (I have used 2022) and start a new project. I have used a .NET Framework 4.8 Console Application.

Step 3 – Install necessary NuGet packages

We require two major packages for this project. Install these:

1. Azure.Identity
2. Azure.Security.KeyVault.Secrets


Step 4 – Coding!

This is the sample code I have used. Make sure to replace the placeholder with your own Key Vault URL.

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

namespace kvtest
{
    internal class Program
    {
        static void Main(string[] args)
        {
            // Replace the URI with the "Vault URI" from your Key Vault's Overview section.
            // DefaultAzureCredential uses the managed identity when the app is hosted in Azure,
            // and a developer sign-in (such as the Visual Studio account) on your own machine.
            SecretClient secretClient = new SecretClient(
                new Uri("https://your-keyvault.vault.azure.net/"),
                new DefaultAzureCredential());

            // GetSecret returns Response<KeyVaultSecret>: .Value is the KeyVaultSecret object,
            // and its own .Value property holds the secret string.
            var secret = secretClient.GetSecret("testkey");
            Console.WriteLine(secret.Value.Value);

            Console.ReadKey();
        }
    }
}

Notice the “DefaultAzureCredential()”: this is what makes the Managed Identity work without any plain credentials in the code. It tries a chain of credential sources in order, using the managed identity when the app is hosted in Azure and falling back to a developer sign-in, such as the Visual Studio account, on your own machine.

Step 5 – Login to Azure

If you “run” your app at this stage, you will get an error like the one below. This is because there is currently no authenticated connection between your laptop and Azure. The application will work once it is hosted in Azure, in a resource such as App Service, but you cannot yet run it on your developer laptop/machine to debug it.

[image: the error shown when the app runs without an Azure sign-in]

To make your app debuggable on your machine, you have to let Visual Studio sign in to Azure.

Go to Tools –> Options –> Azure Service Authentication

and sign in to your account there.

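Here is a hardened variant of the same program, added here as an example and not part of the original post. It builds the DefaultAzureCredential chain explicitly so that a Release build can only authenticate as its managed identity while a Debug build may still use the Visual Studio sign-in set up above, and it tells an authentication failure apart from a missing Key Vault permission. The vault URI and the secret name “testkey” are the same placeholders as in the sample, and the BuildCredential method name is my own.

```csharp
using System;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
namespace kvtest
{
    internal class Program
    {
        // Debug builds keep the Visual Studio sign-in for local debugging; Release builds switch off
        // every developer-tool source, so a deployed build can only authenticate as its managed identity.
        static TokenCredential BuildCredential()
        {
            var options = new DefaultAzureCredentialOptions
            {
                ExcludeInteractiveBrowserCredential = true,
#if DEBUG
                ExcludeVisualStudioCredential = false,   // Tools -> Options -> Azure Service Authentication
#else
                ExcludeVisualStudioCredential = true,
                ExcludeVisualStudioCodeCredential = true,
                ExcludeAzureCliCredential = true,
                ExcludeAzurePowerShellCredential = true,
#endif
            };
            return new DefaultAzureCredential(options);
        }
        static void Main(string[] args)
        {
            // Placeholder vault URI: use the "Vault URI" from your Key Vault's Overview section.
            var client = new SecretClient(new Uri("https://your-keyvault.vault.azure.net/"), BuildCredential());
            try
            {
                KeyVaultSecret secret = client.GetSecret("testkey").Value;
                // Do not echo the secret; log metadata you can match against Key Vault's audit log.
                Console.WriteLine($"Read '{secret.Name}' version {secret.Properties.Version}, {secret.Value.Length} chars");
            }
            catch (AuthenticationFailedException ex)
            {
                // No source in the chain produced a token: not signed in locally, or no identity assigned in Azure.
                Console.Error.WriteLine("Token acquisition failed: " + ex.Message);
            }
            catch (RequestFailedException ex) when (ex.Status == 403)
            {
                // A token was obtained, but this identity lacks "Get" permission on secrets (access policy or RBAC).
                Console.Error.WriteLine("Key Vault denied access: " + ex.ErrorCode);
            }
        }
    }
}
```

A 403 here means the identity exists and authenticated but was never granted secret access on the vault, which is the usual cause of “it works on my laptop but not in App Service”.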

Step 6 – Execute!

Now we are all set to build and run the app. Just hit F5!


What is Microsoft Cloud Adoption Framework?

The Microsoft Cloud Adoption Framework is basically a collection of guidance, best practices, tools and techniques to be followed by the various business and technology stakeholders in an organization, to make sure they build and maintain the best possible platform, one that ensures security, governance, scalability and the other non-functional requirements.

While cloud adoption brings 80%+ of the benefits compared to the traditional, or legacy, on-premise data center way of life, as a public platform it also introduces a few points of concern for business leadership, such as security. Years back, when cloud service platforms were first introduced, banking and other financial firms had trust issues, because there were multiple levels of organizational hierarchy to be convinced and the level of technical knowledge differed from person to person. Today this is no longer an issue: we have multiple cloud providers in the market offering cutting-edge solutions for each and every customer problem, no significant breaches were reported, and, more importantly, the cloud literacy of people has also risen.

This is where the Cloud Adoption Framework plays its big role in helping people, process and technology. It defines a clear and practical roadmap to the cloud that is foolproof and quick enough to give businesses the expected result and a smooth transition.

Below are the main stages in the roadmap as per the Microsoft Cloud Adoption Framework:


  1. Define: We start the journey by defining a business case, followed by a cloud adoption strategy. We set our vision, key drivers, objectives and justification in line with the organization's vision and other aspects such as financial and technology parameters. We set the expectations and document the need at this stage. The motivation for a cloud adoption decision could be upgrading technology, business expansion, cost, reducing complexity, operational efficiency, customer experience, faster time-to-market, or business agility.
  2. Plan: Create the cloud adoption plan. This is a crucial phase where we have to plan the communication model, security, monitoring, etc. Cloud readiness and the adoption plan will be crystal clear at this point. Most cases would require a platform/application/infrastructure assessment and gap analysis for effective planning, especially for enterprise-level applications. An incremental implementation approach is recommended for larger projects. The migration approach taken for each application or service could be different. Several approaches are under consideration, such as Rehost (lift-and-shift), Refactor (for example splitting functionality into multiple chunks for maintainability), Rearchitect (for example converting a monolith to a microservices architecture for scalability), Rebuild (drop unused functionality/applications and build new), and Replace (discard the old application and make everything new). For business continuity, you might also plan for the coexistence of legacy and new platforms for a short evaluation period, not just to evaluate the efficiency, but also to give staff and customers a smooth transition.
  3. Ready: We set the stage, aka Landing Zones, and prepare the other cloud infrastructure dependencies here. This phase also includes validation of the architecture, and of patterns & practices. As part of the process, the team will address the issues identified during the gap analysis, prepare the team (e.g. by providing training), and establish mitigation/support options.
  4. Adopt: Action phase! We do the migration/modernization of the platform and dependent applications. We may also do the cloud-native transformation if planned earlier. Migration to PaaS services or introducing DevOps/DevSecOps/DevSecTestOps can be in scope.
  5. Govern & Manage: Time to set benchmarks, compliance, rules, protocols, risk tolerance levels and mitigation plans, and to monitor, audit and manage. Govern & Manage are not really phases, but a continuous monitoring and improvement process.

Read more on the Microsoft Cloud Adoption journey here: