//GetSettingFromKeyVault public static string GetValueFomKeyVault(string Key) { var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken)); string keyVaultURL = GetValue(Key); var connStr = (kv.GetSecretAsync(keyVaultURL)).GetAwaiter().GetResult().Value; string s = connStr.ToString(); return s; }
static void KeyVaultSecretsDemo() { // Use Key for authorization AccessToken var keyVaultClient = new KeyVaultClient(GetAccessToken, new HttpClient()); // Use Certificate for authorization AccessToken // var keyVaultClient = new KeyVaultClient(GetAccessCertificateToken, new HttpClient()); var keyVaultAddress = ConfigurationManager.AppSettings["VaultUrl"]; // Get connection string without password var connectionString = keyVaultClient.GetSecretAsync(keyVaultAddress, "ConnectionStringsWilco").GetAwaiter().GetResult(); var builder = new SqlConnectionStringBuilder(connectionString.Value); // Get password var password = keyVaultClient.GetSecretAsync(keyVaultAddress, "SqlPasswordWilco").GetAwaiter().GetResult(); // Convert password to SecureString. 'password.Value' object still keeps it in plain text. Hopefuly this is the only reference. // The reason to keep password out of connection string is to minimize number of it's instances in managed heap. var securePassword = new SecureString(); foreach (char c in password.Value) { securePassword.AppendChar(c); } securePassword.MakeReadOnly(); // Allow GC to collect it password = null; // Keep connection in SqlCredential. When connection goes to pool or paged to disk credentials are not exposed. var credentials = new SqlCredential(builder.UserID, securePassword); builder.UserID = string.Empty; // Need to clen up user id as SqlCredential won't attach to sql connection // Put connection string and credentials in cache. We don't want to fetch connection string each time from KV. // Remove callback policy is designed to dispose objects. In case of SecureString it should be packed with '0'oz. MemoryCache.Default.Add("ConnectionStringsWilco", builder.ConnectionString, new CacheItemPolicy { RemovedCallback = DisposePolicyRemovedCallback }); MemoryCache.Default.Add("SqlCredentialsWilco", credentials, new CacheItemPolicy { RemovedCallback = DisposePolicyRemovedCallback }); BusinessOperation(); Console.ReadLine(); }
protected void Application_Start() { AreaRegistration.RegisterAllAreas(); GlobalConfiguration.Configure(WebApiConfig.Register); FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters); RouteConfig.RegisterRoutes(RouteTable.Routes); BundleConfig.RegisterBundles(BundleTable.Bundles); try { // I put my GetToken method in a Utils class. Change for wherever you placed your method. var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(AuthHelper.GetToken)); var cosmosConnectionString = kv.GetSecretAsync(WebConfigurationManager.AppSettings["raven-cosmosdb-connectionstring"]).GetAwaiter().GetResult(); var cosmosKey = kv.GetSecretAsync(WebConfigurationManager.AppSettings["raven-cosmosdb-key"]).GetAwaiter().GetResult(); //I put a variable in a Utils class to hold the secret for general application use. AuthHelper.CosmosConnectionString = cosmosConnectionString.Value; AuthHelper.CosmosKey = cosmosKey.Value; } catch (Exception e) { Console.WriteLine(e.Message); } }
public async Task <X509Certificate2> GetCertificateAsync(string keyVaultAddress, string certificateName) { var tokenProvider = new AzureServiceTokenProvider(); using (var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback))) { var secretBundle = await client.GetSecretAsync(keyVaultAddress, certificateName); var privateKeyBytes = Convert.FromBase64String(secretBundle.Value); var cert = new X509Certificate2(privateKeyBytes, (string)null, X509KeyStorageFlags.MachineKeySet); return(cert); } }
private async Task <SearchIndexClient> CreateSearchIndexClientAsync(string indexName) { string searchServiceName = ConfigurationManager.AppSettings["ServiceName"]; //string queryApiKey = ConfigurationManager.AppSettings["SearchApiKey"]; var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(SimpleAzureSearch.Utils.TokenObtainer.GetToken)); var queryApiKeySecret = await kv.GetSecretAsync(WebConfigurationManager.AppSettings["SecretUri"]); string queryApiKey = queryApiKeySecret.Value; SearchIndexClient indexClient = new SearchIndexClient(searchServiceName, indexName, new SearchCredentials(queryApiKey)); return(indexClient); }
private async Task <X509Certificate2> GetCertificateAsync() { var azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var secret = await keyVaultClient.GetSecretAsync("https://evoting-keys.vault.azure.net/secrets/certificate-base64/d471eebb69b94aae967136e6b2d37b82").ConfigureAwait(false); var pfxBase64 = secret.Value; var bytes = Convert.FromBase64String(pfxBase64); var coll = new X509Certificate2Collection(); coll.Import(bytes, "QEk5$s2PrRcZrj4xHb", X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet); return(coll[0]); }
private async Task GitSetupAsync() { AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); SecretBundle secretBundle = await keyVaultClient.GetSecretAsync(_secretUri).ConfigureAwait(false); var productInformation = new ProductHeaderValue("MLGitHubLabeler"); _client = new GitHubClient(productInformation) { Credentials = new Credentials(secretBundle.Value) }; }
public static async Task <string> GetSecret(string KeyVaultName, string secretName) { //string token = KeyVaultHelper.getToken(); AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); //For Microsoft Azure Government Key Vaults, use the following URL: *.vault.usgovcloudapi.net //var secret = await keyVaultClient.GetSecretAsync($"https://{KeyVaultName}.vault.usgovcloudapi.net/secrets/{secretName}"); var secret = await keyVaultClient.GetSecretAsync($"https://{KeyVaultName}.vault.azure.net/secrets/{secretName}"); return(secret.Value); }
public async Task <string> GetSecret(string key) { string url = "https://abootkakv.vault.azure.net/secrets/"; url = url + key; // Create KeyVaultClient with vault credentials var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAzureKeyVaultAccessToken)); // Get a SAS token for our storage from Key Vault var sasToken = await kv.GetSecretAsync(url); return(sasToken.Value); }
public void Configuration(IAppBuilder app) { var azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient(async(authority, resource, scope) => await azureServiceTokenProvider.GetAccessTokenAsync(resource)); var secret = keyVaultClient.GetSecretAsync("https://veracitydevdaydemo.vault.azure.net/", "Veracity1--ClientSecret").Result; var subscriptionKey = keyVaultClient .GetSecretAsync("https://veracitydevdaydemo.vault.azure.net/", "Veracity--SubscriptionKey").Result; app.UseCookieAuthentication(new CookieAuthenticationOptions { CookieName = "a.c" }); //set auth cookie app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType); //set default auth type //configure veracity auth app.UseVeracityAuthentication(new TokenProviderConfiguration { ClientSecret = secret.Value, SubscriptionKey = subscriptionKey.Value }) //Add Azure Ad B2C authentication and access token cache .UseTokenCache(CacheFactoryFunc); //add access token cache and set cache strategy }
static void Main(string[] args) { var secretUri = "https://intellipatvault.vault.azure.net/secrets/ConnectionString"; //KeyVaultClient client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken)); //var secret = client.GetSecretAsync(secretUri).ConfigureAwait(false).GetAwaiter().GetResult(); var azureServiceTokenProvider = new AzureServiceTokenProvider(); var client1 = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var secret1 = client1.GetSecretAsync(secretUri).ConfigureAwait(false).GetAwaiter().GetResult(); Console.WriteLine(secret1.Value); //GetAccessToken().GetAwaiter().GetResult(); }
private async Task <SecretBundle> GetDBHost(KeyVaultClient vaultClient) { Console.WriteLine("Get Host Secret"); try { return(await vaultClient.GetSecretAsync("https://polyportdemo.vault.azure.net/secrets/cosmosDBHostname/bbdd4312f4ec4cd0ba8c380991a81a61") .ConfigureAwait(false)); } catch (KeyVaultErrorException keyVaultException) { Console.WriteLine(keyVaultException.Message); return(null); } }
public static async Task <string> GetKeyVaultSecret(string KeyVaultClientId, string KeyVaultClientSecret, string keyVaultSecret) { KeyVaultClient keyClient = new KeyVaultClient(async(authority, resource, scope) => { var adCredential = new ClientCredential(KeyVaultClientId, KeyVaultClientSecret); var authenticationContext = new AuthenticationContext(authority, null); return((await authenticationContext.AcquireTokenAsync(resource, adCredential)).AccessToken); }); var secret = await keyClient.GetSecretAsync("https://biztalktoazurepoc.vault.azure.net/" + "secrets/" + keyVaultSecret); return(secret.Value); }
public async Task <string> GetSecretAsync(string secretName) { if (string.IsNullOrEmpty(secretName)) { throw new ArgumentNullException("secretName"); } string fixedSecretName = FixSecretName(secretName); var secret = await _keyVaultClient.GetSecretAsync(_keyVaultUrl, fixedSecretName).ConfigureAwait(false); return(secret.Value); }
private async Task <X509Certificate2> GetCertificateAsync(string identitifier, KeyVaultClient keyVaultClient) { var certificateVersionBundle = await keyVaultClient.GetCertificateAsync(identitifier); var certificatePrivateKeySecretBundle = await keyVaultClient.GetSecretAsync(certificateVersionBundle.SecretIdentifier.Identifier); var privateKeyBytes = Convert.FromBase64String(certificatePrivateKeySecretBundle.Value); var certificateWithPrivateKey = new X509Certificate2(privateKeyBytes, (string)null, X509KeyStorageFlags.MachineKeySet); return(certificateWithPrivateKey); }
public static string GetKeyVaultSecretValue(string ExtCertKey, TraceWriter log) { // This is the part where I grab the secret. var azureServiceTokenProvider = new AzureServiceTokenProvider(); using (var keyClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback))) { string keyVaultSecretUri = string.Format("https://{0}.vault.azure.net/secrets/{1}/", Helpers.GetEnvironmentVariable("KeyVaultName"), ExtCertKey); string secretvalue = keyClient.GetSecretAsync(keyVaultSecretUri).Result.Value; log.Info("Get the value from Key Vault: " + keyVaultSecretUri); return(secretvalue); } }
/// <summary> /// Load configuration from environment properties and keyvault /// </summary> /// <returns>Task of async operation</returns> public async Task LoadConfigurationAsync() { // this value is set by ARM deployment script this.FrontDoorHostName = Environment.GetEnvironmentVariable(this.FrontDoorHostNameKeyName); if (this.FrontDoorHostName == null) { throw new Exception($"Function config does not have {this.FrontDoorHostNameKeyName} value"); } // All keyvault secrets are set by ARM deployment script var azureServiceTokenProvider = new AzureServiceTokenProvider(); using var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var secret = await keyVaultClient.GetSecretAsync($"https://{this.keyVaultName}.vault.azure.net/secrets/AMSConfiguration").ConfigureAwait(false); var amsConfigurationList = JsonConvert.DeserializeObject <List <MediaServiceConfigurationModel> >(secret.Value); this.MediaServiceInstanceConfiguration = amsConfigurationList.ToDictionary(i => i.AccountName); secret = await keyVaultClient.GetSecretAsync($"https://{this.keyVaultName}.vault.azure.net/secrets/StorageAccountConnectionString").ConfigureAwait(false); this.StorageAccountConnectionString = secret.Value; secret = await keyVaultClient.GetSecretAsync($"https://{this.keyVaultName}.vault.azure.net/secrets/TableStorageAccountConnectionString").ConfigureAwait(false); this.TableStorageAccountConnectionString = secret.Value; foreach (var configuration in this.MediaServiceInstanceConfiguration) { secret = await keyVaultClient.GetSecretAsync($"https://{this.keyVaultName}.vault.azure.net/secrets/AMSStorageAccountConnectionString-{configuration.Value.AccountName}").ConfigureAwait(false); this.MediaServiceInstanceStorageAccountConnectionStrings.Add(configuration.Value.AccountName, secret.Value); } secret = await keyVaultClient.GetSecretAsync($"https://{this.keyVaultName}.vault.azure.net/secrets/ClearKeyStreamingKey").ConfigureAwait(false); this.clearKeyStreamingKey = Convert.FromBase64String(secret.Value); }
/// <summary> /// Gets the secret from the Key Vault using the identifier. /// </summary> public async Task <Secret> GetSecret(string identifier) { string secretIdentifier = $"https://{KeyVaultName}.{keyVaultDnsSuffix}/secrets/{identifier}"; try { return(await client.GetSecretAsync(secretIdentifier)); } catch (Exception ex) { throw new Exception($"Unable to retreive secret identifier '{secretIdentifier}' from Key Vault '{KeyVaultName}'. Error: {ex.Message}"); } }
public async Task <X509Certificate2> GetX509Certificate2Async(string keyVaultSecretIdentifier) { var secret = await _keyVaultClient.GetSecretAsync(keyVaultSecretIdentifier).ConfigureAwait(false); if (secret.ContentType != CertificateContentType) { throw new ArgumentException($"This certificate must be of type {CertificateContentType}"); } var certificateBytes = Convert.FromBase64String(secret.Value); return(GetX509Certificate2(certificateBytes)); }
private async Task <string> ReadSecretFromKeyVault() { // ReSharper disable once UnusedVariable var connectionStringInternalUsedByAzureServiceTokenProvider = Environment.GetEnvironmentVariable("AzureServicesAuthConnectionString"); AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); string vaultName = "NoSecrets-Vault01"; string secret = "MySecret"; var secretBundle = await keyVaultClient.GetSecretAsync($"https://{vaultName}.vault.azure.net/secrets/{secret}").ConfigureAwait(false); return(secretBundle.Value); }
protected void Application_Start() { AreaRegistration.RegisterAllAreas(); FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters); RouteConfig.RegisterRoutes(RouteTable.Routes); BundleConfig.RegisterBundles(BundleTable.Bundles); var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(EncryptionHelper.GetToken)); var sec = kv.GetSecretAsync(ConfigReader.GetApplicationString("SecretUri")); //I put a variable in a Utils class to hold the secret for general application use. EncryptionHelper.EncryptSecret = sec.Result.Value; }
public string GetKeyVaultValue(string keyname) { GetAppCert(); var keyvaultclient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken)); var task = new TaskFactory( CancellationToken.None, TaskCreationOptions.None, TaskContinuationOptions.None, TaskScheduler.Default ).StartNew <Task <SecretBundle> >(() => keyvaultclient.GetSecretAsync(keyname)).Unwrap().GetAwaiter().GetResult(); return(task.Value); }
protected void Application_Start() { AreaRegistration.RegisterAllAreas(); FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters); RouteConfig.RegisterRoutes(RouteTable.Routes); BundleConfig.RegisterBundles(BundleTable.Bundles); var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(KeyVaultHelper.GetToken)); var task = kv.GetSecretAsync(WebConfigurationManager.AppSettings["connectionString"]); task.Wait(); KeyVaultHelper.connectionStringSecret = task.Result.Value; }
public async Task <string> GetSecretAsync() { AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); string secretUriSettings = ""; SecretBundle secret; if (!String.IsNullOrEmpty(secretUriSettings)) { secret = await kv.GetSecretAsync(secretUriSettings).ConfigureAwait(false); } else { secret = await kv.GetSecretAsync(secretURI).ConfigureAwait(false); } return(secret.Value); }
public async Task <string> GetSecretAsync(string secretName) { try { var bundle = await KeyVaultClient.GetSecretAsync(VaultAddress, secretName); return(bundle.Value); } catch (KeyVaultErrorException) { return(string.Empty); } }
private async Task <SecretBundle> GetSecret(string secretName) { var builder = new ConfigurationBuilder() .SetBasePath(Directory.GetCurrentDirectory()) .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true); IConfigurationRoot configuration = builder.Build(); var keyvault = configuration.GetConnectionString("Keyvault"); var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); return(await keyVaultClient.GetSecretAsync($"{keyvault}{secretName}").ConfigureAwait(false)); }
static public async Task GetSecret() { AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var secret = await keyVaultClient.GetSecretAsync(keyvaultURI) .ConfigureAwait(false); Console.WriteLine(secret.Value); Console.ReadKey(); }
async protected void Application_Start() { AreaRegistration.RegisterAllAreas(); GlobalConfiguration.Configure(WebApiConfig.Register); FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters); RouteConfig.RegisterRoutes(RouteTable.Routes); BundleConfig.RegisterBundles(BundleTable.Bundles); var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(Util.GetToken)); var sec = await kv.GetSecretAsync(WebConfigurationManager.AppSettings["SecretUri"]); Util.EncryptSecret = sec.Value; }
public async Task <string> GetSecret(string keyName) { try { var secret = await keyVaultClient.GetSecretAsync($"{KeyVaultUrl}/secrets/" + keyName).ConfigureAwait(false); return(secret.Value); } catch (Exception) { return(string.Empty); } }
public async Task <string> GetSecretValue(string keyName) { string secret = ""; AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); //slow without ConfigureAwait(false) //keyvault should be keyvault DNS Name var secretBundle = await keyVaultClient.GetSecretAsync(Environment.GetEnvironmentVariable("keyvault") + keyName).ConfigureAwait(false); secret = secretBundle.Value; Console.WriteLine(secret); return(secret); }
public async Task OnGetAsync() { Message = "Your application description page."; int retries = 0; bool retry = false; try { /* The below 4 lines of code shows you how to use AppAuthentication library to fetch secrets from your Key Vault*/ AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var secret = await keyVaultClient.GetSecretAsync("https://<yourkvreprohere>.vault.azure.net/secrets/<yourkvreprohere>/secretValue") .ConfigureAwait(false); Message = secret.Value; /* The below do while logic is to handle throttling errors thrown by Azure Key Vault. It shows how to do exponential backoff which is the recommended client side throttling*/ do { long waitTime = Math.Min(getWaitTime(retries), 2000000); secret = await keyVaultClient.GetSecretAsync("https://<yourkvreprohere>.vault.azure.net/secrets/<yourkvreprohere>/secretValue") .ConfigureAwait(false); retry = false; }while (retry && (retries++ < 10)); } /// <exception cref="KeyVaultErrorException"> /// Thrown when the operation returned an invalid status code /// </exception> catch (KeyVaultErrorException keyVaultException) { Message = keyVaultException.Message; if ((int)keyVaultException.Response.StatusCode == 429) { retry = true; } } }
public ActionResult Index() { var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(PiUiUtil.GetTokenForCurrentApplication)); string piStorageAccountName = kv.GetSecretAsync(CloudConfigurationManager.GetSetting("piStorageAccountName_KvUri")).Result.Value; string piStorageAccountSecretKey = kv.GetSecretAsync(CloudConfigurationManager.GetSetting("piStorageAccountSecretKey_KvUri")).Result.Value; string piStorageAccountCameraContainerName = kv.GetSecretAsync(CloudConfigurationManager.GetSetting("piStorageAccountCameraContainerName_KvUri")).Result.Value; string piStorageAccountCameraStillImagesQueueName = kv.GetSecretAsync(CloudConfigurationManager.GetSetting("piStorageAccountCameraStillImagesQueueName_KvUri")).Result.Value; string storageConnection = String.Format("DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1}", piStorageAccountName, piStorageAccountSecretKey); CloudStorageAccount storageAccount = CloudStorageAccount.Parse(storageConnection); CloudQueueClient queueClient = storageAccount.CreateCloudQueueClient(); CloudQueue queue = queueClient.GetQueueReference(piStorageAccountCameraStillImagesQueueName); queue.EncodeMessage = true; // Peek at the next message CloudQueueMessage message = queue.GetMessage(); // Display message. Console.WriteLine(); // Create the blob client. CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient(); // Retrieve reference to a previously created container. CloudBlobContainer container = blobClient.GetContainerReference(piStorageAccountCameraContainerName); // Retrieve reference to a blob ie "picture.jpg". CloudBlockBlob blockBlob = container.GetBlockBlobReference(message.AsString); //------ var newUri = new Uri(blockBlob.Uri.AbsoluteUri); ViewBag.ImageUri = newUri; return(View()); }
protected void Application_Start() { AreaRegistration.RegisterAllAreas(); FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters); RouteConfig.RegisterRoutes(RouteTable.Routes); BundleConfig.RegisterBundles(BundleTable.Bundles); // I put my GetToken method in a Utils class. Change for wherever you placed your method. var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(Utils.GetToken)); var sec = kv.GetSecretAsync(WebConfigurationManager.AppSettings["SecretUri"]).Result.Value; //I put a variable in a Utils class to hold the secret for general application use. Utils.EncryptSecret = sec; }
protected void Application_Start() { AreaRegistration.RegisterAllAreas(); FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters); RouteConfig.RegisterRoutes(RouteTable.Routes); BundleConfig.RegisterBundles(BundleTable.Bundles); // I put my GetToken method in a Utils class. Change for wherever you placed your method. var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(Util.GetToken)); var sec = kv.GetSecretsAsync(WebConfigurationManager.AppSettings["VaultUri"]).GetAwaiter().GetResult(); //I put a variable in a Utils class to hold the secret for general application use. Util.EncryptSecret = new List<KeyValuePair<string, string>>(); foreach (var item in sec.Value) { var value = kv.GetSecretAsync(item.Id).GetAwaiter().GetResult().Value; Util.EncryptSecret.Add(new KeyValuePair<string, string>(item.Identifier.Name, value)); } }
public static string GetConnString() { var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(KeyVaultUtil.GetToken)); string conn = kv.GetSecretAsync(WebConfigurationManager.AppSettings["SecretUri"]).Result.Value; return conn; }
/// <summary> /// Loads all secrets which are delimited by : so that they can be retrieved by the config system /// Since KeyVault does not allow : as delimiters in the share secret name, the actual name is not used as key for configuration. /// The Tag property is used instead /// The tag should always be of the form "ConfigKey"="ParentKey1:Child1:.." /// </summary> /// <param name="token"></param> /// <returns></returns> private async Task LoadAsync(CancellationToken token) { string password; var cert = CertificateUtility.FindCertificateByThumbprint(_storeName, _storeLocation, _certificateThumbprint, _validateCertificate); var certBytes = CertificateUtility.ExportCertificateWithPrivateKey(cert, out password); _assertion = new ClientAssertionCertificate(_appClientId, certBytes, password); Data = new Dictionary<string, string>(); // This returns a list of identifiers which are uris to the secret, you need to use the identifier to get the actual secrets again. var kvClient = new KeyVaultClient(GetTokenAsync); var secretsResponseList = await kvClient.GetSecretsAsync(_vault, MaxSecrets, token); foreach (var secretItem in secretsResponseList.Value ?? new List<SecretItem>()) { //The actual config key is stored in a tag with the Key "ConfigKey" since : is not supported in a shared secret name by KeyVault if (secretItem.Tags != null && secretItem.Tags.ContainsKey(ConfigKey)) { var secret = await kvClient.GetSecretAsync(secretItem.Id, token); Data.Add(secret.Tags[ConfigKey], secret.Value); } } }
private static void HandleCertificateOperations(Options options, AuthenticationContext authContext, AuthenticationResult token) { using (var client = new KeyVaultManagementClient(new TokenCloudCredentials(options.SubscriptionId, token.AccessToken))) { if (!string.IsNullOrEmpty(options.ResourceGroup)) { if (!string.IsNullOrEmpty(options.Vault)) { var vaultInfo = client.Vaults.Get(options.ResourceGroup, options.Vault); var vaultToken = authContext.AcquireToken("https://vault.azure.net", "1950a258-227b-4e31-a9cf-717495945fc2", new Uri("urn:ietf:wg:oauth:2.0:oob")); var keyvaultClient = new KeyVaultClient((_, b, c) => Task.FromResult(vaultToken.AccessToken)); if (!string.IsNullOrEmpty(options.ExportCert)) { var secret = keyvaultClient.GetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.ExportCert).GetAwaiter().GetResult(); var cert = new X509Certificate2(Convert.FromBase64String(secret.Value), new SecureString(), X509KeyStorageFlags.Exportable); File.WriteAllBytes(options.Out, cert.Export(X509ContentType.Pfx)); } if (!string.IsNullOrEmpty(options.Encrypt)) { var secret = keyvaultClient.GetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.CertificateName).GetAwaiter().GetResult(); var cert = new X509Certificate2(Convert.FromBase64String(secret.Value)); byte[] encoded = System.Text.UTF8Encoding.UTF8.GetBytes(options.Encrypt); var content = new ContentInfo(encoded); var env = new EnvelopedCms(content); env.Encrypt(new CmsRecipient(cert)); string encrypted64 = Convert.ToBase64String(env.Encode()); Console.WriteLine("Encrypting: {0}", options.Encrypt); Console.WriteLine("Encrypted Base64 String: {0}", encrypted64); } if (!string.IsNullOrEmpty(options.Decrypt)) { var secret = keyvaultClient.GetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.CertificateName).GetAwaiter().GetResult(); var cert = new X509Certificate2(Convert.FromBase64String(secret.Value)); var encryptedBytes = Convert.FromBase64String(options.Decrypt); var envelope = new EnvelopedCms(); envelope.Decode(encryptedBytes); envelope.Decrypt(new X509Certificate2Collection(cert)); Console.WriteLine("Decrypting: {0}", options.Decrypt); Console.WriteLine("Decrypted String: {0}", Encoding.UTF8.GetString(envelope.ContentInfo.Content)); } if (options.MakeCert) { var cert = Convert.ToBase64String(Certificate.CreateSelfSignCertificatePfx(string.Format("CN={0}", options.CertificateName), DateTime.UtcNow, DateTime.UtcNow.AddYears(2))); var cert1 = new X509Certificate2(Convert.FromBase64String(cert)); var secrets = keyvaultClient.GetSecretsAsync(vaultInfo.Vault.Properties.VaultUri).GetAwaiter().GetResult(); if (secrets.Value == null || !secrets.Value.Any(s => s.Id == vaultInfo.Vault.Properties.VaultUri + "secrets/" + options.CertificateName)) { Console.WriteLine( JsonConvert.SerializeObject(keyvaultClient.SetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.CertificateName, cert, null, "application/pkcs12").GetAwaiter().GetResult() , Formatting.Indented)); } } } } } }