//GetSettingFromKeyVault
public static string GetValueFomKeyVault(string Key)
{
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken));
string keyVaultURL = GetValue(Key);
var connStr = (kv.GetSecretAsync(keyVaultURL)).GetAwaiter().GetResult().Value;
string s = connStr.ToString();
return s;
}
static void KeyVaultSecretsDemo()
{
// Use Key for authorization AccessToken
var keyVaultClient = new KeyVaultClient(GetAccessToken, new HttpClient());
// Use Certificate for authorization AccessToken
// var keyVaultClient = new KeyVaultClient(GetAccessCertificateToken, new HttpClient());
var keyVaultAddress = ConfigurationManager.AppSettings["VaultUrl"];
// Get connection string without password
var connectionString = keyVaultClient.GetSecretAsync(keyVaultAddress, "ConnectionStringsWilco").GetAwaiter().GetResult();
var builder = new SqlConnectionStringBuilder(connectionString.Value);
// Get password
var password = keyVaultClient.GetSecretAsync(keyVaultAddress, "SqlPasswordWilco").GetAwaiter().GetResult();
// Convert password to SecureString. 'password.Value' object still keeps it in plain text. Hopefuly this is the only reference.
// The reason to keep password out of connection string is to minimize number of it's instances in managed heap.
var securePassword = new SecureString();
foreach (char c in password.Value)
{
securePassword.AppendChar(c);
}
securePassword.MakeReadOnly();
// Allow GC to collect it
password = null;
// Keep connection in SqlCredential. When connection goes to pool or paged to disk credentials are not exposed.
var credentials = new SqlCredential(builder.UserID, securePassword);
builder.UserID = string.Empty; // Need to clen up user id as SqlCredential won't attach to sql connection
// Put connection string and credentials in cache. We don't want to fetch connection string each time from KV.
// Remove callback policy is designed to dispose objects. In case of SecureString it should be packed with '0'oz.
MemoryCache.Default.Add("ConnectionStringsWilco", builder.ConnectionString, new CacheItemPolicy { RemovedCallback = DisposePolicyRemovedCallback });
MemoryCache.Default.Add("SqlCredentialsWilco", credentials, new CacheItemPolicy { RemovedCallback = DisposePolicyRemovedCallback });
BusinessOperation();
Console.ReadLine();
}
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
GlobalConfiguration.Configure(WebApiConfig.Register);
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
try
{
// I put my GetToken method in a Utils class. Change for wherever you placed your method.
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(AuthHelper.GetToken));
var cosmosConnectionString = kv.GetSecretAsync(WebConfigurationManager.AppSettings["raven-cosmosdb-connectionstring"]).GetAwaiter().GetResult();
var cosmosKey = kv.GetSecretAsync(WebConfigurationManager.AppSettings["raven-cosmosdb-key"]).GetAwaiter().GetResult();
//I put a variable in a Utils class to hold the secret for general application use.
AuthHelper.CosmosConnectionString = cosmosConnectionString.Value;
AuthHelper.CosmosKey = cosmosKey.Value;
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}
}
public async Task <X509Certificate2> GetCertificateAsync(string keyVaultAddress, string certificateName)
{
var tokenProvider = new AzureServiceTokenProvider();
using (var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback)))
{
var secretBundle = await client.GetSecretAsync(keyVaultAddress, certificateName);
var privateKeyBytes = Convert.FromBase64String(secretBundle.Value);
var cert = new X509Certificate2(privateKeyBytes, (string)null, X509KeyStorageFlags.MachineKeySet);
return(cert);
}
}
private async Task <SearchIndexClient> CreateSearchIndexClientAsync(string indexName)
{
string searchServiceName = ConfigurationManager.AppSettings["ServiceName"];
//string queryApiKey = ConfigurationManager.AppSettings["SearchApiKey"];
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(SimpleAzureSearch.Utils.TokenObtainer.GetToken));
var queryApiKeySecret = await kv.GetSecretAsync(WebConfigurationManager.AppSettings["SecretUri"]);
string queryApiKey = queryApiKeySecret.Value;
SearchIndexClient indexClient = new SearchIndexClient(searchServiceName, indexName, new SearchCredentials(queryApiKey));
return(indexClient);
}
private async Task <X509Certificate2> GetCertificateAsync()
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync("https://evoting-keys.vault.azure.net/secrets/certificate-base64/d471eebb69b94aae967136e6b2d37b82").ConfigureAwait(false);
var pfxBase64 = secret.Value;
var bytes = Convert.FromBase64String(pfxBase64);
var coll = new X509Certificate2Collection();
coll.Import(bytes, "QEk5$s2PrRcZrj4xHb", X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet);
return(coll[0]);
}
private async Task GitSetupAsync()
{
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
SecretBundle secretBundle = await keyVaultClient.GetSecretAsync(_secretUri).ConfigureAwait(false);
var productInformation = new ProductHeaderValue("MLGitHubLabeler");
_client = new GitHubClient(productInformation)
{
Credentials = new Credentials(secretBundle.Value)
};
}
public static async Task <string> GetSecret(string KeyVaultName, string secretName)
{
//string token = KeyVaultHelper.getToken();
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
//For Microsoft Azure Government Key Vaults, use the following URL: *.vault.usgovcloudapi.net
//var secret = await keyVaultClient.GetSecretAsync($"https://{KeyVaultName}.vault.usgovcloudapi.net/secrets/{secretName}");
var secret = await keyVaultClient.GetSecretAsync($"https://{KeyVaultName}.vault.azure.net/secrets/{secretName}");
return(secret.Value);
}
public async Task <string> GetSecret(string key)
{
string url = "https://abootkakv.vault.azure.net/secrets/";
url = url + key;
// Create KeyVaultClient with vault credentials
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAzureKeyVaultAccessToken));
// Get a SAS token for our storage from Key Vault
var sasToken = await kv.GetSecretAsync(url);
return(sasToken.Value);
}
public void Configuration(IAppBuilder app)
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(async(authority, resource, scope) =>
await azureServiceTokenProvider.GetAccessTokenAsync(resource));
var secret = keyVaultClient.GetSecretAsync("https://veracitydevdaydemo.vault.azure.net/",
"Veracity1--ClientSecret").Result;
var subscriptionKey = keyVaultClient
.GetSecretAsync("https://veracitydevdaydemo.vault.azure.net/", "Veracity--SubscriptionKey").Result;
app.UseCookieAuthentication(new CookieAuthenticationOptions {
CookieName = "a.c"
}); //set auth cookie
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType); //set default auth type
//configure veracity auth
app.UseVeracityAuthentication(new TokenProviderConfiguration
{
ClientSecret = secret.Value,
SubscriptionKey = subscriptionKey.Value
}) //Add Azure Ad B2C authentication and access token cache
.UseTokenCache(CacheFactoryFunc); //add access token cache and set cache strategy
}
static void Main(string[] args)
{
var secretUri = "https://intellipatvault.vault.azure.net/secrets/ConnectionString";
//KeyVaultClient client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken));
//var secret = client.GetSecretAsync(secretUri).ConfigureAwait(false).GetAwaiter().GetResult();
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var client1 = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret1 = client1.GetSecretAsync(secretUri).ConfigureAwait(false).GetAwaiter().GetResult();
Console.WriteLine(secret1.Value);
//GetAccessToken().GetAwaiter().GetResult();
}
private async Task <SecretBundle> GetDBHost(KeyVaultClient vaultClient)
{
Console.WriteLine("Get Host Secret");
try {
return(await vaultClient.GetSecretAsync("https://polyportdemo.vault.azure.net/secrets/cosmosDBHostname/bbdd4312f4ec4cd0ba8c380991a81a61")
.ConfigureAwait(false));
}
catch (KeyVaultErrorException keyVaultException)
{
Console.WriteLine(keyVaultException.Message);
return(null);
}
}
public static async Task <string> GetKeyVaultSecret(string KeyVaultClientId, string KeyVaultClientSecret, string keyVaultSecret)
{
KeyVaultClient keyClient = new KeyVaultClient(async(authority, resource, scope) =>
{
var adCredential = new ClientCredential(KeyVaultClientId, KeyVaultClientSecret);
var authenticationContext = new AuthenticationContext(authority, null);
return((await authenticationContext.AcquireTokenAsync(resource, adCredential)).AccessToken);
});
var secret = await keyClient.GetSecretAsync("https://biztalktoazurepoc.vault.azure.net/" + "secrets/" + keyVaultSecret);
return(secret.Value);
}
public async Task <string> GetSecretAsync(string secretName)
{
if (string.IsNullOrEmpty(secretName))
{
throw new ArgumentNullException("secretName");
}
string fixedSecretName = FixSecretName(secretName);
var secret = await _keyVaultClient.GetSecretAsync(_keyVaultUrl, fixedSecretName).ConfigureAwait(false);
return(secret.Value);
}
private async Task <X509Certificate2> GetCertificateAsync(string identitifier, KeyVaultClient keyVaultClient)
{
var certificateVersionBundle = await keyVaultClient.GetCertificateAsync(identitifier);
var certificatePrivateKeySecretBundle =
await keyVaultClient.GetSecretAsync(certificateVersionBundle.SecretIdentifier.Identifier);
var privateKeyBytes = Convert.FromBase64String(certificatePrivateKeySecretBundle.Value);
var certificateWithPrivateKey =
new X509Certificate2(privateKeyBytes, (string)null, X509KeyStorageFlags.MachineKeySet);
return(certificateWithPrivateKey);
}
public static string GetKeyVaultSecretValue(string ExtCertKey, TraceWriter log)
{
// This is the part where I grab the secret.
var azureServiceTokenProvider = new AzureServiceTokenProvider();
using (var keyClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)))
{
string keyVaultSecretUri = string.Format("https://{0}.vault.azure.net/secrets/{1}/", Helpers.GetEnvironmentVariable("KeyVaultName"), ExtCertKey);
string secretvalue = keyClient.GetSecretAsync(keyVaultSecretUri).Result.Value;
log.Info("Get the value from Key Vault: " + keyVaultSecretUri);
return(secretvalue);
}
}
/// <summary>
/// Load configuration from environment properties and keyvault
/// </summary>
/// <returns>Task of async operation</returns>
public async Task LoadConfigurationAsync()
{
// this value is set by ARM deployment script
this.FrontDoorHostName = Environment.GetEnvironmentVariable(this.FrontDoorHostNameKeyName);
if (this.FrontDoorHostName == null)
{
throw new Exception($"Function config does not have {this.FrontDoorHostNameKeyName} value");
}
// All keyvault secrets are set by ARM deployment script
var azureServiceTokenProvider = new AzureServiceTokenProvider();
using var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync($"https://{this.keyVaultName}.vault.azure.net/secrets/AMSConfiguration").ConfigureAwait(false);
var amsConfigurationList = JsonConvert.DeserializeObject <List <MediaServiceConfigurationModel> >(secret.Value);
this.MediaServiceInstanceConfiguration = amsConfigurationList.ToDictionary(i => i.AccountName);
secret = await keyVaultClient.GetSecretAsync($"https://{this.keyVaultName}.vault.azure.net/secrets/StorageAccountConnectionString").ConfigureAwait(false);
this.StorageAccountConnectionString = secret.Value;
secret = await keyVaultClient.GetSecretAsync($"https://{this.keyVaultName}.vault.azure.net/secrets/TableStorageAccountConnectionString").ConfigureAwait(false);
this.TableStorageAccountConnectionString = secret.Value;
foreach (var configuration in this.MediaServiceInstanceConfiguration)
{
secret = await keyVaultClient.GetSecretAsync($"https://{this.keyVaultName}.vault.azure.net/secrets/AMSStorageAccountConnectionString-{configuration.Value.AccountName}").ConfigureAwait(false);
this.MediaServiceInstanceStorageAccountConnectionStrings.Add(configuration.Value.AccountName, secret.Value);
}
secret = await keyVaultClient.GetSecretAsync($"https://{this.keyVaultName}.vault.azure.net/secrets/ClearKeyStreamingKey").ConfigureAwait(false);
this.clearKeyStreamingKey = Convert.FromBase64String(secret.Value);
}
/// <summary>
/// Gets the secret from the Key Vault using the identifier.
/// </summary>
public async Task <Secret> GetSecret(string identifier)
{
string secretIdentifier = $"https://{KeyVaultName}.{keyVaultDnsSuffix}/secrets/{identifier}";
try
{
return(await client.GetSecretAsync(secretIdentifier));
}
catch (Exception ex)
{
throw new Exception($"Unable to retreive secret identifier '{secretIdentifier}' from Key Vault '{KeyVaultName}'. Error: {ex.Message}");
}
}
public async Task <X509Certificate2> GetX509Certificate2Async(string keyVaultSecretIdentifier)
{
var secret = await _keyVaultClient.GetSecretAsync(keyVaultSecretIdentifier).ConfigureAwait(false);
if (secret.ContentType != CertificateContentType)
{
throw new ArgumentException($"This certificate must be of type {CertificateContentType}");
}
var certificateBytes = Convert.FromBase64String(secret.Value);
return(GetX509Certificate2(certificateBytes));
}
private async Task <string> ReadSecretFromKeyVault()
{
// ReSharper disable once UnusedVariable
var connectionStringInternalUsedByAzureServiceTokenProvider = Environment.GetEnvironmentVariable("AzureServicesAuthConnectionString");
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
string vaultName = "NoSecrets-Vault01";
string secret = "MySecret";
var secretBundle = await keyVaultClient.GetSecretAsync($"https://{vaultName}.vault.azure.net/secrets/{secret}").ConfigureAwait(false);
return(secretBundle.Value);
}
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(EncryptionHelper.GetToken));
var sec = kv.GetSecretAsync(ConfigReader.GetApplicationString("SecretUri"));
//I put a variable in a Utils class to hold the secret for general application use.
EncryptionHelper.EncryptSecret = sec.Result.Value;
}
public string GetKeyVaultValue(string keyname)
{
GetAppCert();
var keyvaultclient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken));
var task = new TaskFactory(
CancellationToken.None,
TaskCreationOptions.None,
TaskContinuationOptions.None,
TaskScheduler.Default
).StartNew <Task <SecretBundle> >(() => keyvaultclient.GetSecretAsync(keyname)).Unwrap().GetAwaiter().GetResult();
return(task.Value);
}
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(KeyVaultHelper.GetToken));
var task = kv.GetSecretAsync(WebConfigurationManager.AppSettings["connectionString"]);
task.Wait();
KeyVaultHelper.connectionStringSecret = task.Result.Value;
}
public async Task <string> GetSecretAsync()
{
AzureServiceTokenProvider azureServiceTokenProvider =
new AzureServiceTokenProvider();
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
string secretUriSettings = "";
SecretBundle secret;
if (!String.IsNullOrEmpty(secretUriSettings))
{
secret = await kv.GetSecretAsync(secretUriSettings).ConfigureAwait(false);
}
else
{
secret = await kv.GetSecretAsync(secretURI).ConfigureAwait(false);
}
return(secret.Value);
}
public async Task <string> GetSecretAsync(string secretName)
{
try
{
var bundle = await KeyVaultClient.GetSecretAsync(VaultAddress, secretName);
return(bundle.Value);
}
catch (KeyVaultErrorException)
{
return(string.Empty);
}
}
private async Task <SecretBundle> GetSecret(string secretName)
{
var builder = new ConfigurationBuilder()
.SetBasePath(Directory.GetCurrentDirectory())
.AddJsonFile("appsettings.json", optional: true, reloadOnChange: true);
IConfigurationRoot configuration = builder.Build();
var keyvault = configuration.GetConnectionString("Keyvault");
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
return(await keyVaultClient.GetSecretAsync($"{keyvault}{secretName}").ConfigureAwait(false));
}
static public async Task GetSecret()
{
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync(keyvaultURI)
.ConfigureAwait(false);
Console.WriteLine(secret.Value);
Console.ReadKey();
}
async protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
GlobalConfiguration.Configure(WebApiConfig.Register);
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(Util.GetToken));
var sec = await kv.GetSecretAsync(WebConfigurationManager.AppSettings["SecretUri"]);
Util.EncryptSecret = sec.Value;
}
public async Task <string> GetSecret(string keyName)
{
try
{
var secret = await keyVaultClient.GetSecretAsync($"{KeyVaultUrl}/secrets/" + keyName).ConfigureAwait(false);
return(secret.Value);
}
catch (Exception)
{
return(string.Empty);
}
}
public async Task <string> GetSecretValue(string keyName)
{
string secret = "";
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
//slow without ConfigureAwait(false)
//keyvault should be keyvault DNS Name
var secretBundle = await keyVaultClient.GetSecretAsync(Environment.GetEnvironmentVariable("keyvault") + keyName).ConfigureAwait(false);
secret = secretBundle.Value;
Console.WriteLine(secret);
return(secret);
}
public async Task OnGetAsync()
{
Message = "Your application description page.";
int retries = 0;
bool retry = false;
try
{
/* The below 4 lines of code shows you how to use AppAuthentication library to fetch secrets from your Key Vault*/
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync("https://<yourkvreprohere>.vault.azure.net/secrets/<yourkvreprohere>/secretValue")
.ConfigureAwait(false);
Message = secret.Value;
/* The below do while logic is to handle throttling errors thrown by Azure Key Vault. It shows how to do exponential backoff which is the recommended client side throttling*/
do
{
long waitTime = Math.Min(getWaitTime(retries), 2000000);
secret = await keyVaultClient.GetSecretAsync("https://<yourkvreprohere>.vault.azure.net/secrets/<yourkvreprohere>/secretValue")
.ConfigureAwait(false);
retry = false;
}while (retry && (retries++ < 10));
}
/// <exception cref="KeyVaultErrorException">
/// Thrown when the operation returned an invalid status code
/// </exception>
catch (KeyVaultErrorException keyVaultException)
{
Message = keyVaultException.Message;
if ((int)keyVaultException.Response.StatusCode == 429)
{
retry = true;
}
}
}
public ActionResult Index()
{
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(PiUiUtil.GetTokenForCurrentApplication));
string piStorageAccountName = kv.GetSecretAsync(CloudConfigurationManager.GetSetting("piStorageAccountName_KvUri")).Result.Value;
string piStorageAccountSecretKey = kv.GetSecretAsync(CloudConfigurationManager.GetSetting("piStorageAccountSecretKey_KvUri")).Result.Value;
string piStorageAccountCameraContainerName = kv.GetSecretAsync(CloudConfigurationManager.GetSetting("piStorageAccountCameraContainerName_KvUri")).Result.Value;
string piStorageAccountCameraStillImagesQueueName = kv.GetSecretAsync(CloudConfigurationManager.GetSetting("piStorageAccountCameraStillImagesQueueName_KvUri")).Result.Value;
string storageConnection = String.Format("DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1}", piStorageAccountName, piStorageAccountSecretKey);
CloudStorageAccount storageAccount = CloudStorageAccount.Parse(storageConnection);
CloudQueueClient queueClient = storageAccount.CreateCloudQueueClient();
CloudQueue queue = queueClient.GetQueueReference(piStorageAccountCameraStillImagesQueueName);
queue.EncodeMessage = true;
// Peek at the next message
CloudQueueMessage message = queue.GetMessage();
// Display message.
Console.WriteLine();
// Create the blob client.
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
// Retrieve reference to a previously created container.
CloudBlobContainer container = blobClient.GetContainerReference(piStorageAccountCameraContainerName);
// Retrieve reference to a blob ie "picture.jpg".
CloudBlockBlob blockBlob = container.GetBlockBlobReference(message.AsString);
//------
var newUri = new Uri(blockBlob.Uri.AbsoluteUri);
ViewBag.ImageUri = newUri;
return(View());
}
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
// I put my GetToken method in a Utils class. Change for wherever you placed your method.
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(Utils.GetToken));
var sec = kv.GetSecretAsync(WebConfigurationManager.AppSettings["SecretUri"]).Result.Value;
//I put a variable in a Utils class to hold the secret for general application use.
Utils.EncryptSecret = sec;
}
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
// I put my GetToken method in a Utils class. Change for wherever you placed your method.
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(Util.GetToken));
var sec = kv.GetSecretsAsync(WebConfigurationManager.AppSettings["VaultUri"]).GetAwaiter().GetResult();
//I put a variable in a Utils class to hold the secret for general application use.
Util.EncryptSecret = new List<KeyValuePair<string, string>>();
foreach (var item in sec.Value)
{
var value = kv.GetSecretAsync(item.Id).GetAwaiter().GetResult().Value;
Util.EncryptSecret.Add(new KeyValuePair<string, string>(item.Identifier.Name, value));
}
}
public static string GetConnString()
{
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(KeyVaultUtil.GetToken));
string conn = kv.GetSecretAsync(WebConfigurationManager.AppSettings["SecretUri"]).Result.Value;
return conn;
}
/// <summary>
/// Loads all secrets which are delimited by : so that they can be retrieved by the config system
/// Since KeyVault does not allow : as delimiters in the share secret name, the actual name is not used as key for configuration.
/// The Tag property is used instead
/// The tag should always be of the form "ConfigKey"="ParentKey1:Child1:.."
/// </summary>
/// <param name="token"></param>
/// <returns></returns>
private async Task LoadAsync(CancellationToken token)
{
string password;
var cert = CertificateUtility.FindCertificateByThumbprint(_storeName, _storeLocation, _certificateThumbprint, _validateCertificate);
var certBytes = CertificateUtility.ExportCertificateWithPrivateKey(cert, out password);
_assertion = new ClientAssertionCertificate(_appClientId, certBytes, password);
Data = new Dictionary<string, string>();
// This returns a list of identifiers which are uris to the secret, you need to use the identifier to get the actual secrets again.
var kvClient = new KeyVaultClient(GetTokenAsync);
var secretsResponseList = await kvClient.GetSecretsAsync(_vault, MaxSecrets, token);
foreach (var secretItem in secretsResponseList.Value ?? new List<SecretItem>())
{
//The actual config key is stored in a tag with the Key "ConfigKey" since : is not supported in a shared secret name by KeyVault
if (secretItem.Tags != null && secretItem.Tags.ContainsKey(ConfigKey))
{
var secret = await kvClient.GetSecretAsync(secretItem.Id, token);
Data.Add(secret.Tags[ConfigKey], secret.Value);
}
}
}
private static void HandleCertificateOperations(Options options, AuthenticationContext authContext, AuthenticationResult token)
{
using (var client = new KeyVaultManagementClient(new TokenCloudCredentials(options.SubscriptionId, token.AccessToken)))
{
if (!string.IsNullOrEmpty(options.ResourceGroup))
{
if (!string.IsNullOrEmpty(options.Vault))
{
var vaultInfo = client.Vaults.Get(options.ResourceGroup, options.Vault);
var vaultToken = authContext.AcquireToken("https://vault.azure.net", "1950a258-227b-4e31-a9cf-717495945fc2", new Uri("urn:ietf:wg:oauth:2.0:oob"));
var keyvaultClient = new KeyVaultClient((_, b, c) => Task.FromResult(vaultToken.AccessToken));
if (!string.IsNullOrEmpty(options.ExportCert))
{
var secret = keyvaultClient.GetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.ExportCert).GetAwaiter().GetResult();
var cert = new X509Certificate2(Convert.FromBase64String(secret.Value), new SecureString(), X509KeyStorageFlags.Exportable);
File.WriteAllBytes(options.Out, cert.Export(X509ContentType.Pfx));
}
if (!string.IsNullOrEmpty(options.Encrypt))
{
var secret = keyvaultClient.GetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.CertificateName).GetAwaiter().GetResult();
var cert = new X509Certificate2(Convert.FromBase64String(secret.Value));
byte[] encoded = System.Text.UTF8Encoding.UTF8.GetBytes(options.Encrypt);
var content = new ContentInfo(encoded);
var env = new EnvelopedCms(content);
env.Encrypt(new CmsRecipient(cert));
string encrypted64 = Convert.ToBase64String(env.Encode());
Console.WriteLine("Encrypting: {0}", options.Encrypt);
Console.WriteLine("Encrypted Base64 String: {0}", encrypted64);
}
if (!string.IsNullOrEmpty(options.Decrypt))
{
var secret = keyvaultClient.GetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.CertificateName).GetAwaiter().GetResult();
var cert = new X509Certificate2(Convert.FromBase64String(secret.Value));
var encryptedBytes = Convert.FromBase64String(options.Decrypt);
var envelope = new EnvelopedCms();
envelope.Decode(encryptedBytes);
envelope.Decrypt(new X509Certificate2Collection(cert));
Console.WriteLine("Decrypting: {0}", options.Decrypt);
Console.WriteLine("Decrypted String: {0}", Encoding.UTF8.GetString(envelope.ContentInfo.Content));
}
if (options.MakeCert)
{
var cert = Convert.ToBase64String(Certificate.CreateSelfSignCertificatePfx(string.Format("CN={0}", options.CertificateName), DateTime.UtcNow, DateTime.UtcNow.AddYears(2)));
var cert1 = new X509Certificate2(Convert.FromBase64String(cert));
var secrets = keyvaultClient.GetSecretsAsync(vaultInfo.Vault.Properties.VaultUri).GetAwaiter().GetResult();
if (secrets.Value == null || !secrets.Value.Any(s => s.Id == vaultInfo.Vault.Properties.VaultUri + "secrets/" + options.CertificateName))
{
Console.WriteLine(
JsonConvert.SerializeObject(keyvaultClient.SetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.CertificateName, cert, null, "application/pkcs12").GetAwaiter().GetResult()
, Formatting.Indented));
}
}
}
}
}
}
