
Question ASP.NET Core and User Secrets in Production

Paul Hermans

Basic Pleskian
When you develop an application with ASP.NET Core you often need to store secrets (like API keys, for example).

Right now it is common practice to put secrets in a configuration file like appsettings.json.

But Microsoft says the following in the docs: Safe storage of app secrets in development in ASP.NET Core

"secrets should be made available in the production environment through a controlled means like environment variables, Azure Key Vault, etc"

Is there any way we can manage these "environment variables" via Plesk?
 
I have just set this up. Here's what I did:
  1. Created my key vault in Azure and put some secrets in it.
  2. Restricted access to the key vault to known IP addresses, assigned access to my local IP and the IP address of the Plesk server.
  3. Then created a service principal in AAD and created a key.
  4. Then assigned it permissions on the key vault using the following PowerShell script:
    Login-AzureRmAccount
    Set-AzureRmContext -SubscriptionId "<sub id>"
    Set-AzureRmKeyVaultAccessPolicy -VaultName '<key vault name>' -ServicePrincipalName '<sp id>' -PermissionsToSecrets all -ResourceGroupName '<resource group>'
  5. Finally access the key vault in your code using your service principal app ID and key.
I would have preferred not to access using the service principal key, since this has to be present in the code. I couldn't find any secret storage in Plesk for storing the key. I tried to do it using a cert, since Azure Key Vault allows access using a cert that's associated with the service principal instead of the key; however, Plesk and Azure Key Vault use certs in different formats: Azure Key Vault uses pfx whereas Plesk expects crt. One can be converted to the other using OpenSSL, but you would have to include this in your code as well and I didn't want to go that far. But since we are restricting access to known IPs, I think this is secure enough, but I am open to other suggestions.
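
Step 5 with the service principal key read from configuration instead of source code, as an added example that is not code from this thread. It assumes ASP.NET Core 6+ with the current Azure SDK packages and a host that can supply environment variables to the app, which this thread does not confirm for Plesk; all setting and secret names are hypothetical.

```csharp
// Program.cs, ASP.NET Core 6+ minimal hosting (added example, not from this thread).
// Packages: Azure.Identity, Azure.Extensions.AspNetCore.Configuration.Secrets
using System;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;

var builder = WebApplication.CreateBuilder(args);

// CreateBuilder already loads environment variables into configuration;
// "__" in a variable name maps to ":" (KeyVault__ClientSecret -> KeyVault:ClientSecret).
// All four setting names below are hypothetical.
string Require(string key)
{
    var value = builder.Configuration[key];
    if (string.IsNullOrWhiteSpace(value))
    {
        // Fail closed at startup and name only the key, never a value.
        throw new InvalidOperationException($"Required setting '{key}' is not set.");
    }
    return value;
}

var vaultUri     = new Uri(Require("KeyVault:Uri"));
var tenantId     = Require("KeyVault:TenantId");
var clientId     = Require("KeyVault:ClientId");      // service principal app ID
var clientSecret = Require("KeyVault:ClientSecret");  // service principal key

// Authenticate as the service principal and merge the vault's secrets into
// configuration, so the rest of the app reads them like any other setting.
var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
builder.Configuration.AddAzureKeyVault(vaultUri, credential);

var app = builder.Build();

// "ApiKey" is a hypothetical secret name in the vault. Report presence only.
app.MapGet("/secret-check", (IConfiguration cfg) =>
    string.IsNullOrEmpty(cfg["ApiKey"]) ? "ApiKey missing" : "ApiKey loaded");

app.Run();
```

Loading secrets through this configuration provider needs only the get and list permissions on secrets for the service principal.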
 