Exercise 3: Migrating to Azure Key Vault

In this exercise, attendees will learn how to migrate a web application to use Azure Key Vault rather than storing valuable credentials (such as connection strings) in application configuration files.

Task 1: Create an Azure Key Vault secret

  1. From the extracted GitHub directory, open the Hands-on lab\WebApp\InsuranceAPI_KeyVault\InsuranceAPI.sln solution.

Note: Be sure you open the correct solution (there are two).

  1. Switch to your Azure Portal.
  2. Select Key Vaults, then select your Azure Key Vault.
  3. Select Secrets, then select +Generate/Import.
  4. For the Upload Options, select Manual.
  5. For the Name, enter InsuranceAPI.
  6. For the Value, copy the connection string information from the InsuranceAPI solution web.config file in Exercise 2.
  7. Select Create.
  8. Select Secrets.
  9. Select InsuranceAPI.
  10. Select the current version.
  11. Copy and record the secret identifier URL for later use.

Task 2: Create an Azure Active Directory application

  1. In the Azure Portal, select Azure Active Directory, then select App Registrations.
  2. Select + New application registration.
  3. For the name, type AzureKeyVaultTest.
  4. For the Sign-on URL, type http://localhost:12345.
  5. Select Create.
  6. Select the new AzureKeyVaultTest application.
  7. Copy and record the Application ID for later use.
  8. Select Settings.
  9. Select Keys.
  10. For the description, enter InsuranceAPI.
  11. For the Expires, select In 1 year.
  12. Select Save.
  13. Copy and record the key value for later use.

Task 3: Assign Azure Active Directory application permissions

  1. Switch back to Azure Portal and select your Azure Key Vault.
  2. Select Access Policies.
  3. Select + Add New.
  4. Select Select principal, type AzureKeyVaultTest.
  5. Select the application service principal, select Select.
  6. Select the Secret permissions drop-down, check the Get and List permissions.
  7. Select OK.
  8. Select Save.

Task 4: Install or verify NuGet Package

  1. Switch to Visual Studio.
  2. In the menu, select View->Other Windows->Package Manager Console.
  3. In the new window that opens, run the following commands:
     a. Install-Package Microsoft.CodeDom.Providers.DotNetCompilerPlatform
     b. Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.16.204221202
     c. Install-Package Microsoft.Azure.KeyVault

Note: These already exist in the project but are provided as a reference.

  1. From Solution Explorer, double-click the web.config file to open it. Notice that the appSettings section has some token values.
  2. Replace the ClientId and ClientSecret with the values from Task 2.
  3. Replace the SecretUri with the Azure Key Vault secret key Uri from Task 1.
  4. Save the file.

Task 5: Test the solution

  1. Open the web.config, and comment out or delete the connectionString from the file at line 78.
  2. Open the global.asax.cs file, and place a break point at line 28.

Note: This code makes a call to get an accessToken as the application you set up above, then makes a call to the Azure Key Vault using that accessToken.

  1. Run the solution, and press F5. You should see that you execute a call to Azure Key Vault and get back the secret (which in this case is the connection string to the Azure Database).
  2. Press F5, and navigate to http://localhost:portno/api/Users; you should get an error. Because you encrypted the column in the previous exercise, Entity Framework is not able to retrieve the value. To handle the encrypted column, you would need to add the AzureKeyVaultProvider for Entity Framework reference to the project, register the provider code so that .NET can decrypt the column, and add “Column Encryption Setting=Enabled” to the connection string.
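The following is an added example, not the lab's own Global.asax.cs or web.config code. It shows the two pieces Tasks 4 and 5 describe in one place: the ADAL client-credential call that obtains an access token as the AzureKeyVaultTest application, and the Key Vault call that fetches the InsuranceAPI secret by the identifier URL recorded in Task 1, so the connection string only ever lives in memory and the connectionString entry can stay out of web.config. It assumes the appSettings keys the lab names (ClientId, ClientSecret, SecretUri), the class and method names are hypothetical, and the library calls follow the Microsoft.IdentityModel.Clients.ActiveDirectory and Microsoft.Azure.KeyVault APIs used in Microsoft's Key Vault samples. The last two methods sketch the follow-up the final step mentions (registering the Azure Key Vault column encryption key store provider and enabling column encryption on the connection string); they assume the Microsoft.SqlServer.Management.AlwaysEncrypted.AzureKeyVaultProvider package, which is not installed by Task 4.

```csharp
// Added example (not the lab's code). Assumes web.config appSettings keys
// ClientId, ClientSecret and SecretUri, as set in Task 4.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.SqlServer.Management.AlwaysEncrypted.AzureKeyVaultProvider;

namespace InsuranceAPI
{
    // Hypothetical helper; the lab's own code does this inline in Global.asax.cs.
    public static class KeyVaultConfig
    {
        // Held in memory only; nothing is written back to web.config.
        public static string ConnectionString { get; private set; }

        // ADAL client-credential flow: the app registration's ClientId/ClientSecret
        // are exchanged for a token for whatever resource Key Vault requests
        // (the callback is invoked by KeyVaultClient with authority/resource/scope).
        public static async Task<string> GetToken(string authority, string resource, string scope)
        {
            var authContext = new AuthenticationContext(authority);
            var clientCred = new ClientCredential(
                ConfigurationManager.AppSettings["ClientId"],
                ConfigurationManager.AppSettings["ClientSecret"]);

            AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);
            if (result == null)
            {
                throw new InvalidOperationException("Failed to obtain an access token for Key Vault.");
            }
            return result.AccessToken;
        }

        // Fetch the InsuranceAPI secret by its versioned identifier URL (SecretUri).
        // Requires the Get permission granted to the service principal in Task 3.
        public static async Task<string> LoadConnectionStringAsync()
        {
            var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));
            var secret = await kv.GetSecretAsync(ConfigurationManager.AppSettings["SecretUri"]);
            ConnectionString = secret.Value;
            return ConnectionString;
        }

        // Follow-up for the encrypted column: register the Key Vault key store
        // provider so SqlClient can unwrap the column encryption key. SqlClient
        // allows this registration only once per process, so call it from
        // Application_Start.
        public static void RegisterAlwaysEncryptedProvider()
        {
            var provider = new SqlColumnEncryptionAzureKeyVaultProvider(GetToken);
            SqlConnection.RegisterColumnEncryptionKeyStoreProviders(
                new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>
                {
                    { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, provider }
                });
        }

        // Adds "Column Encryption Setting=Enabled" to the connection string
        // retrieved from Key Vault, without editing the stored secret.
        public static string WithColumnEncryption(string connectionString)
        {
            var builder = new SqlConnectionStringBuilder(connectionString)
            {
                ColumnEncryptionSetting = SqlConnectionColumnEncryptionSetting.Enabled
            };
            return builder.ConnectionString;
        }
    }
}
```

In Global.asax.cs the pieces would be wired up from Application_Start, for example `KeyVaultConfig.RegisterAlwaysEncryptedProvider();` followed by `var cs = KeyVaultConfig.WithColumnEncryption(KeyVaultConfig.LoadConnectionStringAsync().GetAwaiter().GetResult());`, and the resulting string handed to the Entity Framework context instead of being read from the connectionStrings section. Note that the ClientSecret in appSettings is still a credential stored in a configuration file; the lab moves the database connection string out of web.config, but the application's own Key Vault credential remains there, which is why the Task 2 key was given a one-year expiry.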