dotnet-azure-keyvault

Azure Key Vault Integration

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "dotnet-azure-keyvault" with this command: npx skills add analistadesarrollo4/skills/analistadesarrollo4-skills-dotnet-azure-keyvault

Overview

Azure Key Vault provides secure storage and management of secrets, keys, and certificates. Integration with .NET applications should use Managed Identity for authentication and follow the extension method pattern for clean configuration.

Extension Method Pattern

Create an extension method in Infrastructure/Extensions/ExtensionKeyVault.cs:

using System;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;

namespace Infrastructure.Extensions
{
    /// <summary>
    /// Extension class for configuring Azure Key Vault integration.
    /// </summary>
    public static class ExtensionKeyVault
    {
        /// <summary>
        /// Adds Azure Key Vault as a configuration source using Managed Identity.
        /// </summary>
        /// <param name="builder">The configuration builder.</param>
        /// <param name="configuration">The current configuration to read Key Vault settings.</param>
        /// <returns>The updated configuration builder.</returns>
        public static IConfigurationBuilder AddAzureKeyVault(
            this IConfigurationBuilder builder,
            IConfiguration configuration)
        {
            // Environment variables take precedence over appsettings.json values.
            var clientId = Environment.GetEnvironmentVariable("AKS_CLIENT_ID")
                ?? configuration["AzureKeyVault:AksAgentPoolClientId"];
            var keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME")
                ?? configuration["AzureKeyVault:KeyVaultName"];
            var uriTemplate = configuration["AzureKeyVault:Uri"];

            // Validate before formatting: string.Format throws on a null template,
            // and an empty vault name would produce a URI that points at no vault.
            if (string.IsNullOrEmpty(uriTemplate) || string.IsNullOrEmpty(keyVaultName))
            {
                throw new InvalidOperationException(
                    "Azure Key Vault URI is not configured");
            }

            var azureKeyVaultUri = string.Format(uriTemplate, keyVaultName);

            DefaultAzureCredentialOptions tokenOptions = new()
            {
                ManagedIdentityClientId = clientId
            };

            SecretClient client = new(
                new Uri(azureKeyVaultUri),
                new DefaultAzureCredential(tokenOptions)
            );

            // Resolves to the overload from Azure.Extensions.AspNetCore.Configuration.Secrets.
            builder.AddAzureKeyVault(client, new KeyVaultSecretManager());

            return builder;
        }
    }
}

Program.cs Configuration

Configure Azure Key Vault in Program.cs before building the configuration:

var builder = WebApplication.CreateBuilder(args);

// Add Azure Key Vault to configuration
builder.Configuration.AddAzureKeyVault(builder.Configuration);

// Continue with service configuration...

Required NuGet Packages

  • Azure.Extensions.AspNetCore.Configuration.Secrets

  • Azure.Identity

  • Azure.Security.KeyVault.Secrets

Configuration Settings (appsettings.json)

{
  "AzureKeyVault": {
    "KeyVaultName": "your-keyvault-name",
    "Uri": "https://{0}.vault.azure.net/",
    "AksAgentPoolClientId": "your-managed-identity-client-id"
  }
}

Environment Variables

These environment variables can override configuration settings:

  • AKS_CLIENT_ID: The client ID of the Managed Identity (User-Assigned)

  • KEY_VAULT_NAME: The name of the Azure Key Vault

Authentication Methods

Managed Identity (Recommended for Production)

Use Managed Identity when deployed to Azure services (AKS, App Service, Functions):

DefaultAzureCredentialOptions tokenOptions = new()
{
    ManagedIdentityClientId = clientId
};

var credential = new DefaultAzureCredential(tokenOptions);

Local Development

For local development, DefaultAzureCredential will automatically use:

  • Environment variables

  • Visual Studio authentication

  • Azure CLI authentication

  • Azure PowerShell authentication

Ensure you're logged in via Azure CLI or Visual Studio.
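One way to keep the two modes above apart, as an added example that is not part of the upstream skill: outside Development the helper returns only a ManagedIdentityCredential, so no developer-tool or environment-variable credential is ever tried in production. KeyVaultCredentialFactory and Create are hypothetical names; the user-assigned client ID is assumed to come from AKS_CLIENT_ID or configuration as shown earlier.

```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Hosting;

// Hypothetical helper (not from the upstream skill): picks the credential by
// hosting environment instead of relying on one chain everywhere.
public static class KeyVaultCredentialFactory
{
    public static TokenCredential Create(
        IHostEnvironment environment,
        string? managedIdentityClientId)
    {
        if (!environment.IsDevelopment())
        {
            // Fail closed: a missing client ID is a deployment error, not a
            // reason to fall back to some other credential source.
            if (string.IsNullOrWhiteSpace(managedIdentityClientId))
            {
                throw new InvalidOperationException(
                    "Managed Identity client ID is not configured");
            }

            // Only the user-assigned Managed Identity is used; environment
            // variables and developer tool logins are never consulted.
            return new ManagedIdentityCredential(clientId: managedIdentityClientId);
        }

        // Local development: keep the developer chain (environment variables,
        // Visual Studio, Azure CLI, Azure PowerShell) and skip the Managed
        // Identity probe, which has no endpoint on a workstation.
        return new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ExcludeManagedIdentityCredential = true
        });
    }
}
```

The returned TokenCredential can be passed to the SecretClient constructor in place of new DefaultAzureCredential(tokenOptions).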

Secret Naming Convention

Azure Key Vault secret names:

  • Use double hyphens (--) instead of colons: ConnectionStrings--DefaultConnection

  • .NET automatically converts the double hyphens to colons when reading configuration, so the secret above is read as ConnectionStrings:DefaultConnection
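The naming rule can be combined with a per-application prefix so that an application loads only its own secrets from a shared vault. The following is an added example, not code from the upstream skill; PrefixKeyVaultSecretManager, AddPrefixedKeyVault, the "orders" prefix in the comments and the 30-minute reload interval are assumptions.

```csharp
using System;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;

// Hypothetical secret manager: loads only secrets named "<prefix>-..." and
// maps the rest of the name to a configuration key.
public sealed class PrefixKeyVaultSecretManager : KeyVaultSecretManager
{
    private readonly string _prefix;

    public PrefixKeyVaultSecretManager(string prefix) => _prefix = $"{prefix}-";

    // Secrets for which this returns false are not added to configuration,
    // so another application's secrets never enter this process's config.
    public override bool Load(SecretProperties secret) =>
        base.Load(secret) &&
        secret.Name.StartsWith(_prefix, StringComparison.OrdinalIgnoreCase);

    // "orders-ConnectionStrings--DefaultConnection"
    //   becomes "ConnectionStrings:DefaultConnection"
    public override string GetKey(KeyVaultSecret secret) =>
        secret.Name[_prefix.Length..]
            .Replace("--", ConfigurationPath.KeyDelimiter);
}

public static class PrefixedKeyVaultExtensions
{
    // Hypothetical registration helper wrapping the package's own
    // AddAzureKeyVault(SecretClient, AzureKeyVaultConfigurationOptions) overload.
    public static IConfigurationBuilder AddPrefixedKeyVault(
        this IConfigurationBuilder builder,
        SecretClient client,
        string prefix) =>
        builder.AddAzureKeyVault(client, new AzureKeyVaultConfigurationOptions
        {
            Manager = new PrefixKeyVaultSecretManager(prefix),
            // Assumed value: re-read the vault every 30 minutes so rotated
            // secrets are picked up without a restart.
            ReloadInterval = TimeSpan.FromMinutes(30)
        });
}
```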

Best Practices

  • Use Managed Identity for authentication in production environments.

  • Never hardcode secrets or credentials in application code.

  • Use environment-specific Key Vaults (dev, staging, production).

  • Grant least-privilege access to Key Vault (only "Get" and "List" permissions for secrets).

  • Monitor Key Vault access logs for security auditing.

  • Cache secrets appropriately to minimize Key Vault calls.

  • Use Key Vault references in Azure App Service configuration when possible.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
