AzureKeyVault Adapter

Oleg Karasik edited this page Jul 22, 2019 · 12 revisions

The adapter adds support for reading Azure Key Vault secrets (keys and certificates are not supported currently), authenticating either with Managed Identity or with a ClientId and ClientSecret pair.

Integration

The adapter can be referenced using the following values:

NAME           VALUE
NAME           AzureKeyVault
TYPE_NAME      CoherentSolutions.Extensions.Configuration.AnyWhere.AzureKeyVault.AnyWhereAzureKeyVaultConfigurationSourceAdapter
ASSEMBLY_NAME  CoherentSolutions.Extensions.Configuration.AnyWhere.AzureKeyVault

Configuration

The adapter accepts the following arguments:

NAME           TYPE    CONSTRAINTS  OPTIONAL
VAULT          string  -            false
SECRETS        string  -            false
CLIENT_ID      string  -            true
CLIENT_SECRET  string  -            true

VAULT

The VAULT argument is expected to be set to the Azure Key Vault DNS name. However, the adapter treats the VAULT value as an opaque string and passes it directly to the Azure Key Vault communication API (i.e. KeyVaultClient) without validating it.

SECRETS

The SECRETS argument is given as a "secrets string". A "secrets string" consists of one or more "secret strings" separated by semicolons (;):

<secret-string>;<secret-string>;<secret-string>

The "secret string" has the following format:

<secret-name>/<?secret-alias>:<?secret-version>

where

  • <secret-name> - defines the name of the secret to read.
  • <secret-alias> (optional) - defines the configuration key under which the secret's value is stored.
  • <secret-version> (optional) - defines the version of the secret to read.

// Example (read 'version-one' of 'secret-one' and alias it as 'ConnectionString')
SECRETS=secret-one/ConnectionString:version-one

// Example (read 'version-one' of 'secret-one')
SECRETS=secret-one:version-one

// Example (read latest version of 'secret-one' and alias it as 'ConnectionString')
SECRETS=secret-one/ConnectionString

// Example (read latest version of 'secret-one')
SECRETS=secret-one

The "secret string" parser uses so-called control characters (: and /) to separate segments. Parsing is done from right to left, i.e. the first segment identified is <secret-version>, then <secret-alias>, and finally <secret-name>. This is why a control character inside the rightmost segment does not need escaping, as the following examples show.

// Example (reads 'secret/version' of 'secret-one')
SECRETS=secret-one:secret/version

// Example (reads 'secret-version' of 'secret-one' and alias it as 'secret:alias')
SECRETS=secret-one/secret:alias:secret-version

// Example (reads 'secret-version' of 'secret/one' and alias it as 'secret:alias')
SECRETS=secret/one/secret:alias:secret-version

When a segment needs to contain a control character, the character can be escaped with ` (backtick). There are three escape sequences (a backtick followed by any other character is kept as a literal backtick):

  • The `/ (backtick - slash) results in / (slash)
  • The `: (backtick - colon) results in : (colon)
  • The `` (double backtick) results in ` (backtick)

// Example (reads 'secret-name:secret-name')
SECRETS=secret-name`:secret-name

// Example (reads 'secret-name/secret-name')
SECRETS=secret-name`/secret-name

// Example (reads 'secret-name`secret-name')
SECRETS=secret-name``secret-name

// Example (reads 'secret-name`secret-name')
SECRETS=secret-name`secret-name

// Example (reads 'secret-name`/secret-name')
SECRETS=secret-name```/secret-name

All leading and trailing whitespace characters are trimmed from the result value.
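As an added illustration (not code from the adapter project), here is a small Python parser for the secrets string format described in this section: a left-to-right escape pass followed by the right-to-left segment split. The names SecretRef, parse_secret_string and parse_secrets are assumptions, as is treating ; as a non-escapable separator, since the page lists only three escape sequences.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ESCAPABLE = {"/", ":", "`"}  # characters a backtick can escape


@dataclass(frozen=True)
class SecretRef:
    name: str
    alias: Optional[str]    # configuration key; None means no alias was given
    version: Optional[str]  # None means the latest version


def _tokenize(text: str) -> List[Tuple[str, bool]]:
    """Left-to-right escape pass: returns (char, is_control) pairs.
    A backtick escapes '/', ':' or '`'; a backtick before anything else is literal."""
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == "`" and i + 1 < len(text) and text[i + 1] in ESCAPABLE:
            out.append((text[i + 1], False))  # escaped char is never a separator
            i += 2
        else:
            out.append((ch, ch in ("/", ":")))  # bare '/' and ':' are separators
            i += 1
    return out


def _split_last(tokens, control):
    """Split at the last unescaped control char; right part is None if absent."""
    for idx in range(len(tokens) - 1, -1, -1):
        if tokens[idx] == (control, True):
            return tokens[:idx], tokens[idx + 1:]
    return tokens, None


def _text(tokens) -> str:
    return "".join(c for c, _ in tokens).strip()  # adapter trims whitespace


def parse_secret_string(secret: str) -> SecretRef:
    tokens = _tokenize(secret)
    rest, version = _split_last(tokens, ":")  # right to left: version first,
    rest, alias = _split_last(rest, "/")      # then alias; the rest is the name
    return SecretRef(
        name=_text(rest),
        alias=_text(alias) if alias is not None else None,
        version=_text(version) if version is not None else None,
    )


def parse_secrets(secrets: str) -> List[SecretRef]:
    # Assumption: ';' is not escapable (the page lists only three escape sequences)
    return [parse_secret_string(s) for s in secrets.split(";") if s.strip()]
```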

CLIENT_ID and CLIENT_SECRET

The CLIENT_ID and CLIENT_SECRET arguments are expected to be set as a pair and are used to obtain an access token for Azure Key Vault. If one or both of the arguments are missing, the adapter automatically switches to the Managed Identity flow.