AzureKeyVault Adapter
The adapter adds support for reading Azure Key Vault secrets (keys and certificates are not currently supported), authenticating either with a Managed Identity or with a ClientId and ClientSecret pair.
The adapter can be referenced using the following values:
NAME | VALUE |
---|---|
NAME | AzureKeyVault |
TYPE_NAME | CoherentSolutions.Extensions.Configuration.AnyWhere.AzureKeyVault.AnyWhereAzureKeyVaultConfigurationSourceAdapter |
ASSEMBLY_NAME | CoherentSolutions.Extensions.Configuration.AnyWhere.AzureKeyVault |
The adapter accepts the following arguments:
NAME | TYPE | CONSTRAINTS | OPTIONAL |
---|---|---|---|
VAULT | string | - | false |
SECRETS | string | - | false |
CLIENT_ID | string | - | true |
CLIENT_SECRET | string | - | true |
The VAULT argument is expected to be set to the Azure Key Vault DNS name. The adapter does not validate it: the value is treated as an opaque string and passed as-is to the Azure Key Vault client API (i.e. KeyVaultClient), so any malformed value is only detected by that client.
The SECRETS argument is a "secrets string": one or more "secret strings" separated by semicolons (;):
<secret-string>;<secret-string>;<secret-string>
Each "secret string" has the following format:
<secret-name>/<?secret-alias>:<?secret-version>
where
- <secret-name> - the name of the secret to read.
- <secret-alias> (optional) - the configuration key under which the secret's value is stored.
- <secret-version> (optional) - the version of the secret to read; when omitted, the latest version is read.
// Example (read 'version-one' of 'secret-one' and alias it as 'ConnectionString')
SECRETS=secret-one/ConnectionString:version-one
// Example (read 'version-one' of 'secret-one')
SECRETS=secret-one:version-one
// Example (read latest version of 'secret-one' and alias it as 'ConnectionString')
SECRETS=secret-one/ConnectionString
// Example (read latest version of 'secret-one')
SECRETS=secret-one
The "secret string" parser uses so-called control characters (: and /) to separate segments. Parsing is done from right to left, i.e. the first segment identified is <secret-version> (everything after the last unescaped colon), then <secret-alias> (everything after the last unescaped slash in what remains), and whatever is left is <secret-name>.
// Example (reads 'secret/version' of 'secret-one')
SECRETS=secret-one:secret/version
// Example (reads 'secret-version' of 'secret-one' and alias it as 'secret:alias')
SECRETS=secret-one/secret:alias:secret-version
// Example (reads 'secret-version' of 'secret/one' and alias it as 'secret:alias')
SECRETS=secret/one/secret:alias:secret-version
When a segment has to contain a control character, it can be escaped using ` (backtick). There are three escape sequences:
- `/ (backtick - slash) results in / (slash)
- `: (backtick - colon) results in : (colon)
- `` (double backtick) results in ` (backtick)
A backtick followed by any other character is not an escape sequence and is kept as a literal backtick.
// Example (reads 'secret-name:secret-name')
SECRETS=secret-name`:secret-name
// Example (reads 'secret-name/secret-name')
SECRETS=secret-name`/secret-name
// Example (reads 'secret-name`secret-name')
SECRETS=secret-name``secret-name
// Example (reads 'secret-name`secret-name')
SECRETS=secret-name`secret-name
// Example (reads 'secret-name`/secret-name')
SECRETS=secret-name```/secret-name
All leading and trailing whitespace characters are trimmed from the result value.
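The parsing rules above (right-to-left split on unescaped control characters, the three backtick escapes, whitespace trimming) as an added worked example in Python. This is illustration code written for this page, not the adapter's own .NET implementation; the SecretRef type, the function names, the assumption that ';' itself cannot be escaped, and the decision to reject empty segments and duplicate configuration keys are all my own choices rather than documented adapter behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ESCAPE = "`"
CONTROL_CHARS = {"/", ":"}
SECRET_SEPARATOR = ";"


@dataclass(frozen=True)
class SecretRef:
    """One parsed "secret string": which secret to read and where to store it."""
    name: str
    alias: Optional[str] = None
    version: Optional[str] = None

    @property
    def config_key(self) -> str:
        # Assumption: without an alias the value is stored under the secret name.
        return self.alias if self.alias is not None else self.name


# (is_control, char): is_control is True only for an UNESCAPED '/' or ':'.
Token = Tuple[bool, str]


def tokenize(secret_string: str) -> List[Token]:
    """Resolve backtick escapes first so control characters can be found reliably."""
    tokens: List[Token] = []
    i = 0
    while i < len(secret_string):
        ch = secret_string[i]
        if ch == ESCAPE:
            nxt = secret_string[i + 1] if i + 1 < len(secret_string) else None
            if nxt is not None and (nxt in CONTROL_CHARS or nxt == ESCAPE):
                tokens.append((False, nxt))  # `/ -> /, `: -> :, `` -> `
                i += 2
            else:
                tokens.append((False, ch))  # a lone backtick is kept literally
                i += 1
        else:
            tokens.append((ch in CONTROL_CHARS, ch))
            i += 1
    return tokens


def _rsplit(tokens: List[Token], ctrl: str):
    """Split on the LAST unescaped occurrence of ctrl (the right-to-left rule)."""
    for idx in range(len(tokens) - 1, -1, -1):
        is_control, ch = tokens[idx]
        if is_control and ch == ctrl:
            return tokens[:idx], tokens[idx + 1:]
    return tokens, None


def _segment(tokens: Optional[List[Token]], what: str, raw: str) -> Optional[str]:
    """Join a token run into trimmed text. Assumption: a segment that is present but
    empty (e.g. a trailing ':' or '/') is an error, because silently ignoring a
    trailing ':' would read the latest version where a pinned one was intended."""
    if tokens is None:
        return None
    text = "".join(ch for _, ch in tokens).strip()
    if not text:
        raise ValueError(f"empty {what} segment in {raw!r}")
    return text


def parse_secret_string(raw: str) -> SecretRef:
    tokens = tokenize(raw)
    rest, version_tokens = _rsplit(tokens, ":")    # 1. version: after the last ':'
    name_tokens, alias_tokens = _rsplit(rest, "/")  # 2. alias: after the last '/' left of it
    return SecretRef(                               # 3. name: whatever remains
        name=_segment(name_tokens, "secret-name", raw),
        alias=_segment(alias_tokens, "secret-alias", raw),
        version=_segment(version_tokens, "secret-version", raw),
    )


def parse_secrets_string(raw: str) -> List[SecretRef]:
    """Parse a whole SECRETS value. Assumptions: ';' has no escape sequence, blank
    entries such as a trailing ';' are skipped, and two entries that resolve to the
    same configuration key are rejected instead of letting the later one win."""
    refs: List[SecretRef] = []
    seen = set()
    for entry in raw.split(SECRET_SEPARATOR):
        if not entry.strip():
            continue
        ref = parse_secret_string(entry)
        if ref.config_key in seen:
            raise ValueError(f"duplicate configuration key {ref.config_key!r}")
        seen.add(ref.config_key)
        refs.append(ref)
    return refs


if __name__ == "__main__":
    # Constructed sample input covering aliasing, pinning and every escape sequence.
    sample = "secret-one/ConnectionString:version-one;secret/one/secret:alias:v2;secret-name```/secret-name"
    for ref in parse_secrets_string(sample):
        print(ref.config_key, "<-", ref.name, ref.version or "(latest)")
```

The duplicate-key check is worth keeping in any real loader: a secrets string such as `db/Conn;cache/Conn` would otherwise populate one configuration key with whichever secret is read last, and a misread of that kind is hard to spot from application behaviour alone.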
The CLIENT_ID and CLIENT_SECRET arguments are expected to be set as a pair and are used to obtain an access token for Azure Key Vault. If either or both are missing, the adapter automatically falls back to the Managed Identity flow. Note that a CLIENT_SECRET supplied this way is itself a credential that lives alongside the application's configuration, so prefer the Managed Identity flow wherever the application runs on Azure and can be assigned one.
(c) 2020 Coherent Solutions Inc.