Securing with Secrets
Compliant Development Process
Configuration is an important aspect of determining an application’s behavior. Settings files often include sensitive information like passwords and API keys. In this course, we will look at how to protect that sensitive information while the app is being developed and when it is in production.
Azure App Configuration allows you to manage access to settings data, and we will see how to use it within a .NET application. We will look at using Azure Key Vault in conjunction with App Configuration, and at how to access Azure Key Vault directly from your application and from apps running in a container within a Kubernetes cluster.
Next, we look at the idea of shifting security testing left within your development process, and at how we can automate security testing as part of implementing a compliant development process. Much of this will involve using extensions from the Azure Marketplace within your DevOps build pipeline.
This course contains numerous demonstrations from the Azure platform so that you can get a first-hand look at the topics we will be covering. If you have any feedback relating to this course, please contact us at firstname.lastname@example.org.
- Learn about app configuration
- Run and deploy apps with the Azure App Configuration service
- Use Azure Key Vault to store secrets and certificates
- Access Key Vault directly from your apps, including those running within a Kubernetes cluster
- Create a compliant development process by integrating code analyzers, branch policies, quality gates, open-source library scanning, and automated penetration testing into a build pipeline
- Intermediate-level developers, DevOps engineers, and product managers
- Anyone interested in learning how to implement secure app configurations and development pipelines
To get the most out of this course, you should have some pre-existing knowledge of software development and of using Microsoft Azure.
Having said that, let's start by looking at how you would implement basic app settings with Azure App Configuration. I have here a basic ASP.NET Core 3.1 web app that connects to an Azure SQL database and retrieves products. There are two versions of the database, a development one and a production one. You can see the connection string here in appsettings.json. I'll run the app to see the two datasets. Here we have the development data with dummy products.
Now I'll go back to appsettings.json and change the connection to the production database. Okay, now we've seen the two datasets, let's look at moving the connection string to App Configuration. Log in to the Azure portal and create a new App Configuration resource. Give it a name, select a resource group and location, and choose a pricing tier. After the App Configuration resource has been deployed, click on Configuration explorer under Operations and create a new key-value. I'll call the key HowAppDb and paste the database connection string from appsettings.json into the value field. I'll leave the Label field blank for the moment, but type "connection string" into the content-type field. Content-type has no intrinsic meaning to the service; it is a user-defined field that can indicate what type of data the value is.
Before we head back to the app, we'll have a quick look at Access keys under Settings. The connection string value there is what we'll use to connect to the App Configuration service, so it needs to be treated as a secret in its own right. Okay, back in the app we need to add a NuGet package to use the App Configuration functionality. Search for Microsoft.Azure.AppConfiguration.AspNetCore and add it to the project. Next, open the project file by right-clicking on it and choosing "Edit project file" to see the .csproj XML. Right-click again on the project in Solution Explorer and select Manage user secrets. An empty secrets.json file is opened and a UserSecretsId XML tag is added to the PropertyGroup node of the project file. The idea with the secrets file is that it is not part of the project and is not stored in the project's repo when you commit your changes. It would rather defeat the purpose of secrets if they were easily accessible. The UserSecretsId GUID points to a file location within the user profile folder, which you can see by opening the file's location.
Now we have to add a link to the Azure App Configuration service. In secrets.json add a ConnectionStrings:AppConfig key, then go back to the Azure portal, copy the connection string from Access keys under Settings, and paste it in as the value. I'll remove the database connection string from appsettings.json as it is no longer necessary. Next, I need to modify the application code to use app settings from Azure. First, I modify CreateHostBuilder in Program.cs to add the Azure App Configuration provider, using the connection string stored in secrets.json under the key ConnectionStrings:AppConfig.
Now that we are getting the app settings from Azure, I need to change the database connection initialization in Startup.cs. This just involves deleting the GetConnectionString call on Configuration and replacing it with an index reference to the database connection string key from Azure App Configuration. Right, now we've made the changes, let's run the app again. There, we've got the development data showing. I'll go back to Azure and change the value to the ProdDb connection string, and there we go, now it's connecting to production data.
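The following is an added example, not the course's own project code, that pulls the steps above together into one Program.cs and Startup.cs for an ASP.NET Core 3.1 app. It assumes the App Configuration key is HowAppDb with no label, that the store's access-key connection string sits in secrets.json under ConnectionStrings:AppConfig, and a hypothetical EF Core DbContext named ProductsContext; the package names and extension methods are those of Microsoft.Azure.AppConfiguration.AspNetCore and its Microsoft.Extensions.Configuration.AzureAppConfiguration dependency. Two checks a practitioner would want are included: the app fails fast if the store connection string is missing rather than starting with an empty configuration, and it loads only the key it needs instead of every key in the store.

```csharp
// secrets.json (stored under the user profile, keyed by the UserSecretsId GUID,
// never committed). The access-key connection string grants read access to the
// whole store, so it is itself a secret:
// {
//   "ConnectionStrings": {
//     "AppConfig": "Endpoint=https://<store-name>.azconfig.io;Id=<id>;Secret=<secret>"
//   }
// }

using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
                {
                    // Build the providers registered so far (appsettings.json,
                    // user secrets in the Development environment, environment
                    // variables) to read the App Configuration connection string.
                    IConfiguration settings = config.Build();
                    string appConfigConnection = settings["ConnectionStrings:AppConfig"];

                    // Fail fast: without the store connection the app would start
                    // with HowAppDb unset and only fail on the first database call.
                    if (string.IsNullOrWhiteSpace(appConfigConnection))
                    {
                        throw new InvalidOperationException(
                            "ConnectionStrings:AppConfig is not set. Add it with " +
                            "'dotnet user-secrets set ConnectionStrings:AppConfig \"<value>\"'.");
                    }

                    config.AddAzureAppConfiguration(options =>
                        options.Connect(appConfigConnection)
                               // Load only the key this app needs, with no label,
                               // rather than every key-value in the store.
                               .Select("HowAppDb", LabelFilter.Null));
                });
                webBuilder.UseStartup<Startup>();
            });
}

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Before: Configuration.GetConnectionString("HowAppDb"), which reads
        // ConnectionStrings:HowAppDb from appsettings.json.
        // After: index the flat key supplied by Azure App Configuration.
        string dbConnection = Configuration["HowAppDb"];
        if (string.IsNullOrWhiteSpace(dbConnection))
        {
            throw new InvalidOperationException(
                "Key HowAppDb was not found in Azure App Configuration.");
        }

        services.AddDbContext<ProductsContext>(options => options.UseSqlServer(dbConnection));
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

// Hypothetical DbContext for the products table (assumption, not from the course).
public class ProductsContext : DbContext
{
    public ProductsContext(DbContextOptions<ProductsContext> options) : base(options) { }
}
```

Note that with this setup the value of HowAppDb is read once at startup; switching the key in the portal from the development to the production connection string takes effect on the next restart unless a refresh policy is configured on the provider.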
Hallam is a software architect with over 20 years' experience across a wide range of industries. He began his software career as a Delphi/InterBase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software using web, mobile and desktop technologies, good-quality, reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how to leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.