my connection string in user secret
No problem at local
but is publish and upload in server error
ArgumentNullException: Value cannot be null. (Parameter 'connectionString')
user secrets is only for development and not intended for production.It doesn't encrypt the stored secrets and stored in a JSON configuration file in the user profile directory.
For production , usually you can use JSON file(appsettings.json/appsettings.{Environment}.json), environment variables, and Azure Key Vault(which is recommended), please read below article for more details about configuration providers in asp.net core :
Configuration in ASP.NET Core
It seems the connectionStrings section is not yet configured at production machine. So you must store connection strings into Web.config file at production machine.
Connection Strings and Configuration Files
Besides that, you can protect the configuration by encrypt it using protected configuration.
Encrypting Configuration Information Using Protected Configuration
User secrets used for development security and it doesn't transfer/publish with your app (to GitHub or to IIS), they are stored in your local profile. If you are looking for securing your credentials & sensitive data the better way is to use Azure Key Vault (see Manage User Secrets)
Related
I have an ASP.NET Core app that I deploy in a containerized manner to Azure Kubernetes Service (AKS) and when running just a single replica of the app - it is functional and works as expected.
However, when I run multiple replicas - I run into am error - “Unable to protect the message.State” from the OIDC provider.
Upon further research I have figured out that using ASP.NET Core Data Protection as depicted here is the solution -
https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-5.0#persisting-keys-when-hosting-in-a-docker-container
However - the above link does not expand upon the usage pattern of it while storing the key in Azure Key Vault. Assuming I have protected my keys in AKV how do I actually get to use it in my app? Is there sample or guidance on this aspect?
First of all I would recommend that the same client instance (With AddOpenIDConnect(...) is the same that also handles the callback from your Identity Provider (/signin-oidc). The state parameter that it sets when it first redirects you to the identity provider must match the returned response (for security reasons).
To make sure that issued cookies in the users browser is valid all the time, you need to make sure:
All client instances uses the same data protection encryption key
The key is the same during redeployment.
You can for example store this key in Azure Key Vault, SQL-Server or somewhere else.
btw, I did a blog post about the Data Protection API here and how you could store the key-ring in AKV as well.
I want to access the Key Vault from my Service Fabric application via Managed Service Identity (MSI). I have enabled MSI on the virtual machine scale set in the Azure Portal and given it access to my Key Vault resource. This works like a charm up in the cloud. However, I am having problems with my local develop environment.
As far as I understand, I can grant myself access to the Key Vault and run az login in Azure CLI. Alas, this doesn't work when running the application in a local Service Fabric cluster.
I am using .net core 2.1 in service fabric and getting below mentioned exception.
Azure.Identity.AuthenticationFailedException: DefaultAzureCredential failed to retrieve a token from the included credentials.
EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
SharedTokenCacheCredential authentication failed: Persistence check failed. Inspect inner exception for details
Visual Studio Token provider can't be accessed at C:\Users\Default\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json
VisualStudioCodeCredential authentication failed: A specified logon session does not exist. It may already have been terminated.
Services are likely running under the built-in 'NetworkService' account, which cannot access the CLI for credentials because it has run in your user session.
Try creating machine level environment variables to access the vault:
Create a service principal with a password. Follow steps here to create a service principal and grant it permissions to the Key Vault.
Set an environment variable named AzureServicesAuthConnectionString to RunAs=App;AppId=AppId;TenantId=TenantId;AppKey=Secret. You need to
replace AppId, TenantId, and Secret with actual values from step #1.
Run the application in your local development environment. No code change is required. AzureServiceTokenProvider will use this
environment variable and use the service principal to authenticate to
Azure AD.
Don't forget to restart, so the environment variables are added to all processes.
As the document shows about DefaultAzureCredential, Environment and Managed Identity are deployed service authentication. Azure CLI needs to login with your Azure account via the az login command.
So, Environment and Managed Identity are appropriate for you. For example, Using the environment needs to set Environment Variables first, see here. Then you could create a secret client using the DefaultAzureCredential.
// Create a secret client using the DefaultAzureCredential
var client = new SecretClient(new Uri("https://myvault.azure.vaults.net/"), new DefaultAzureCredential());
I was able to get this working with with local service fabric development by opening Services.msc on my local development machine and configuring the 'Service Fabric Host Service' to run as my local user account rather than the default local service.
Only then would DefaultAzureCredential work for picking up the Az CLI login.
I have an Azure File storage folder and I would like to have a simple HTTP Basic User/Pass authentication on it and be able to list the directory contents of that directory upon successful authentication.
I know that there are Shared Access Signatures but that's a different security approach.
This is so simple scenario but yet I cannot find a solution to it...
What I want to have is just a simple (bucket) folder that is going to be available over HTTP Basic Auth through the browser externally.
Does Azure File Storage support basic authentication?
At this time, Active Directory-based authentication and access control lists (ACLs) are not supported.
Azure Files supports identity-based authorization over SMB (Server Message Block) through Azure Active Directory Domain Services. Your domain-joined Windows virtual machines (VMs) can access Azure file shares using Azure AD credentials.
How can I connect to SQL database hosted on Microsoft Azure without having credentials in plain text in my .asp files or config files in VBScript?
I want to have the database connection string stored in Azure Key Vault, and have the web app access the key vault to get the connection string and then connect to the database.
I have looked at a lot of Microsoft documentations but they are all in C#. My web app is all in VBScript and .asp files and I don't want to spend the time rebuilding the whole web app to ASP.NET/.aspx
Thank you
You don't need Azure Key Vault in this case.
What you can do is to create a new App Setting in App Settings of Azure Web App, and make its value to be the connection string of your database. This will create an environment variable and you can access it with VBScript. This post shows how to access an environment variable with VBScript.
I found a way!
If I want to use the environment variables set under App Settings:
Set objWSH = CreateObject("WScript.Shell")
Set objUserVariables = objWSH.Environment("Process")
Response.Write(objUserVariables("APPSETTING_testAppSet"))
the prefix APPSETTING_ will be different if the variable is stored under Connection String
One other way I was able to use is to store the DB connection string in the Azure Key Vault. And then use OAuth access token to access Azure Key Vault. In this method, you have to send a POST request to Azure with ClientID and ClientSecret in the request body, then you will get an access token from the HTTP response. After that, send a GET request to the Key Vault endpoint with the access token in the request header. Then you will get the value of the key vault secret from the HTTP response.
Another way to do it is to use the MSI_ENDPOINT and MSI_SECRET and send the HTTP request to get the access token. And with that access token, you can access a key vault secret as well (you have to make sure that the Key Vault Access Policy is setup correctly).
I wondering how to encrypt information in appsettings.json in asp.net core 2.0. I am looking for a way to encrypt connectionstring and other credentials or sensitive informations that can be store in appsettings.json in a production environment. Users secrets is only recommand for development purpose so they don't fit that requirements. Also i can't use Azure Key vault.
While not encrypted, you can use environment variables to store your sensitive information instead of including it within your appsettings.json file. This allows you to use user secrets in development and environment variables in production
If you're using Azure it will be under Application Settings.