Keep Your App Secrets Safe in Development in .NET Core

Leslie Ramírez
Mar 29, 2021

If you are new to development, you may be curious about how to manage sensitive data such as connection strings and API keys. Never store passwords or other sensitive data in source code. In this post we focus on secrets in the development environment; in the next post I’ll show you how to manage your production secrets with Azure Key Vault.

Environment variables

Environment variables are used to avoid storing app secrets in code or in local configuration files. Environment variables override the values from all previously specified configuration sources.

Consider an ASP.NET Core web app in which Individual User Accounts security is enabled when you create the project.

A default database connection string is included in the project’s appsettings.json file with the key DefaultConnection. This string is for LocalDB, which runs in user mode and doesn’t require a password. During app deployment, the key value can be overridden with an environment variable’s value. The environment variable may store the complete connection string, including your credentials.

For that case, there is a great tool for storing app secrets during development: the Secret Manager.

Secret Manager

The Secret Manager tool stores sensitive data during the development of an ASP.NET Core project. In this context, a piece of sensitive data is an app secret. App secrets are stored in a separate location from the project tree. The app secrets are associated with a specific project or shared across several projects.

Enable Secret Storage

The secret manager tool operates on a project-specific configuration setting stored in your user profile. To use user secrets, run the following command in the project directory:

dotnet user-secrets init

This command adds a UserSecretsId to your project file. Setting a secret is easy; you just need to execute the following command:

It should look like this:

As a JSON structure, it should look like this:

To access your secrets, complete the following steps:

1. Secrets Configuration Source

Add the user secrets configuration source explicitly by calling AddUserSecrets in ConfigureAppConfiguration as shown in the following example:

2. Read the secret via the Configuration API

If the user secrets configuration source is registered, the .NET Configuration API can read the secrets. Constructor injection can be used to gain access to the .NET Configuration API. The following example uses the Unicorn:ServiceApiKey key:
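The steps above put together in one Program.cs, as an added example that is not the post's original code. The UnicornClient class, its Status property and the `<dev-api-key>` placeholder are assumptions made for illustration; the project is assumed to use the Microsoft.NET.Sdk.Web SDK.

```csharp
// One-time setup, run in the project directory (the value is a placeholder):
//   dotnet user-secrets init
//   dotnet user-secrets set "Unicorn:ServiceApiKey" "<dev-api-key>"
// secrets.json in the user profile then holds: { "Unicorn:ServiceApiKey": "<dev-api-key>" }
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // User secrets are a development-only source; do not load them elsewhere.
                if (context.HostingEnvironment.IsDevelopment())
                    config.AddUserSecrets<Program>();
            })
            .ConfigureServices(services => services.AddSingleton<UnicornClient>())
            .ConfigureWebHostDefaults(web => web.Configure(app =>
                // Minimal pipeline: resolve the client and report its status.
                app.Run(ctx => ctx.Response.WriteAsync(
                    ctx.RequestServices.GetRequiredService<UnicornClient>().Status))));
}

// Hypothetical consumer of the secret (the name is an assumption, not from the post).
public class UnicornClient
{
    private readonly string _apiKey;

    public UnicornClient(IConfiguration configuration)
    {
        // ':' separates configuration sections, so this reads Unicorn -> ServiceApiKey.
        _apiKey = configuration["Unicorn:ServiceApiKey"];
        if (string.IsNullOrWhiteSpace(_apiKey))
            throw new InvalidOperationException(
                "Unicorn:ServiceApiKey is not set. Run 'dotnet user-secrets set' for this project.");
    }

    // Report status only; the key itself is never logged or returned.
    public string Status => "Unicorn API key loaded";
}
```

Host.CreateDefaultBuilder already registers the user secrets source in the Development environment, so the explicit call matters mainly for hosts built without it. The Secret Manager stores values unencrypted in the user profile, so it keeps secrets out of source control but does not protect them on a compromised workstation.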

There are other ways to get and use app secrets in your application. We are not going to cover all of them; I wanted to show you the easiest way to set your app secrets in the development environment.

Next time, I’ll show how to keep your secrets safe in the production environment. Take care!

Leslie Ramírez

I am a Microsoft MVP in the award category Developer Technologies, a professional with several years in software development, specifically in .NET technology.