Add Azure KeyVault for reading secrets

Author: skoruba

src/Skoruba.IdentityServer4.Admin.Api/Program.cs

@@ -50,6 +50,10 @@ private static IConfiguration GetConfiguration(string[] args)
                 configurationBuilder.AddUserSecrets<Startup>();
             }
 
+            var configuration = configurationBuilder.Build();
+
+            configuration.AddAzureKeyVaultConfiguration(configurationBuilder);
+
             configurationBuilder.AddCommandLine(args);
             configurationBuilder.AddEnvironmentVariables();
 
@@ -60,6 +64,8 @@ public static IHostBuilder CreateHostBuilder(string[] args) =>
             Host.CreateDefaultBuilder(args)
                  .ConfigureAppConfiguration((hostContext, configApp) =>
                  {
+                     var configurationRoot = configApp.Build();
+
                      configApp.AddJsonFile("serilog.json", optional: true, reloadOnChange: true);
 
                      var env = hostContext.HostingEnvironment;
@@ -71,6 +77,8 @@ public static IHostBuilder CreateHostBuilder(string[] args) =>
                          configApp.AddUserSecrets<Startup>();
                      }
 
+                     configurationRoot.AddAzureKeyVaultConfiguration(configApp);
+
                      configApp.AddEnvironmentVariables();
                      configApp.AddCommandLine(args);
                  })

src/Skoruba.IdentityServer4.Admin.Api/appsettings.json

@@ -51,5 +51,13 @@
     },
     "DataProtectionConfiguration": {
         "ProtectKeysWithAzureKeyVault": false
+    },
+    "AzureKeyVaultConfiguration": {
+        "AzureKeyVaultEndpoint": "",
+        "ClientId": "",
+        "ClientSecret": "",
+        "UseClientCredentials": true,
+        "DataProtectionKeyIdentifier": "",
+        "ReadConfigurationFromKeyVault": false
     }
 }

src/Skoruba.IdentityServer4.Admin/Program.cs

@@ -3,13 +3,17 @@
 using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Hosting;
+using Microsoft.Azure.KeyVault;
+using Microsoft.Azure.Services.AppAuthentication;
 using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Configuration.AzureKeyVault;
 using Microsoft.Extensions.Hosting;
 using Serilog;
 using Skoruba.IdentityServer4.Admin.Configuration;
 using Skoruba.IdentityServer4.Admin.EntityFramework.Shared.DbContexts;
 using Skoruba.IdentityServer4.Admin.EntityFramework.Shared.Entities.Identity;
 using Skoruba.IdentityServer4.Admin.Helpers;
+using Skoruba.IdentityServer4.Shared.Configuration.Common;
 using Skoruba.IdentityServer4.Shared.Helpers;
 
 namespace Skoruba.IdentityServer4.Admin
@@ -49,7 +53,7 @@ public static async Task Main(string[] args)
         private static async Task ApplyDbMigrationsWithDataSeedAsync(string[] args, IConfiguration configuration, IHost host)
         {
             var applyDbMigrationWithDataSeedFromProgramArguments = args.Any(x => x == SeedArgs);
-            if (applyDbMigrationWithDataSeedFromProgramArguments) args = args.Except(new[] {SeedArgs}).ToArray();
+            if (applyDbMigrationWithDataSeedFromProgramArguments) args = args.Except(new[] { SeedArgs }).ToArray();
 
             var seedConfiguration = configuration.GetSection(nameof(SeedConfiguration)).Get<SeedConfiguration>();
             var databaseMigrationsConfiguration = configuration.GetSection(nameof(DatabaseMigrationsConfiguration))
@@ -79,6 +83,10 @@ private static IConfiguration GetConfiguration(string[] args)
                 configurationBuilder.AddUserSecrets<Startup>();
             }
 
+            var configuration = configurationBuilder.Build();
+
+            configuration.AddAzureKeyVaultConfiguration(configurationBuilder);
+
             configurationBuilder.AddCommandLine(args);
             configurationBuilder.AddEnvironmentVariables();
 
@@ -89,6 +97,8 @@ public static IHostBuilder CreateHostBuilder(string[] args) =>
             Host.CreateDefaultBuilder(args)
                  .ConfigureAppConfiguration((hostContext, configApp) =>
                  {
+                     var configurationRoot = configApp.Build();
+
                      configApp.AddJsonFile("serilog.json", optional: true, reloadOnChange: true);
                      configApp.AddJsonFile("identitydata.json", optional: true, reloadOnChange: true);
                      configApp.AddJsonFile("identityserverdata.json", optional: true, reloadOnChange: true);
@@ -104,6 +114,8 @@ public static IHostBuilder CreateHostBuilder(string[] args) =>
                          configApp.AddUserSecrets<Startup>();
                      }
 
+                     configurationRoot.AddAzureKeyVaultConfiguration(configApp);
+
                      configApp.AddEnvironmentVariables();
                      configApp.AddCommandLine(args);
                  })

src/Skoruba.IdentityServer4.Admin/appsettings.json

@@ -72,5 +72,14 @@
     },
     "DataProtectionConfiguration": {
         "ProtectKeysWithAzureKeyVault": false
+    },
+
+    "AzureKeyVaultConfiguration": {
+        "AzureKeyVaultEndpoint": "",
+        "ClientId": "",
+        "ClientSecret": "",
+        "UseClientCredentials": true,
+        "DataProtectionKeyIdentifier": "",
+        "ReadConfigurationFromKeyVault": false 
     }
 }

src/Skoruba.IdentityServer4.STS.Identity/Program.cs

@@ -50,6 +50,10 @@ private static IConfiguration GetConfiguration(string[] args)
                 configurationBuilder.AddUserSecrets<Startup>();
             }
 
+            var configuration = configurationBuilder.Build();
+
+            configuration.AddAzureKeyVaultConfiguration(configurationBuilder);
+
             configurationBuilder.AddCommandLine(args);
             configurationBuilder.AddEnvironmentVariables();
 
@@ -60,6 +64,8 @@ public static IHostBuilder CreateHostBuilder(string[] args) =>
             Host.CreateDefaultBuilder(args)
                  .ConfigureAppConfiguration((hostContext, configApp) =>
                  {
+                     var configurationRoot = configApp.Build();
+
                      configApp.AddJsonFile("serilog.json", optional: true, reloadOnChange: true);
 
                      var env = hostContext.HostingEnvironment;
@@ -71,6 +77,8 @@ public static IHostBuilder CreateHostBuilder(string[] args) =>
                          configApp.AddUserSecrets<Startup>();
                      }
 
+                     configurationRoot.AddAzureKeyVaultConfiguration(configApp);
+
                      configApp.AddEnvironmentVariables();
                      configApp.AddCommandLine(args);
                  })

src/Skoruba.IdentityServer4.STS.Identity/appsettings.json

@@ -32,14 +32,6 @@
         "UseSigningCertificateForAzureKeyVault": false,
         "UseValidationCertificateForAzureKeyVault": false
     },
-    "AzureKeyVaultConfiguration": {
-        "AzureKeyVaultEndpoint": "",
-        "ClientId": "",
-        "ClientSecret": "",
-        "UseClientCredentials": true,
-        "IdentityServerCertificateName": "",
-        "DataProtectionKeyIdentifier": ""
-    },
     "RegisterConfiguration": {
         "Enabled": true
     },
@@ -89,5 +81,14 @@
     },
     "DataProtectionConfiguration": {
         "ProtectKeysWithAzureKeyVault": false
+    },
+    "AzureKeyVaultConfiguration": {
+        "AzureKeyVaultEndpoint": "",
+        "ClientId": "",
+        "ClientSecret": "",
+        "UseClientCredentials": true,
+        "IdentityServerCertificateName": "",
+        "DataProtectionKeyIdentifier": "",
+        "ReadConfigurationFromKeyVault": false
     }
 }

src/Skoruba.IdentityServer4.Shared/Configuration/Common/AzureKeyVaultConfiguration.cs

@@ -15,5 +15,7 @@ public class AzureKeyVaultConfiguration
         public string IdentityServerCertificateName { get; set; }
 
         public string DataProtectionKeyIdentifier { get; set; }
+
+        public bool ReadConfigurationFromKeyVault { get; set; }
     }
 }

src/Skoruba.IdentityServer4.Shared/Helpers/StartupHelpers.cs

@@ -5,6 +5,7 @@
 using Microsoft.Azure.Services.AppAuthentication;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Configuration.AzureKeyVault;
 using Microsoft.Extensions.DependencyInjection;
 using SendGrid;
 using Skoruba.IdentityServer4.Shared.Configuration.Common;
@@ -67,5 +68,31 @@ public static void AddDataProtection<TDbContext>(this IServiceCollection service
                 }
             }
         }
+
+        public static void AddAzureKeyVaultConfiguration(this IConfiguration configuration, IConfigurationBuilder configurationBuilder)
+        {
+            if (configuration.GetSection(nameof(AzureKeyVaultConfiguration)).Exists())
+            {
+                var azureKeyVaultConfiguration = configuration.GetSection(nameof(AzureKeyVaultConfiguration)).Get<AzureKeyVaultConfiguration>();
+
+                if (azureKeyVaultConfiguration.ReadConfigurationFromKeyVault)
+                {
+                    if (azureKeyVaultConfiguration.UseClientCredentials)
+                    {
+                        configurationBuilder.AddAzureKeyVault(azureKeyVaultConfiguration.AzureKeyVaultEndpoint,
+                            azureKeyVaultConfiguration.ClientId, azureKeyVaultConfiguration.ClientSecret);
+                    }
+                    else
+                    {
+                        var keyVaultClient = new KeyVaultClient(
+                            new KeyVaultClient.AuthenticationCallback(new AzureServiceTokenProvider()
+                                .KeyVaultTokenCallback));
+
+                        configurationBuilder.AddAzureKeyVault(azureKeyVaultConfiguration.AzureKeyVaultEndpoint,
+                            keyVaultClient, new DefaultKeyVaultSecretManager());
+                    }
+                }
+            }
+        }
     }
 }