Skip to content

Commit

Permalink
docs: publish v2.0.0 feature docs (arcus-azure#429)
Browse files Browse the repository at this point in the history
  • Loading branch information
@stijnmoreels
stijnmoreels authored May 7, 2024
1 parent 143aaa8 commit f5e02f2
Show file tree
Hide file tree
Showing 21 changed files with 1,804 additions and 0 deletions.
139 changes: 139 additions & 0 deletions ...ned_docs/version-v2.0.0/02-Guides/add-secret-store-with-keyvault-integration.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,139 @@
---
title: "Add secret store with Azure Key Vault integration"
layout: default
---

# Add secret store with Azure Key Vault integration
The Arcus secret store is a alternative on the general usage of storing secrets in the application configuration (`IConfiguration`). It is important in application development to differentiate between configuration data and sensitive information like secrets. The Arcus secret store is extremely flexible and can be extended to support several secret providers to retrieve its secrets - both built-in as well as custom.

The secret store can be added during any part of de application lifetime. Once added, you can benefit from the safe and convenient way of secret retrieval that is the Arcus secret store.

This user guide will cover how the Arcus secret store can be added to an existing API application in order to retrieve secrets from Azure Key Vault.

## Terminology
To fully understand the power of the secret store, some terminology has to be understood:
- **Secret**: piece of sensitive information like access keys or connection strings; anything that is private and cannot be made public
- **Secret store**: central place where the application retrieve its secrets.
- **Secret provider**: implementation that provides secrets to the secret store (ex.: Azure Key Vault secret provider), many secret providers can be configured within a secret store.

## Sample application
In this user guide, a fictive API application will be used to add the secret store to. We will be working with two major parts.

The initial place where the application will be started:
```csharp
public class Program
{
public static void Main(string[] args)
{
WebApplicationBuilder builder = WebApplication.CreateBuilder(args);
builder.Configuration.AddJsonFile("appsettings.json");

WebApplication app = builder.Build();
app.UseRouting();
app.Run();
}
}
```

And the API controller where a secret is being used:
```csharp
[ApiController]
public class OrderController : ControllerBase
{
private readonly IConfiguration _configuration;

public OrderController(IConfiguration configuration)
{
_configuration = configuration;
}

[HttpPost]
public async Task Post([FromBody] Order order)
{
string connectionString = _configuration["Azure:ServiceBus:ConnectionString"];

// Post Order to Azure Service Bus...
}
}
```

> Note that in this example, we use the application configuration to retrieve the Azure Service Bus connection string to post the incoming order to Azure Service Bus and not the Arcus secret store.
## Use Arcus secret store
For us to move away from the application configuration, we need to make use of the Arcus secret store. The following step instructions will guide you in this process:

### 1. Install Arcus security
For this example, we will be using Azure Key Vault as our single secret provider in the secret store, so we can install this directly:
```shell
PM > Install-Package Arcus.Security.Providers.AzureKeyVault
```

> Note that this package depends on the `Arcus.Security.Core` package, where the secret store exists.
### 2. Add Arcus secret store to application
Once the package is installed, add the secret store via extensions to the API application:
* 2.1 Use the `.ConfigureSecretStore` to setup the secret store with necessary secret providers
* 2.2 Use the the `.AddAzureKeyVaultWithManagedIdentity` to add the Azure Key Vault secret provider to the secret store

```csharp
using Arcus.Security.Core.Caching.Configuration;

public class Program
{
public static void Main(string[] args)
{
WebApplicationBuilder builder = WebApplication.CreateBuilder(args);
builder.Configuration.AddJsonFile("appsettings.json");

builder.Host.ConfigureSecretStore((configuration, stores) =>
{
string vaultUri = configuration["Azure:KeyVault:VaultUri"];
stores.AddAzureKeyVaultWithManagedIdentity(vaultUri, CacheConfiguration.Default);
});

WebApplication app = builder.Build();
app.UseRouting();
app.Run();
}
}
```

> Note that during the configuration of the secret store, you will be able to access the application configuration; in this case it is used to retrieve the URI where the Azure Key Vault is located.
### 3. Inject the Arcus secret store in application
Now that the Arcus secret store is added and configured to the application, the application can use it to retrieve it secrets. The Arcus secret store is accessible throughout the application via the `ISecretProvider` interface - combining all the configured secret providers.

In the `OrderController`, inject the `ISecretProvider` interface via the constructor. The `ISecretProvider` will allow you to retrieve the Azure Service Bus connection string from the secret store.
```csharp
using Arcus.Security.Core;

[ApiController]
public class OrderController : ControllerBase
{
private readonly ISecretProvider _secretProvider;

public OrderController(ISecretProvider secretProvider)
{
_secretProvider = secretProvider;
}

[HttpPost]
public async Task Post([FromBody] Order order)
{
string connectionString = await _secretProvider.GetRawSecretAsync("Azure_ServiceBus_ConnectionString");

// Post Order to Azure Service Bus...
}
}
```

## Conclusion
In this user guide, you've seen how the Arcus secret store can be added to an existing application to retrieve secrets. The Arcus secret store is a very wide topic and can be configured with many different options. See [this documentation page](../03-Features/secret-store/index.md) to learn more about the Arcus secret store.

## Further reading
- [Arcus secret store documentation](../03-Features/secret-store/index.md)
- [Azure Key Vault secret provider](../03-Features/secret-store/provider/key-vault.md)
- [Create your own secret provider](../03-Features/secret-store/create-new-secret-provider.md)
- [Introducing Arcus secret store](https://www.codit.eu/blog/introducing-secret-store-net-core/)
- [The power of the Arcus secret store](https://www.codit.eu/blog/the-power-of-the-arcus-secret-store/)
- [Role-based authorization by low-level customization of the Arcus secret store](https://www.codit.eu/blog/role-based-authorization-low-level-customization-arcus-secret-store/)
1 change: 1 addition & 0 deletions docs/versioned_docs/version-v2.0.0/03-Features/secret-store/_category_.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
label: 'Secret store'
110 changes: 110 additions & 0 deletions docs/versioned_docs/version-v2.0.0/03-Features/secret-store/azure-functions.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
---
title: "Azure Functions support"
layout: default
---

# Using secret store within Azure Functions
This separate documentation section explains how the Arcus secret store can be used within Azure Functions environments (both in-process and isolated).

## Using secret store within in-process Azure Functions
To more easily configure the secret store, we provided a dedicated package that builds on top of the `IFunctionsHostBuilder`:

## Installation
For this feature, the following package needs to be installed:

```shell
PM > Install-Package Arcus.Security.AzureFunctions
```

### Usage
The secret stores are configured during the initial application build-up in the `Startup.cs`:
```csharp
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

[assembly: FunctionsStartup(typeof(Startup))]

namespace MyHttpAzureFunction
{
public class Startup : FunctionsStartup
{
public override void Configure(IFunctionsHostBuilder builder)
{
builder.ConfigureSecretStore((FunctionsHostBuilderContext context, IConfiguration config, SecretStoreBuilder stores) =>
{
var keyVaultName = config["KeyVault_Name"];
stores.AddEnvironmentVariables()
.AddAzureKeyVaultWithManagedIdentity($"https://{keyVaultName}.vault.azure.net");
})
}
}
}
```

Once the secret providers are defined, the `ISecretProvider` can be used as any other registered service:
```csharp
using Arcus.Security.Core;

namespace Application
{
public class MyHttpTrigger
{
public MyHttpTrigger(ISecretProvider secretProvider)
{
}

[FunctionName("MyHttpTrigger")]
public async Task<IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
ILogger log)
{
return new OkObjectResult("Response from function with injected dependencies.");
}
}
}
```

## Using secret store within isolated Azure Functions
Since isolated Azure Functions are built with the default `HostBuilder`, the general secret store packages can be used in this environment. No need to install the dedicated `Arcus.Security.AzureFunctions` package.

### Usage
Using the available extensions on the `HostBuilder` or `IServiceCollection`, the secret store can be added, just like a Web API or console application.

```csharp
var host = new HostBuilder()
.ConfigureFunctionsWorkerDefaults(builder =>
{

})
.ConfigureSecretStore((context, config, stores) =>
{
builder.AddEnvironmentVariables()
.AddAzureKeyVaultWithManagedIdentity($"https://{keyVaultName}.vault.azure.net");
})
.Build();
```

Once the secret providers are defined, the `ISecretProvider` can be used as any other registered service:
```csharp
using Arcus.Security.Core;

namespace Application
{
public class MyHttpTrigger
{
public MyHttpTrigger(ISecretProvider secretProvider)
{
}

[Function("MyHttpTrigger")]
public HttpResponseData Run(
[HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequestData req,
ILogger log)
{
var response = req.CreateResponse(HttpStatusCode.OK);
return response;
}
}
}
```
Loading

0 comments on commit f5e02f2

Please sign in to comment.