Azure App Configuration and Azure Key Vault are complementary services used side by side in many applications. App Configuration helps you use the services together by creating keys in your App Configuration store that reference secrets or certificates stored in Key Vault. Because Key Vault stores the public and private key pair of a certificate as a secret, your application can retrieve any certificate as a secret from Key Vault.
When secrets and certificates are rotated in Key Vault, your application should pick up the latest values. This article shows you how to automate the process of reloading Key Vault secrets and certificates without restarting your application.
Prerequisites
- The ASP.NET Core web app that you update when you complete the steps in Tutorial: Use Key Vault references in an ASP.NET Core app. This article shows you how to set up your application to automatically reload secrets and certificates from Key Vault. It builds on the tutorial for implementing Key Vault references in your code.
- The key vault that you create when you complete the steps in Tutorial: Use Key Vault references in an ASP.NET Core app.
- The Microsoft.Azure.AppConfiguration.AspNetCore package, version 4.4.0 or later.
Overview
As a good security practice, secrets and certificates should be rotated periodically. For more information, see Automate the rotation of a secret for resources that use one set of authentication credentials and Tutorial: Configure certificate autorotation in Key Vault. After secrets and certificates are rotated in Key Vault, there are two ways to load these values without restarting your application:
- Update the value of a sentinel key to trigger the refresh of your entire configuration. This process reloads all Key Vault secrets and certificates. For more information, see Monitoring a sentinel key and Azure App Configuration dynamic settings sample.
- Periodically reload some or all secrets and certificates from Key Vault.
When you use the first option, you need to update the value of the sentinel key in App Configuration whenever you rotate secrets and certificates in Key Vault. This approach works well when you want to force an immediate reload of secrets and certificates in your application. However, when secrets and certificates are rotated automatically in Key Vault, your application can experience errors if you don't update the value of the sentinel key in time.
The second option provides a way to automate this process. You can configure your application to reload secrets and certificates from Key Vault within your acceptable delay from the time of rotation. This article walks you through the second option.
Add an automatically rotating certificate to Key Vault
To add an automatically rotating certificate to a key vault, follow the steps in Tutorial: Configure certificate autorotation in Key Vault.
- Use the key vault that you create in the tutorial listed in Prerequisites.
- Name the certificate ExampleCertificate.
Add a reference to the Key Vault certificate in App Configuration
Go to the Azure portal, select All resources, and then select the App Configuration store that you use in the tutorial listed in Prerequisites.
Select Configuration explorer.
Select Create > Key Vault reference, and then enter the following values:
- For Key: Enter TestApp:Settings:KeyVaultCertificate.
- For Label: Leave the value blank.
- For Subscription, Resource group, and Key vault: Enter the values you use when you create the key vault in the tutorial listed in Prerequisites.
- For Secret: Select the secret named ExampleCertificate that you create in the previous section.
- For Secret Version: Select Latest version.
Note
If you reference a specific version, reloading the secret or certificate from Key Vault always returns the same value.
Update code to reload Key Vault secrets and certificates
Go to the folder that contains the ASP.NET Core web app project that you update in the tutorial listed in Prerequisites.
Open Program.cs, and replace the call to the AddAzureAppConfiguration method with the call in the following code. The updated call uses the SetSecretRefreshInterval method to set up a refresh interval for your Key Vault certificate. With this change, your application reloads the public-private key pair for ExampleCertificate every 12 hours.
```csharp
using Azure.Identity; // at the top of Program.cs; provides DefaultAzureCredential

// Endpoint of the App Configuration store, read from local configuration
// (appsettings.json, user secrets, or an environment variable).
string endpoint = builder.Configuration.GetValue<string>("Endpoints:AppConfiguration");
builder.Configuration.AddAzureAppConfiguration(options =>
{
    options.Connect(new Uri(endpoint), new DefaultAzureCredential());
    options.ConfigureKeyVault(keyVaultOptions =>
    {
        // Credential used to resolve Key Vault references. The identity it
        // resolves to needs permission to read secrets in the vault.
        keyVaultOptions.SetCredential(new DefaultAzureCredential());

        // Reload this one Key Vault reference every 12 hours, whether or not
        // anything changed in App Configuration.
        keyVaultOptions.SetSecretRefreshInterval("TestApp:Settings:KeyVaultCertificate", TimeSpan.FromHours(12));
    });
});
```
The first argument in the SetSecretRefreshInterval method is the key of the Key Vault reference in App Configuration. This argument is optional. If you omit it, the specified refresh interval is applied to all secrets and certificates that don't have individual refresh intervals.
The second argument is the refresh interval. Its value specifies the frequency at which to reload your secrets and certificates from Key Vault, regardless of any changes to their values in Key Vault or App Configuration. If you want to reload secrets and certificates when their values change in App Configuration, you can use the ConfigureRefresh method to monitor them. For more information, see Use dynamic configuration in an ASP.NET Core app.
Choose the refresh interval according to your acceptable delay after your secrets and certificates are updated in Key Vault. The interval is a lower bound rather than a timer: the provider reloads a secret the next time a configuration refresh runs (the App Configuration middleware on an incoming request, or an explicit call to IConfigurationRefresher.TryRefreshAsync) after the interval has elapsed, so an idle instance doesn't pick up a rotated value until it handles a request. Each application instance reloads independently, so the request rate against Key Vault scales with the number of instances and the number of Key Vault references; keep it within the Key Vault service limits to avoid throttling.
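The following complete Program.cs is an added example; it is not code from this article or from the App Configuration provider's own samples. It puts both reload paths described above into one app: a per-reference interval for the certificate and a default interval for every other Key Vault reference (SetSecretRefreshInterval), plus a sentinel key watched through ConfigureRefresh, and then consumes the rotated certificate instead of only reading it as a string. Names that are assumptions rather than from the article: the sentinel key TestApp:Settings:Sentinel (create it in the store yourself), the Settings class and its TestApp:Settings section, the /cert endpoint, and the CertificateLoader helper. It assumes .NET 8 with the Microsoft.Azure.AppConfiguration.AspNetCore 7.x and Azure.Identity packages (on provider versions before 7.0 the sentinel method is SetCacheExpiration rather than SetRefreshInterval).

```csharp
// Added example (not from the article or the provider's samples).
// Assumed names: TestApp:Settings:Sentinel, Settings, /cert, CertificateLoader.
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

string endpoint = builder.Configuration.GetValue<string>("Endpoints:AppConfiguration")
    ?? throw new InvalidOperationException("Endpoints:AppConfiguration is not set.");

// One credential for both App Configuration and Key Vault. The identity it
// resolves to needs data-plane read on the store and secret read on the vault.
var credential = new DefaultAzureCredential();

builder.Configuration.AddAzureAppConfiguration(options =>
{
    options.Connect(new Uri(endpoint), credential)
           .Select("TestApp:*") // load only the keys this app needs
           .ConfigureKeyVault(kv =>
           {
               kv.SetCredential(credential);

               // Certificate: reload every 12 hours regardless of App Configuration changes.
               kv.SetSecretRefreshInterval("TestApp:Settings:KeyVaultCertificate", TimeSpan.FromHours(12));

               // Default for every other Key Vault reference without its own interval.
               kv.SetSecretRefreshInterval(TimeSpan.FromHours(24));
           })
           .ConfigureRefresh(refresh =>
           {
               // Sentinel key (assumed name): changing its value in App Configuration
               // forces a full reload, Key Vault references included, at the next check.
               refresh.Register("TestApp:Settings:Sentinel", refreshAll: true)
                      .SetRefreshInterval(TimeSpan.FromMinutes(5));
           });
});

// Registers the refresher the middleware below uses.
builder.Services.AddAzureAppConfiguration();
builder.Services.Configure<Settings>(builder.Configuration.GetSection("TestApp:Settings"));

var app = builder.Build();

// Refresh is lazy: this middleware triggers the check on incoming requests.
// Without it, neither the intervals nor the sentinel ever take effect.
app.UseAzureAppConfiguration();

// IOptionsSnapshot rebinds per request, so each request sees the latest values.
app.MapGet("/cert", (IOptionsSnapshot<Settings> snapshot) =>
{
    using X509Certificate2 cert = CertificateLoader.FromKeyVaultSecret(snapshot.Value.KeyVaultCertificate);
    // Never return or log the secret value itself; the thumbprint is enough to
    // confirm that a rotation has been picked up.
    return Results.Ok(new { cert.Thumbprint, cert.Subject, cert.NotAfter, cert.HasPrivateKey });
});

app.Run();

// Bound from the TestApp:Settings section (assumed shape).
public sealed class Settings
{
    public string KeyVaultCertificate { get; set; } = "";
}

public static class CertificateLoader
{
    // Key Vault exposes a certificate's key pair as a secret whose value is either a
    // base64-encoded PKCS#12 blob (content type application/x-pkcs12, the default) or
    // a PEM bundle (application/x-pem-file), depending on the certificate policy.
    // Handle both so a policy change does not break the app.
    public static X509Certificate2 FromKeyVaultSecret(string secretValue)
    {
        if (string.IsNullOrWhiteSpace(secretValue))
        {
            throw new InvalidOperationException(
                "Certificate secret is empty; check the Key Vault reference and the app's secret read permission.");
        }

        if (secretValue.TrimStart().StartsWith("-----BEGIN", StringComparison.Ordinal))
        {
            // PEM bundle: certificate and private key are in the same text.
            return X509Certificate2.CreateFromPem(secretValue, secretValue);
        }

        // PKCS#12 exported by Key Vault with an empty password.
        // On .NET 9+ prefer X509CertificateLoader.LoadPkcs12(pfx, password: null).
        byte[] pfx = Convert.FromBase64String(secretValue);
        return new X509Certificate2(pfx);
    }
}
```

Two things to keep in mind when adapting this. First, refresh only runs when something triggers it: in a web app that is the UseAzureAppConfiguration middleware on each request, so a worker service or a background job must instead resolve IConfigurationRefresherProvider and call TryRefreshAsync on each refresher from a timer. Second, the certificate is only as fresh as the last refresh; a consumer that caches the X509Certificate2 (for example a Kestrel HTTPS configuration or an HttpClient handler) has to be rebuilt from the new secret value, not just the configuration, or it keeps presenting the old key pair until it restarts.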
Clean up resources
If you don't want to continue using the resources created in this article, delete the resource group you created here to avoid charges.
Important
Deleting a resource group is irreversible. The resource group and all the resources in it are permanently deleted. Ensure that you don't accidentally delete the wrong resource group or resources. If you created the resources for this article inside a resource group that contains other resources you want to keep, delete each resource individually from its respective pane instead of deleting the resource group.
- Sign in to the Azure portal, and select Resource groups.
- In the Filter by name box, enter the name of your resource group.
- In the result list, select the resource group name to see an overview.
- Select Delete resource group.
- You're asked to confirm the deletion of the resource group. Enter the name of your resource group to confirm, and select Delete.
After a few moments, the resource group and all its resources are deleted.