It feels as though the documentation could be a lot clearer on how to securely use connection strings registered in the AppHost in downstream components. Ideally, I'd like to put my connection string in a secret in an Azure Key Vault instance and have everything automatically pull from that as downstream clients are initialized, but it's just not working as I'd expect and the lack of guidance in the documentation leaves me frustrated. Here, I'm simply trying to pull the Cosmos DB connection string out of a Key Vault secret called "connectionstrings-cosmosdb".

I have the following packages installed in my AppHost project:

```xml
<PackageReference Include="Aspire.Azure.Security.KeyVault" Version="8.0.0-preview.3.24105.21" />
<PackageReference Include="Aspire.Hosting" Version="8.0.0-preview.3.24105.21" />
<PackageReference Include="Aspire.Hosting.Azure" Version="8.0.0-preview.3.24105.21" />
<PackageReference Include="Aspire.Microsoft.Azure.Cosmos" Version="8.0.0-preview.3.24105.21" />
```

In my AppHost project in Program.cs, I have the following:

```csharp
var builder = DistributedApplication.CreateBuilder(args);

var cache = builder.AddRedis("cache");
var keyVault = builder.AddAzureKeyVault("secrets");
var cosmosdb = builder.AddAzureCosmosDB("cosmosdb");

builder.AddProject<Projects.MyEdventureLabWeb>("webfrontend")
    .WithReference(cache)
    .WithReference(cosmosdb)
    .WithReference(keyVault);

builder.Build().Run();
```

I'm not using Microsoft.Extensions.Configuration, so my appsettings.json in AppHost only lists the connection strings - the Key Vault URL as "secrets" and the Key Vault reference to the secret in that vault as "cosmosdb":

```json
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning",
      "Aspire.Hosting.Dcp": "Warning"
    }
  },
  "ConnectionStrings": {
    "secrets": "VaultUri=https://<myvault>.vault.azure.net/",
    "cosmosdb": "@Microsoft.KeyVault(SecretUri=https://<myvault>.vault.azure.net/secrets/connectionstrings-cosmosdb/)"
  }
}
```

As I understand it, this is all I need at the AppHost level, so moving on to my other consuming project. Among others not relevant to this inquiry, I have the following packages installed:

```xml
<PackageReference Include="Aspire.Azure.Security.KeyVault" Version="8.0.0-preview.3.24105.21" />
<PackageReference Include="Aspire.Microsoft.Azure.Cosmos" Version="8.0.0-preview.3.24105.21" />
<PackageReference Include="Aspire.StackExchange.Redis.OutputCaching" Version="8.0.0-preview.3.24105.21" />
```

My project's Program.cs starts with the following:

```csharp
var builder = WebApplication.CreateBuilder(args);

builder.AddServiceDefaults();
builder.AddRedisOutputCache("cache");
builder.AddAzureKeyVaultSecrets("secrets");
builder.AddAzureCosmosDB("cosmosdb");
```

In theory, all this should work. When I launch my program, I experience an exception though:

Now this is odd, because the secret I'm storing in the Key Vault has the form:

What am I doing wrong here?
There's no support for pushing or pulling secrets into or from key vault from the apphost, at least not yet.

```json
{
  "cosmosdb": "@Microsoft.KeyVault(SecretUri=https://<myvault>.vault.azure.net/secrets/connectionstrings-cosmosdb/)"
}
```

What component supports this syntax? Where did you find it?

Assuming you have already created the secrets with the right naming convention in keyvault, then you should be able to get this working by using the keyvault configuration provider. Aspire components read connection information from IConfiguration, so what you need to happen is:

AppHost

```csharp
var builder = DistributedApplication.CreateBuilder(args);

var cache = builder.AddRedis("cache");
var keyVault = builder.AddAzureKeyVault("secrets");
builder.AddAzureCosmosDB("cosmosdb");

builder.AddProject<Projects.MyEdventureLabWeb>("webfrontend")
    .WithReference(cache)
    .WithReference(keyVault);

builder.Build().Run();
```

Your application is reading connection strings from keyvault so you don't need to do WithReference to cosmos directly in the apphost.

```csharp
var builder = WebApplication.CreateBuilder(args);

// Load secrets from configuration. The connection name must match the
// Key Vault resource registered in the AppHost ("secrets").
builder.Configuration.AddKeyVaultSecrets("secrets");

builder.AddServiceDefaults();
builder.AddRedisOutputCache("cache");
builder.AddAzureCosmosDB("cosmosdb");
```
Ah, Copilot led me astray. I asked it to source the documentation it was pulling from and it was apparently making it up out of thin air again. Is WithReference only necessary when the AppHost is able to directly pull the connection string itself? I'd assumed it was always required if you were registering the component downstream in the app. I think I follow what you're saying - there's no Aspire way of reading secrets from the Key Vault today. Instead, I should be using the Azure.Extensions.AspNetCore.Configuration.Secrets package and registering it during DI so it can pull the Key Vault secrets itself?

```csharp
// Load secrets from the vault into IConfiguration using the app's own identity.
builder.Configuration.AddAzureKeyVault(new Uri("https://<vaultName>.vault.azure.net/"),
    new DefaultAzureCredential());

// Resolve the client's connection string from configuration (now backed by Key Vault).
builder.Services.AddSingleton(new SendGridClient(builder.Configuration.GetConnectionString("sendgrid")));
```

...where the appsettings.json now supports the syntax required by that extension:

```json
{
  "ConnectionStrings": {
    "sendgrid": "@AzureKeyVault(connectionstrings-sendgrid)"
  }
}
```

I use SendGrid here, but since I'm pulling the secrets myself, I could just as easily substitute in the Cosmos connection string as well?
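As an added example (not code from this discussion, from Aspire or from the Azure SDK), here is the consuming project's Program.cs wired the way the accepted answer describes: the vault address arrives from the AppHost's "secrets" connection string, the Azure.Extensions.AspNetCore.Configuration.Secrets provider loads the vault's secrets into IConfiguration, and the secret is named to follow that provider's convention (a "--" in the secret name becomes the ":" configuration separator), so a secret called ConnectionStrings--cosmosdb surfaces as ConnectionStrings:cosmosdb and the Aspire Cosmos component finds it without any WithReference(cosmosdb). ParseVaultUri is a helper written here, and the secret name is a constructed instance of that convention.

```csharp
using System.Data.Common;
using Azure.Identity;
using Microsoft.Extensions.Configuration; // AddAzureKeyVault lives in Azure.Extensions.AspNetCore.Configuration.Secrets

var builder = WebApplication.CreateBuilder(args);

// The AppHost's WithReference(keyVault) injects ConnectionStrings:secrets. The appsettings.json on this
// page writes it as "VaultUri=https://<myvault>.vault.azure.net/"; a bare vault URI is accepted as well.
// Only the vault address lives in configuration; no secret value is stored in appsettings.json.
var vaultUri = ParseVaultUri(
    builder.Configuration.GetConnectionString("secrets")
    ?? throw new InvalidOperationException("No 'secrets' connection string was injected by the AppHost."));

// Key Vault configuration provider: every secret the app's identity may read becomes a configuration key.
// DefaultAzureCredential means no client secret in the app; grant the identity get/list on secrets only.
builder.Configuration.AddAzureKeyVault(vaultUri, new DefaultAzureCredential());

// Naming convention that makes this work: the provider maps "--" in a secret name to ":", so a secret
// named ConnectionStrings--cosmosdb (constructed name) is readable as ConnectionStrings:cosmosdb.
// Fail fast, without echoing the value, if the secret is missing or the identity lacks access.
if (string.IsNullOrEmpty(builder.Configuration.GetConnectionString("cosmosdb")))
    throw new InvalidOperationException(
        "Secret 'ConnectionStrings--cosmosdb' was not loaded from Key Vault; check its name and the access policy.");

// Aspire components read ConnectionStrings:<name> from IConfiguration, so no WithReference(cosmosdb) is needed.
builder.AddServiceDefaults();
builder.AddRedisOutputCache("cache");
builder.AddAzureCosmosDB("cosmosdb");

var app = builder.Build();
app.Run();

// Hypothetical helper (not part of Aspire): accept either shape of the vault connection string.
static Uri ParseVaultUri(string connectionString)
{
    if (connectionString.Contains('='))
    {
        // "VaultUri=https://..." form: parse as key/value pairs and pick the VaultUri key (case-insensitive).
        var parts = new DbConnectionStringBuilder { ConnectionString = connectionString };
        if (parts.TryGetValue("VaultUri", out var value)
            && Uri.TryCreate(value?.ToString(), UriKind.Absolute, out var fromPairs))
            return fromPairs;
    }
    else if (Uri.TryCreate(connectionString, UriKind.Absolute, out var direct))
    {
        return direct; // bare "https://<myvault>.vault.azure.net/" form
    }

    throw new InvalidOperationException("The 'secrets' connection string does not contain a valid vault URI.");
}
```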