Using Azure Key Vault to store connection strings

ASP.NET, PHP, Tutorials

Azure Key Vault offers secure storage for sensitive information like passwords, secrets etc. If you host your PHPRunner or ASPRunner.NET application on Azure, it will makes sense to store your connection strings in Key Vault. In this article we’ll show you how this can be done.

Creating Key Vault in Azure

1. Create an application in Azure. Write down tenantId, clientId and clientSecret values.

2. Logon to Azure and create a subscription. You need to specify subscription name and select a billing account.

More info:
https://learn.microsoft.com/ru-ru/azure/cost-management-billing/manage/create-subscription

3. Go back to portal home and proceed to Key Vaults. Click ‘Create’. Select a subscription, select a Resource group ( or create a new one ). Enter Key Vault name.

4. Now it is the time to assign access permissions. Under the Key Vault you just created proceed to ‘Access control (IAM)’. Add -> Add Role assigment, select ‘Key Vault Certificates Officer’ using search option, click ‘Next’. Select ‘User, group, or service principal’

Click ‘Select members’ search for your application name and select it. . в поисковой строке справа найти свое приложение (не пользолвателя). Next, Review + assign.

Permissions may take a bit of time to be applied but in our situation it worked right away.

5. Create a secret. The secret is the actual object that stores the sensitive information, database password in our case. Select your Key Vault and under Objects -> Secrets -> Generate/Import enter the name of the secret ( “pass” in our case ) and its value.

Now we are ready to use this in our code.

Using Key Vault in PHPRunner

1. Under Style Editor -> Custom Files add a new file named keyvault.php. Paste the code below and use your own values of tenantId, clientId and clientSecret.

<?php
function getSecret($secretName){
	$tenantId = '...';
	$clientId = '...'; 
	$clientSecret = '...';
	$vaultUrl = "https://xkvault.vault.azure.net/";

	$url = "https://login.microsoftonline.com/".$tenantId."/oauth2/token";
	$parameters = array(
		'grant_type' => 'client_credentials',
		'client_id' => $clientId,
		'client_secret' => $clientSecret,
		'resource' => 'https://vault.azure.net'
	);
	$headers = array("Content-Type"=>"application/x-www-form-urlencoded");
	$response = runner_post_request($url, $parameters, $headers);

	$json = runner_json_decode($response["content"]);
	if (!isset($json['access_token'])) {
		throw new Exception("Failed to get access token: " . $response);
	}
	$accessToken = $json['access_token'];

	$url = $vaultUrl . "secrets/".$secretName."?api-version=7.3";

	$headers = array(
		"Authorization"=>"Bearer ".$accessToken,
		"Content-Type"=>"application/json"
	);
	$response = runner_http_request($url, "", "GET", $headers);
	$result = runner_json_decode($response["content"]);
	return $result['value'];
}
?>

2. An example of using Key Vault in your application. We will create a new Server Database Connection and will retrieve database password from Key Vault. In this example we use MySQL database.

include("keyvault.php");
$host="localhost";
$user="root";
$pwd=getSecret("pass");
$port="";
$sys_dbname="cars";

Using Key Vault in ASPRunner.NET

1. Under Style Editor -> Custom Files add a new file named keyvault.cs. Paste the code below and use your own values of tenantId, clientId and clientSecret.

using System;
using System.IO;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Reflection;
using runnerDotNet;
namespace runnerDotNet
{
	public partial class CommonFunctions
	{
		public static XVar getSecret(dynamic secretName)
		{
			dynamic accessToken = null, clientId = null, clientSecret = null, headers = null, json = XVar.Array(), parameters = null, result = XVar.Array(), tenantId = null, url = null, var_response = XVar.Array(), vaultUrl = null;
			tenantId = new XVar("...");
			clientId = new XVar("...");
			clientSecret = new XVar("...");
			vaultUrl = new XVar("https://xkvault.vault.azure.net/");
			url = XVar.Clone(MVCFunctions.Concat("https://login.microsoftonline.com/", tenantId, "/oauth2/token"));
			parameters = XVar.Clone(new XVar("grant_type", "client_credentials", "client_id", clientId, "client_secret", clientSecret, "resource", "https://vault.azure.net"));
			headers = XVar.Clone(new XVar("Content-Type", "application/x-www-form-urlencoded"));
			var_response = XVar.Clone(MVCFunctions.runner_post_request((XVar)(url), (XVar)(parameters), (XVar)(headers)));
			json = XVar.Clone(CommonFunctions.runner_json_decode((XVar)(var_response["content"])));
			if(XVar.Pack(!(XVar)(json.KeyExists("access_token"))))
			{
				new Exception((XVar)(MVCFunctions.Concat("Failed to get access token: ", var_response)));
			}
			accessToken = XVar.Clone(json["access_token"]);
			url = XVar.Clone(MVCFunctions.Concat(vaultUrl, "secrets/", secretName, "?api-version=7.3"));
			headers = XVar.Clone(new XVar("Authorization", MVCFunctions.Concat("Bearer ", accessToken), "Content-Type", "application/json"));
			var_response = XVar.Clone(MVCFunctions.runner_http_request((XVar)(url), new XVar(""), new XVar("GET"), (XVar)(headers)));
			result = XVar.Clone(CommonFunctions.runner_json_decode((XVar)(var_response["content"])));
			return result["value"];
		}
	}
}

2. In BeforeConnect event use the following code:

dynamic pass = CommonFunctions.getSecret("pass");
GlobalVars.ConnectionStrings["conn"] = MVCFunctions.Concat("Server=localhost;Database=cars;User Id=root;Password=",pass);

Using Azure Key Vault to store connection strings

Creating Key Vault in Azure

Using Key Vault in PHPRunner

Using Key Vault in ASPRunner.NET

Leave a Reply

Sign up for the free email newsletter for news about our
database publishing software, tips, and more.

Resources

Company

Creating Key Vault in Azure

Using Key Vault in PHPRunner

Using Key Vault in ASPRunner.NET

Related posts:

Leave a Reply