SECRET MANAGER In ASP NET Core | Getting Started With ASP.NET Core Series

Captions
Most applications that we build today rely on some secrets to perform certain operations. These secrets include API keys, database connection strings, third-party service credentials, etc. In ASP.NET these application secrets are stored as part of the application configuration, the appsettings.config or a web.config file. However, one of the main recommendations of secure coding practices is to never store application secrets inside your source code. So how do you solve this problem of not having the application secrets as part of your configuration files, but still have a seamless local development experience when developing ASP.NET applications? Let's see exactly how to do this in this video.

Hello everyone, my name is Rahul and welcome back to my YouTube channel. If you're new here, please make sure to hit the subscribe button. I make videos around .NET, cloud and DevOps; I am sure you are interested in one of these.

Let's head off to my console and create a new dotnet application. I'll use the .NET CLI and create new and specify the react keyword. This will create a React single page application template with ASP.NET Core. If you're new to this template, I've spoken about this earlier in this YouTube channel. Let's open up the solution. I'll use Rider for this example, so I'll use rider64 and dot to open the project in the current folder. I have the solution opened up, so let's navigate to the Solution Explorer and we can see the application in here. We have the Startup.cs, the Program.cs and a default controller. Let's open up the WeatherForecastController. The default template does not use any sensitive information, so if I was to open the appsettings.json I cannot see any such configurations in here. This is because all the data inside the controller is currently hard coded. So let's update this code to start using some sensitive information from the configuration file.

Since this controller deals with weather data, I thought of integrating with an external weather service. I have created an account in weatherapi.com, which you can also do for free. There is a certain limit on the number of requests, but it's good enough for this example. So if I go to my account, I can see my API key under here. Let's copy this, since we'll be using this in a short while in our application. To play around with this API you can choose the API Explorer and start making requests here. The default controller does a forecast, so we can use a similar API call in our application as well. So if you were to paste in the API key and pass in a city name, let's say London for example, and you can give days, so let's give 3, and say Show Response, this gives back a whole lot of data which we can start using in our controllers.

Now I have already written this code, which you can go through if you are interested. All I'm doing is making a call to this HttpClient, capturing this data, converting it into C# classes and returning back the data in the format that we need. So let me copy and paste the code into this controller class and I'll quickly walk you through it. Using Ctrl+A and Ctrl+V I have the full code pasted up here. Let's fix this namespace, because I had created this in a different application. Now in here the TemperatureC of the WeatherForecast controller was an integer, whereas the value coming from the API is a double, so let me fix that by updating my model to say this is a double. That's the only change that I had to do with the existing WeatherForecast data. Now everything else is compiling successfully.

So if we take a look at this code, we have the WeatherForecastController like before. Since this code now makes a call to an external API, I have used the HttpClientFactory. Now we had seen in an earlier video the different usage patterns of HttpClient, and this falls under the basic usage pattern. You can check out the video link here if you want to learn more on how best to use an HttpClient instance. The WeatherApiOptions passes in the URL and the key, that is, the API key used to make requests to this URL. So this is the options pattern in ASP.NET Core, and you can again check out the linked video if you want to learn more. Within the Get method I create an HttpClient and make a request to this URL using the URL, the API key, and passing in the city name and the number of days. This was exactly how the request was being made in this particular case: if you go back to the API dashboard you can see that this is the request that is being made to this API, so I have made this exact same request from the new code that we have just written. Switching back to the application: using this URL and the HttpClient it makes a request to get the data as JSON, so it captures it as an object which is basically the return from this API. So it has a forecast object, and I have just captured the important data that I require, so that has a forecast day and certain properties of the day and the temperature for that particular day. Let's not go too much into the details of this format, but we just convert this back into the data that we want, so we get a date, summary and the temperature. That's all that the UI needs in this particular example.

To get this to work, since I have added the HttpClientFactory and API options, we'll need to update the appsettings.json and also the services, and also the Startup.cs. So let's first navigate to the Startup.cs class and configure the HttpClientFactory. To do that, right after ConfigureServices, let's make a call services.AddHttpClient. This will make sure to inject in the HttpClientFactory. Now to configure the API options, let's add in this code, which basically configures this class and reads from the configuration file and gets the section which is of the name WeatherApi. So this is a hard coded text that is right along with that particular class. Now since this is looking at the config file, we also need to update the appsettings.json file. Let me paste in the configuration that's required. So this is the WeatherApi with the hierarchical structure, and it takes in a URL and the key. The URL is the base URL to the API and the key is the secret that we just saw from the dashboard.

Let's build and run this application to make sure it's working as expected. The application is running successfully, so if we navigate back to the source code and put a breakpoint inside the WeatherForecastController, let's say right up at the constructor, and come back to the application and navigate to Fetch Data, this is what is calling the controller method. So the breakpoint is hit and we can see the HttpClientFactory is injected in successfully, and also the WeatherApiOptions. This has the value that we set up in the appsettings.config, so this has the key and the URL as part of the WeatherApiOptions. Now this code will be using these details to make a request, so let's continue the execution and we can see we have successful data coming back into the UI. So this is real-time data using Weather API and getting back the response in our application.

So let's say we have completely done this feature and we want to commit this and check this in into our source control. So let's stop this application and open up the appsettings.json. This file gets checked into the source control repository as well; however, we have the sensitive key as part of this configuration. Now since I am on a free subscription it might not be much of an issue, but still I would stay away from checking this in into the source control, because I could soon be hitting the limit if somebody else was to get this key and start making requests. So how do I get this to work without checking in to the source control repository? Now one option I have seen many people use, and I have used myself, is to avoid checking in this file with this secret. So any time I need to make changes I would first remove this key, and then stage these files and commit, and then put this key back in. However, this is error prone and you can sometimes make mistakes and accidentally check in this file with the secure information. Now this is something you do not want to have, so let's see how we can fix this. So let's first commit this file and see how to fix this. Let's initialize a repository, add all the files inside here, and for now I'll remove this key before committing. So let's make sure I do that, add it again, and then say git commit and leave a message. Now I have all the files committed to the repository. I can copy back and paste in the key again. This is a tedious and error-prone process, so how do I achieve not having to do this over and over again any time I make changes to my application?

The Secret Manager tool in ASP.NET Core, or .NET Core in general, is exactly to solve this particular problem. Let's see how exactly we can do this. The Secret Manager tool can be managed from the UI in Visual Studio, but in the Rider IDE you might need an additional extension to do that. Now I have not installed that extension myself, so let's switch over to Visual Studio to get started with Secret Manager. I'll show you other ways of dealing with secrets as well later in this video. So switching to Visual Studio, where I have the existing solution opened, let's right click on the project SecretManager that we were just building, and we can see an option here: Manage User Secrets. This is what initializes the Secret Manager from Visual Studio. So let's click that, which opens up a secrets file. Now we can add in our configurations under here. So let's navigate to appsettings.json, copy this WeatherApi and paste this inside secrets.json. So this is just like a config file, but you can leave all secret information inside here. Now let's go back to appsettings.json and make sure to remove this particular key from inside the application configuration. Now all I have done is move this inside secrets.json. Let's make sure to save this and run this application to see if it's still working as expected. The application is running, so let's switch back to Fetch Data, and we can see the data coming back again.

If we come back to the application, the appsettings.json does not have a secret key in here, and also if we open up Team Explorer and look at the changes, we can see that there is no secrets.json as part of the source control repository. So the only change that has happened is to the SecretManager.csproj. So how is this all working under the hood with the secrets.json file? To know that, let's open up this change to understand what changed when we added the Secret Manager. So here you can see there is an additional UserSecretsId tag added under this particular project node. This points to a GUID value inside of here. So if you were to look at the secrets.json file and right click and say Open Containing Folder, we can see that this is no longer inside the source control. In this particular case this is under my username, the AppData and UserSecrets folder under Microsoft, and this has a GUID as well here. This GUID is exactly the same as the GUID that we found in the SecretManager.csproj file. So if you look at it, it starts with a49 and ends with ee6, and that's exactly the same up here as well. Now this is a simple JSON file that's stored as part of the UserSecrets folder. .NET, when it finds this particular tag, looks for that file inside this ID directory. That's how this is working under the hood.

The ASP.NET Core application is wired to use the Secret Manager when the builder is set up. So if I navigate back again to the Rider IDE, because that's where it's easier to show into the dotnet code, I can go into the Program.cs class and navigate into the CreateDefaultBuilder code. If I navigate into the CreateDefaultBuilder method, you can see that there is a call to the Secret Manager inside of here. So it says if the environment is Development, configure adding user secrets for this app assembly, and this is also optional, so if that file doesn't exist that is not treated as an error. Now this is only applicable to the Development environment. So how does the application know which environment it is running in? It uses a specific environment variable, which is in this particular case defined under Properties and inside the launchSettings.json. It uses the ASPNETCORE_ENVIRONMENT variable. Now in this file there are two profiles defined: one when you're running for IIS Express, and the other with the name SecretManager. So let's try updating this environment to Staging and running this application again. So I'll press F5 and this application has started to run. Let's make sure to come back to WeatherForecastController and make sure the breakpoint is still there. Now once you change the environment to Staging, the React part of the application with the default template is not going to work. This is because if you navigate back to the application code you can see in Startup.cs it configures the AddSpaStaticFiles, and this works only in the Development environment, because in the real production environment it would be served directly from the server. So let's ignore that part, but make a request to the WeatherForecast endpoint, which is the API in itself. So this is going to make a request to the API, and I can see that the WeatherApiOptions in here will be having an empty value. This is because in Staging we don't have this value set. However, the URL is set because that's there in appsettings.json, which is why this value is coming in here. So this follows a hierarchy to fill up these variables, which we had seen earlier in the configuration video. You can check that out to see how this works exactly.

Now some development teams that I have worked with name the local environment LocalDev instead of Development; Development might be used for the dev environment that they use to deploy and test. Now in this case their ASP.NET Core environment might be set to LocalDev, but the Secret Manager wouldn't work by default with this setting, because it looks only at the Development string. So if you were to navigate back to Program.cs we can explicitly configure this for local development, and you will also need to make sure to remove it from the Development environment. Now to configure this explicitly, after the CreateDefaultBuilder you can call the ConfigureAppConfiguration method, take in a host context and also the configuration object. So let's make sure to use brackets and set up the Secret Manager inside here. So let's make sure to close the brackets up here as well, and then if the hostContext.HostingEnvironment.EnvironmentName, we can check against this particular value, so in our case this is going to be LocalDev. In this case we can call config.AddUserSecrets. This is exactly the same call that we saw earlier inside the ASP.NET Core code. We'll have to specify an assembly, so we can use the generics and specify this Program class itself. Now this is going to read from this particular project. So now if I was to run this application again and put a breakpoint up here, I can see the host context environment name is LocalDev. So if I step in, that's going to configure the user secrets, and I can continue execution. However, note that the React app is still broken because I have not configured it to work in this environment, but I can navigate again to the API explicitly and make sure that the WeatherApiOptions is getting successfully set. So the API values are now being set again, so the key is again set, and we can have the application work as before. So if I resume the execution I get the JSON data back as expected.

Now earlier, to configure the user secrets we had switched over to Visual Studio. Let's do that again, and the secrets.json file is being managed up here. But it's not necessary that you need Visual Studio to configure this. So if you don't have Visual Studio, you can use the command line to configure this as well. So let's go into the SecretManager.csproj, remove the UserSecretsId property, make sure to save this, navigate to the secrets.json folder, so use Open Containing Folder, and also delete these files inside of here. So this has deleted all the files that are under UserSecrets. Before you do this, make sure you don't affect any of your other existing projects if you're already using the Secret Manager; just delete that particular GUID. So let's close this file and make sure to not save it. Let's head off to the command line, and we'll use the dotnet CLI and pass in the user-secrets keyword, and then specifying init is going to initialize a secret file. Now this is going to exactly add this ID again, as we saw before. This time it's a different GUID because we have initialized it again. So if we open up the SecretManager.csproj file, this ID is back up here again as well. Now I can add the secrets value from the command line as well. To do that, let's say dotnet, specify user-secrets, and use the method set inside here. Now I need to add in the WeatherApi and the API key. In this case, since we cannot specify a JSON object from here, we'll use the flattened structure of JSON, so that is by using a colon whenever there is a hierarchy. So in our case, since it is WeatherApi followed by the key, I'll use a colon in between them and then specify Key. I can also set up the value here, so to do that let's copy the value again and make sure to paste it inside here. So let's press Enter, and that is going to add a user secret inside this particular secrets.json file. If I was to navigate back into the secrets folder, I can see this GUID is again created. If I navigate in, the secrets.json file is already created for me there. You could open this file directly inside a code editor and start editing it up here as well. So in this case this is now stored as a flattened structure, because that is how we added it. Let's navigate back to the IDE, make sure that the appsettings.json still doesn't have the key, and run this application. This is still in LocalDev, so the React application is going to fail, but let's directly hit the API and make sure it's working as expected. So if I navigate to the WeatherForecast endpoint, I can see that the request is coming in, and let's continue the execution and we successfully get back the JSON data, which is hitting the Weather API service.

Now we have successfully set up the secrets.json file using the command line. There are other operations as well that you can perform. So if you use dotnet and specify user-secrets, you can get all the help information regarding this particular command. So you can clear, init, list, remove and set. What we used was set and init. You can look at this documentation to understand more about each of these commands. Now any time you use the CLI, it converts the file back into a flattened structure. So if I navigate back to Visual Studio and, let's say, I right click and use Manage User Secrets, it's going to open up the exact same file, because this is linked via the identifier inside the csproj. Now if I was to, let's say, copy this exactly and replace these values up here, so let's make sure to copy the key and paste it inside here and delete this extra node, so now we have it in the full JSON structure, which is also going to make the application work. But if I come into the console and, let's say, use dotnet user-secrets and call remove and specify the WeatherApi URL, because we don't need that as a secret, this is going to automatically flatten this particular file. So if I navigate back you can see that it has automatically flattened it into the flattened JSON structure. So any time you use the tool, it's going to happen, so make sure you are aware of that, but both the cases are going to work exactly fine.

Now once you have checked in this code: let's go to Team Explorer, make sure to ignore the launchSettings changes that we made, so let's say Undo Changes, and also the Program.cs, which was basically to set up the environment, and commit these changes. Let's say "add secret manager" and commit all these changes. So let's say somebody else on your team is pulling this code and setting it up on their local machine. In that case they would not have the secrets.json by default. To simulate that, let's delete this directory which is already there inside the UserSecrets. So for someone new setting up this project, if they were to come into the Solution Explorer and right click and say Manage User Secrets, it's automatically going to set it up using that same ID that's there as part of the csproj file, which was checked in by the person who set this up first. So you can see this starts with df0 and ends with 185, and this is the exact same folder that is automatically created. So for all your team members who are using this project, they'll have a GUID folder like this in their local development, and you can set up the secrets.json from inside there. This is done every time at the start of an application, or any time a secret is added into your application code.

I hope this helps you to understand how to manage sensitive information in your local development environment. The Secret Manager allows us to follow secure coding practices and keep this sensitive information out of the configuration files. One thing to note, however, is that the secrets.json file is not encrypted and should not be treated as a secure store. It exists only for local development purposes. Inside your production environment you might use a service like Key Vault. If you like this video, please make sure to hit the like button and also drop in on the comments; I'll make sure to answer if you have any questions or feedback. If you want to be notified in the future of similar such videos, please make sure to hit the subscribe button. Thank you and see you soon.
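An added example, not the video's code, that reproduces the configuration behaviour the video walks through: appsettings.json carries only the base URL, a user-secrets style source is merged in only for the Development or LocalDev environment, and the flattened `WeatherApi:Key` form that `dotnet user-secrets set` writes binds to the same WeatherApiOptions as the nested JSON that Visual Studio writes. The option class, the sample JSON contents, the placeholder key value and the use of in-memory streams in place of the real files are assumptions made so the program runs stand-alone.

```csharp
// Added example (not from the video). Demonstrates how ASP.NET Core configuration
// layers appsettings.json (checked in, no key) with a user-secrets source, and that
// the flattened "WeatherApi:Key" form and the nested {"WeatherApi": {"Key": ...}}
// form bind to the same options object.
// Assumed NuGet packages: Microsoft.Extensions.Configuration,
// Microsoft.Extensions.Configuration.Json, Microsoft.Extensions.Configuration.Binder.
using System;
using System.IO;
using System.Text;
using Microsoft.Extensions.Configuration;

// Same shape as the options class bound from the "WeatherApi" section in the video.
public class WeatherApiOptions
{
    public string Url { get; set; }
    public string Key { get; set; }
}

public static class Program
{
    // Constructed sample standing in for the checked-in appsettings.json:
    // the base URL lives here, the API key deliberately does not.
    const string AppSettingsJson =
        @"{ ""WeatherApi"": { ""Url"": ""https://api.weatherapi.com/v1/"" } }";

    // Constructed sample of secrets.json as written by
    // `dotnet user-secrets set WeatherApi:Key <value>` (flattened form)...
    const string FlattenedSecretsJson = @"{ ""WeatherApi:Key"": ""PLACEHOLDER-API-KEY"" }";

    // ...and as written by Visual Studio's Manage User Secrets (nested form).
    const string NestedSecretsJson = @"{ ""WeatherApi"": { ""Key"": ""PLACEHOLDER-API-KEY"" } }";

    static Stream AsStream(string json) => new MemoryStream(Encoding.UTF8.GetBytes(json));

    // Mirrors the provider order the video describes: appsettings.json first, then
    // user secrets, which override earlier values but are added only for local runs.
    public static WeatherApiOptions Build(string environmentName, string secretsJson)
    {
        var builder = new ConfigurationBuilder()
            .AddJsonStream(AsStream(AppSettingsJson));

        // CreateDefaultBuilder adds user secrets for "Development" only; a team that
        // names its local environment "LocalDev" has to opt in explicitly, which is
        // the condition modelled here.
        if (environmentName == "Development" || environmentName == "LocalDev")
            builder.AddJsonStream(AsStream(secretsJson));

        var options = new WeatherApiOptions();
        builder.Build().GetSection("WeatherApi").Bind(options);
        return options;
    }

    public static void Main()
    {
        // In Staging the URL still resolves from appsettings.json while Key is null,
        // matching the empty key observed in the video's debugger session.
        foreach (var env in new[] { "Development", "LocalDev", "Staging" })
        {
            var flat = Build(env, FlattenedSecretsJson);
            var nested = Build(env, NestedSecretsJson);
            Console.WriteLine(
                $"{env,-12} Url={flat.Url}  Key(flat)={flat.Key ?? "<null>"}  Key(nested)={nested.Key ?? "<null>"}");
        }
    }
}
```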
Info
Channel: Rahul Nath
Views: 2,453
Keywords: asp.net core secret manager, asp.net core user secrets, .net core secret manager, secret manager .net, manage secrets in local development, local development secret keys, .net secret management, secret manager in .net core, how to use secret manager, sensitive information in local development, local dev secrets .net
Id: PkLLP2tcd28
Length: 21min 31sec (1291 seconds)
Published: Tue Feb 16 2021