It is critical not to store passwords or API keys in our code.
For all environments for the development process: (QA, UAT, Pre-Production, and Production), it is easier to place it in a safe place (Azure Key Vault for example), and access it during deployment.
For developer machines, we can use Secret Manager
, or sometimes called User Secrets
, which has a built-in support in ASP.NET
.
Enable Secret Storage:
In the project you want to add a secret run this command:
dotnet user-secrets init
This will generate a secret file, which is a json file called secrets.json
, in a folder with a GUID generated name.
The location of the folder is
Operating System | Location |
---|---|
Windows | %APPDATA%\Microsoft\UserSecrets<user_secrets_id>\secrets.json |
Linux/MacOS | ~/.microsoft/usersecrets//secrets.json |
And that generated GUID will be added to the project file .csproj
as follows
<UserSecretsId>d87e6676-57eb-45c8-98d4-c6a3be58debb</UserSecretsId>
Add a key secret
Let's supposed we want to add a key-api for google-map, where the appsettings.json
file the entry will look like:
"googleMapApi" : {
"apiKey": "Enter anything here",
"apiUrl": "https://maps.googleapis.com/maps/api/json?"
}
To add that, we run the following command line
dotnet user-secrets set "googleMapApi:apiKey" "<real key goes here>"
Access a secret in ASP.NET
For ASP.NET application, the WebApplicationBuilder
add most of the configuration providers that are used by developers like environment variable provider, appsetting provider, command-line provider, and last but not least the user secret provider.
So, in ASP.NET you access it as any other configuration setting using IConfiguration
injected by DI:
// pass this to the constructor to be injected by DI
private readonly IConfiguration _configuration;
// and then inside the controller
var key = _configuration["googleMapApi:apiKey"]
// or the following:
var key = _configuration.GetSection("googleMapApi")["apiKey"];
Access a secret in console application
.NET console application don't provide built-in capability to read the user secrets or even any configuration provider, and we have to add that ability by adding the respective packages.
Add the following packages for a console app:
dotnet add package Microsoft.Extensions.Configuration
dotnet add package Microsoft.Extentions.Configuration.Json
dotnet add package Microsoft.Extensions.Configuration.UserSecrets
and then add the following code
var configBuilder = new ConfigurationBuilder()
.AddJsonFile("appsettings.json", false, true)
.AddUserSecrets(Assembly.GetExecutingAssembly(), true);
var config = configBuilder.Build();
// then access it as follows
var key = config["googleMapApi:apiKey"];
And then you can access it as you access in ASP.NET