Using Azure Key Vault in ASP.NET Core 2.0 with the options pattern

The best way to store secrets in your app is not to store secrets in your app

Almost every web application needs some kind of secrets like a SQL Database connection string or the primary key of a Storage Account in order to communicate with external services.

Certainly we don’t store these secrets within our source code since this would expose them to every developer that has access to the code. In Azure we could store the secrets within the Application Settings in the Azure Portal:


But if a secret is used in multiple application and we need to change it (e. g. regenerate a storage account key) we would have to do that in multiple places. A better place to store secrets in Azure is the Key Vault.

Instead of storing each secret within our app we store them in the Key Vault and configure our app to access the secrets in the vault. Now we have a single place where we can manage our secrets.

Lets take a look how we can access those secrets in an ASP.NET Core 2.0 web application without introducing a dependency to Key Vault in the class that uses it. To create a vault, store secrets to it and create a service principal for the access policy see Get started with Azure Key Vault.

Our secret is stored in a class called ValueSettings:

public sealed class ValueSettings
	public string TestSecret { get; set; }

There is a ValuesController with one HttpGet method that returns our secret:

public class ValuesController : Controller
    private readonly ValueSettings _valueSettings;

    public ValuesController(IOptions<ValueSettings> valueSettings)
        _valueSettings = valueSettings.Value;

    public IActionResult Get()
        return Ok(_valueSettings.TestSecret);

As you can see in line 6 the controller uses the options pattern to inject the actual settings. The controller doesn’t know where the secret is comming from and doesn’t have any dependencies to Azure Key Vault.

Now lets take a look how we need to configure our application for that. First we need to store the vault settings in our appsettings.json:

  "KeyVault": {
    "Vault": "",
    "ClientId": "myclientid",
    "ClientSecret": "myclientsecret"

We also have a class that represents these settings:

public class KeyVaultSettings
    public string Vault { get; set; }
    public string ClientId { get; set; }
    public string ClientSecret { get; set; }

Now to configure the key vault we use the AddAzureKeyVault extension method in the Programm.cs:

public class Program
    public static void Main(string[] args)

    public static IWebHost BuildWebHost(string[] args) =>
            .ConfigureAppConfiguration((context, config) =>
                    .AddJsonFile("appsettings.json", optional: false)

                var builtConfig = config.Build();
                var settings = builtConfig.GetSection("KeyVault").Get();

                    settings.Vault, settings.ClientId, settings.ClientSecret);


And finally this is how our Startup looks like:

public class Startup
    public Startup(IConfiguration configuration)
        Configuration = configuration;   

    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)


    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        if (env.IsDevelopment())


You can download the complete example from my GitHub repository.

5 thoughts on “Using Azure Key Vault in ASP.NET Core 2.0 with the options pattern”

  1. I remember, we talked about it last week in our Office with Andre. We all were suprised how easy it is to integrate Azure KeyVault in ASP.NET Core.
    Great Post about it!

    Liked by 1 person

  2. I’ve noticed that the IOptions value does not change when the secret unless you restart the web app.

    Is there a way to get the value to reflect the current secret instead of the value at startup?


  3. Nice post Martin. It helped me a lot. You just missed the in the IOptions on the Controller’s constructor. It should be “IOptions” in this case, based on your Github sample.

    Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s