Azure-Samples · bolt-io · Apr 11, 2023 · Apr 14, 2023
diff --git a/Extensions/KeyVaultConfigurationExtensions.cs b/Extensions/KeyVaultConfigurationExtensions.cs
@@ -0,0 +1,28 @@
+using Azure.Extensions.AspNetCore.Configuration.Secrets;
+using Azure.Identity;
+
+namespace MyAccountPage
+{
+    public static class KeyVaultConfigurationExtensions
+    {
+
+        public static IConfigurationBuilder ConfigureAzureKeyVault(this WebApplicationBuilder builder)
+        {
+            var kvName = builder.Configuration["KeyVault:Name"];
+            if (string.IsNullOrWhiteSpace(kvName))
+                return builder.Configuration;
+
+            var kvPrefix = builder.Configuration["KeyVault:SecretsPrefix"];
+            var kvReloadIntervalInMinutes = builder.Configuration.GetValue<int>("KeyVault:ReloadIntervalInMinutes", default);
+
+            TimeSpan? kvReloadInterval = kvReloadIntervalInMinutes == default ? null : new TimeSpan(hours: 0, minutes: kvReloadIntervalInMinutes, seconds: 0);
+
+            var kvOptions = new AzureKeyVaultConfigurationOptions() { ReloadInterval = kvReloadInterval, Manager = new KeyVault.PrefixKeyVaultSecretManager(kvPrefix) };
+
+            return builder.Configuration.AddAzureKeyVault(
+                vaultUri: new Uri($"https://{kvName}.vault.azure.net/"),
+                credential: new ChainedTokenCredential(new DefaultAzureCredential()
+                ), kvOptions);
+        }
+    }
+}
diff --git a/KeyVault/PrefixKeyVaultSecretManager.cs b/KeyVault/PrefixKeyVaultSecretManager.cs
@@ -0,0 +1,30 @@
+using Azure.Extensions.AspNetCore.Configuration.Secrets;
+using Azure.Security.KeyVault.Secrets;
+using Microsoft.IdentityModel.Tokens;
+
+namespace KeyVault
+{
+    public class PrefixKeyVaultSecretManager : KeyVaultSecretManager
+    {
+        private readonly string _prefix;
+
+
+        public PrefixKeyVaultSecretManager(string? prefix)
+        {
+            prefix ??= string.Empty;
+            _prefix = prefix.IsNullOrEmpty() || prefix.EndsWith("--") ? prefix : $"{prefix}--";
+        }
+
+        public override bool Load(SecretProperties secret)
+        {
+            return secret.Name.StartsWith(_prefix, StringComparison.OrdinalIgnoreCase);
+        }
+
+        public override string GetKey(KeyVaultSecret secret)
+        {
+            return secret.Name
+                .Substring(_prefix.Length)
+                .Replace("--", ConfigurationPath.KeyDelimiter);
+        }
+    }
+}
diff --git a/MyAccountPage.csproj b/MyAccountPage.csproj
@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
@@ -7,11 +7,15 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.2.2" />
     <PackageReference Include="Microsoft.AspNetCore.Session" Version="2.2.0" />
     <PackageReference Include="Microsoft.Identity.Web" Version="2.5.0" />
     <PackageReference Include="Microsoft.Identity.Web.MicrosoftGraph" Version="2.5.0" />
     <PackageReference Include="Microsoft.Identity.Web.UI" Version="2.5.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.2" />
+
+    <PackageReference Include="Azure.Identity" Version="1.8.2" />
+    <PackageReference Include="Microsoft.Extensions.Configuration" Version="7.0.0" />
   </ItemGroup>
 
 </Project>
diff --git a/Program.cs b/Program.cs
@@ -2,14 +2,13 @@
 using Microsoft.AspNetCore.HttpOverrides;
 using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.UI;
-using Microsoft.Extensions.DependencyInjection;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using MyAccountPage;
-using Microsoft.AspNetCore.Authentication;
-using Microsoft.Extensions.Options;
 
 var builder = WebApplication.CreateBuilder(args);
 
+builder.ConfigureAzureKeyVault();
+
 var initialScopes = builder.Configuration["MicrosoftGraph:Scopes"]?.Split(' ');
 
 // Add services to the container.

diff --git a/ReadmeFiles/Deployment.md b/ReadmeFiles/Deployment.md
@@ -196,6 +196,20 @@ And the last bit is your configuration for your Verified Employee credential and
     "Authority": "YOUR VC SERVICE AUTHORITY/DID"
   },
 ```
+
+If you want to add Azure Key Vault for storing secrets, add the following configuration section. 
+```
+"KeyVault": {
+  "Name": "YOUR KEYVAULT NAME",
+  "SecretsPrefix": "",
+  "ReloadIntervalInMinutes": 15
+},
+```
+The Name is the name of your key vault (not the full url).
+The secrets prefix is optional and can be used if you store multiple applications in the same key vault. 
+The reload interval is the interval in minutes the application will reload the secrets from the key vault. This is useful if you want to change the configuration without restarting the application.
+
+
 If you want to configure the app through web app configuration navigates to your created web app and select configuration on the left-hand side.
 
 ![Web Application Configuration](Images/WebApplicationConfiguration.png)

diff --git a/appsettings.json b/appsettings.json
@@ -50,6 +50,12 @@
     "Scopes": "user.read"
   },
 
+  "KeyVault": {
+    //"Name": "YOUR KEYVAULT NAME",
+    //"SecretsPrefix": "",
+    //"ReloadIntervalInMinutes": 15
+  },
+
   "Logging": {
     "LogLevel": {
       "Default": "Information",