Blip.Starter.Common.Secrets 0.0.23

dotnet add package Blip.Starter.Common.Secrets --version 0.0.23                
NuGet\Install-Package Blip.Starter.Common.Secrets -Version 0.0.23                
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="Blip.Starter.Common.Secrets" Version="0.0.23" />                
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add Blip.Starter.Common.Secrets --version 0.0.23                
#r "nuget: Blip.Starter.Common.Secrets, 0.0.23"                
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
// Install Blip.Starter.Common.Secrets as a Cake Addin
#addin nuget:?package=Blip.Starter.Common.Secrets&version=0.0.23

// Install Blip.Starter.Common.Secrets as a Cake Tool
#tool nuget:?package=Blip.Starter.Common.Secrets&version=0.0.23                

Blip.Starter.Common.Secrets

First of all, please read all pages of our Secrets documentation.

Secrets are confidential information that should not be exposed in your code. This includes passwords, API keys, tokens, etc.

This library provides a way to retrieve secrets from a secret storage. Currently, we support Hashicorp Vault as our secret storage.

Follow the configuration above to be able to configure. Please also read our documentation about .NET secrets accesses.

Configuring your application

To configure your application you need to add Blip.Starter.Common.Secrets NuGet package to your project.

The NuGet package is published in our private NuGet repository: https://dev.azure.com/curupira/BLiP/_artifacts/feed/BlipNuget/NuGet/Blip.Starter.Common.Secrets/overview

To access it locally you will need to install Azure Artifacts credential provider.

To configure this library you need to provide a ISecretConfiguration. You may create yourself one programatically or use the DefaultSecretConfiguration which uses several environment variables to configure the library:

Environment Variable Description Default Value Available Values
SECRETS_ENABLED Enable or disable the secrets configuration true true, false
SECRETS_ENGINE The secret engine to be used. You can also disable by using Null or Noop engines. HashicorpVault HashicorpVault, Noop, Null
SECRETS_PATHS Additional paths to be used to retrieve secrets. "" Any valid string
SECRETS_ENABLE_TENANT_PATH To add default's tenant path as a secret path to load. false true, false
SECRETS_ENABLE_HOST_SERVICE_NAME_PATH To add default's application service name as a secret path to load. false true, false

Here's specific engine configuration:

Environment Variable Description Default Value Available Values
SECRETS_HASHICORP_VAULT_URL The URL of the Vault server. http://localhost:8200 Any valid URL
SECRETS_HASHICORP_VAULT_ROLE_NAME The role name to be used to authenticate in Vault. The same as the environment's HostServiceName which is configured by the environment variable HOST_SERVICE_NAME Any valid string
SECRETS_HASHICORP_VAULT_MOUNT_POINT The mount point to be used to authenticate in Vault. The same as the environment's ClusterName which is configured by the environment variable CLUSTER_NAME Any valid string
SECRETS_HASHICORP_VAULT_SERVICE_ACCOUNT_PATH The path to the service account file to be used to authenticate in Vault. /var/run/secrets/kubernetes.io/serviceaccount/token Any valid string

ASP.NET Core

To integrate this library with a ASP.NET Core application, go to your Startup.cs file or anywhere you configure the framework and add the following code:

// You can change the configuration if needed, but prefer changing the configuration with environment variables without hardcoding it to your code.
ISecretConfiguration configuration = DefaultSecretConfiguration();

// Creates the environment from environment variables.
var environment = Blip.Starter.Common.Env.Environment.FromEnvironmentVariables();

// Adds the secrets to the configuration builder, using the 'SecretConfigurationExtensions' extension.
// You may ommit all attributes and let the configuration be loaded from environment variables.
// You may also hardcode the engine to be used here, by providing the engine parameter, but prefer using the environment variable. 
builder.Configuration.AddSecrets(
    environment: environment,
    configuration: configuration);

Manual configuration

If you are not using ASP.NET you can configure the library manually and get the secrets dictionary manually, without integrating it with the Microsoft's ConfigurationBuilder:

// You can change the configuration if needed, but prefer changing the configuration with environment variables without hardcoding it to your code.
ISecretConfiguration configuration = DefaultSecretConfiguration();

// Creates the environment from environment variables.
var environment = Blip.Starter.Common.Env.Environment.FromEnvironmentVariables();

// Load the secrets from the secret storage.
// If disabled (default) this will return an empty dictionary.
var dictionary = await SecretStarter.Load(
    engine: SecretEngine.Vault,
    environment: environment,
    configuration: configuration);

// Access the secrets using the returned dictionary.
// Embedded json objects are also supported, but to access them you need to use ':' to separate the keys.
// Example: "secretKey:myEmbeddedSecret"

Writing custom secrets

Your application can also write custom secrets under a specific folder structure that fits your needs.

Step one

Insert the .AddVaultEngine on your DI registration so it can use an IEngine, like the example below.

//first scenario: you already initialized your environment and configuration values
            builder.Services.AddVaultEngine(
               environment: environment,
               configuration: configuration
               );

//or let the library initiate the service
             builder.Services.AddVaultEngine();

Step two

In your application code, you can receive an IEngine instance through the DI container, like the example below

        private readonly IEngine _engine;

        public WeatherForecastController(IEngine engine)
        {
            _engine = engine;
        }

Step three

Now you can invoke the methods with the following parameters

  • PatchSecretsAsync: allows you to update if the data already exists or create the secrets data
var path = "testbot@msging.net/sense-config";
Dictionary<string, object> dictionaryToSave = new Dictionary<string, object>();

await _engine.PatchSecretsAsync(path, dictionaryToSave);
  • CreateSecretsAsync: allows you to create the secrets data and/or replace all the stored date
var path = "testbot@msging.net/sense-config";
Dictionary<string, object> dictionaryToSave = new Dictionary<string, object>();

await _engine.CreateSecretsAsync(path, dictionaryToSave);

Reading custom secrets

All custom secrets will be stored on vault in a specific directory. If your application is named msging-server and is inside the take cluster, if you save to the path testbot@msging.net/sense-config the final stored key value will be the following:

take / msging-server / custom / testbot@msging.net / sense-configs

To read you may use the ReadSecretsAsync from the IEngine:

var path = "testbot@msging.net/sense-config";

// Using same values as the writing example, this will read the secret on the custom's secret path:
// take / msging-server / custom / testbot@msging.net / sense-configs
var secrets = await _engine.ReadSecretAsync(path);

Adding secrets to the secret storage

To add new secrets in our production secret storage you must create a new service request.

TODO: add SR link and owner team

Product Compatible and additional computed target framework versions.
.NET net6.0 is compatible.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 was computed.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
0.0.23 5,959 7/25/2024
0.0.20 7,629 2/27/2024
0.0.19 136 2/22/2024
0.0.18 125 1/31/2024
0.0.17 184 12/28/2023
0.0.16 192 11/6/2023
0.0.15 144 10/19/2023
0.0.14 7,252 10/10/2023
0.0.12 169 9/26/2023