HoneyDrunk.Vault.Providers.AzureKeyVault
Version 0.7.0
- .NET CLI: dotnet add package HoneyDrunk.Vault.Providers.AzureKeyVault --version 0.7.0
- Package Manager: NuGet\Install-Package HoneyDrunk.Vault.Providers.AzureKeyVault -Version 0.7.0
- PackageReference: <PackageReference Include="HoneyDrunk.Vault.Providers.AzureKeyVault" Version="0.7.0" />
- Central Package Management: <PackageVersion Include="HoneyDrunk.Vault.Providers.AzureKeyVault" Version="0.7.0" /> in Directory.Packages.props, then <PackageReference Include="HoneyDrunk.Vault.Providers.AzureKeyVault" /> in the project file
- Paket CLI: paket add HoneyDrunk.Vault.Providers.AzureKeyVault --version 0.7.0
- Script & Interactive: #r "nuget: HoneyDrunk.Vault.Providers.AzureKeyVault, 0.7.0"
- File-based apps: #:package HoneyDrunk.Vault.Providers.AzureKeyVault@0.7.0
- Cake: #addin nuget:?package=HoneyDrunk.Vault.Providers.AzureKeyVault&version=0.7.0 or #tool nuget:?package=HoneyDrunk.Vault.Providers.AzureKeyVault&version=0.7.0
HoneyDrunk.Vault.Providers.AzureKeyVault
Azure Key Vault provider for HoneyDrunk.Vault. Recommended for Azure hosted applications.
Overview
This provider integrates HoneyDrunk.Vault with Azure Key Vault, giving you secure, versioned secret retrieval through the standard Vault abstractions (ISecretStore, SecretIdentifier, SecretValue). It is the preferred provider for applications running in Azure App Service, Azure Container Apps, AKS or any Azure VM with Managed Identity enabled.
Features:
- Managed Identity authentication (best practice for production)
- Optional Service Principal authentication for local development
- Versioned secret retrieval
- Azure RBAC and access policy support
- Integration with Vault caching, resilience and telemetry
- Zero secret values ever logged or emitted in telemetry
Installation
dotnet add package HoneyDrunk.Vault.Providers.AzureKeyVault
Prerequisites
- Azure subscription
- Azure Key Vault instance
- One of:
  - Managed Identity enabled on your application (recommended)
  - Service Principal with secret read permissions
Quick Start
Using Managed Identity (Recommended)
using HoneyDrunk.Vault.Providers.AzureKeyVault.Extensions;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddVaultWithAzureKeyVault(options =>
{
options.VaultUri = new Uri("https://my-vault.vault.azure.net/");
options.UseManagedIdentity = true;
});
var app = builder.Build();
Using Service Principal (Local Dev or Non-Azure Hosts)
builder.Services.AddVaultWithAzureKeyVault(options =>
{
options.VaultUri = new Uri("https://my-vault.vault.azure.net/");
options.UseManagedIdentity = false;
options.TenantId = builder.Configuration["AzureAd:TenantId"];
options.ClientId = builder.Configuration["AzureAd:ClientId"];
// ClientSecret must come from user secrets or an environment variable
// (dotnet user-secrets set "AzureAd:ClientSecret" "<value>"), never from
// source code or a committed appsettings*.json.
options.ClientSecret = builder.Configuration["AzureAd:ClientSecret"];
});
Configuration Options
public sealed class AzureKeyVaultOptions
{
public Uri? VaultUri { get; set; }
public bool UseManagedIdentity { get; set; } = true;
public string? TenantId { get; set; }
public string? ClientId { get; set; }
public string? ClientSecret { get; set; }
}
If UseManagedIdentity = true, Vault uses DefaultAzureCredential, which walks the Azure identity chain in order: environment variables (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET), workload identity, Managed Identity, then developer tool logins (Visual Studio, Azure CLI, Azure PowerShell, Azure Developer CLI). Two consequences matter for security: a host that happens to carry AZURE_CLIENT_SECRET in its environment will authenticate as that principal instead of its Managed Identity, and a developer login left on a production machine will be used silently if Managed Identity is unavailable. After deployment, confirm which identity actually called the vault (the caller recorded in Key Vault diagnostic logs) rather than assuming.
Setup Instructions
1. Create Secrets in Key Vault
az keyvault secret set \
--vault-name my-vault \
--name db-connection-string \
--value "Server=..."
Later updates automatically create new versions.
2. Grant Access to Your Application
# For Managed Identity
az keyvault set-policy \
--name my-vault \
--object-id <identity-object-id> \
--secret-permissions get list
# For Service Principal
az keyvault set-policy \
--name my-vault \
--spn <client-id> \
--secret-permissions get list
For secret-only access, certificate and key permissions are not required. These commands apply to vaults that use the access-policy permission model; a vault configured for Azure RBAC ignores set-policy, and the equivalent least-privilege grant there is the built-in Key Vault Secrets User role assigned on the vault scope with az role assignment create.
Usage Examples
Get the Latest Version of a Secret
var secret = await secretStore.GetSecretAsync(
new SecretIdentifier("db-connection-string"),
ct);
// Print only metadata (here the length); the value itself must never reach a log or console.
Console.WriteLine(secret.Value.Length);
Azure Key Vault returns the latest version when no version is specified.
Get a Specific Version
var secret = await secretStore.GetSecretAsync(
new SecretIdentifier("api-key", "3f92c96c7d9e4f1e9a5e2bb0a1b7e3a1"),
ct);
List Versions
var versions = await secretStore.ListSecretVersionsAsync("api-key", ct);
foreach (var version in versions)
{
Console.WriteLine($"Version: {version.Version}, Created: {version.CreatedOn}");
}
Gracefully Handle Missing Secrets
var result = await secretStore.TryGetSecretAsync(
new SecretIdentifier("optional-secret"),
ct);
if (result.IsSuccess)
Console.WriteLine("Secret available");
else
Console.WriteLine($"Not available: {result.ErrorMessage}");
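The retrieval calls above become more useful when version selection is made explicit: a deployment pins a known-good version, and rolling back a bad rotation means re-pinning the previous version rather than writing to Key Vault. The following class is an added example and not HoneyDrunk.Vault's own code. It uses only the ISecretStore members shown on this page (SecretIdentifier with and without a version, TryGetSecretAsync with IsSuccess/ErrorMessage, ListSecretVersionsAsync with Version/CreatedOn); the namespace HoneyDrunk.Vault, the assumption that Version is a string, the Vault:Pins configuration section, and the class and method names are mine.

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using HoneyDrunk.Vault;                // ISecretStore, SecretIdentifier (namespace assumed)
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;

// Added example, not part of HoneyDrunk.Vault. Resolves which version of a secret to read
// and finds the predecessor of a version for rollback. Only names and versions are logged.
public sealed class SecretVersionPolicy
{
    private readonly ISecretStore _store;
    private readonly IConfiguration _pins;      // assumed section "Vault:Pins": { "<name>": "<version>" }
    private readonly ILogger<SecretVersionPolicy> _logger;

    public SecretVersionPolicy(ISecretStore store, IConfiguration configuration, ILogger<SecretVersionPolicy> logger)
    {
        _store = store;
        _pins = configuration.GetSection("Vault:Pins");
        _logger = logger;
    }

    // Returns the identifier to read: the pinned version when one is configured, otherwise latest.
    public SecretIdentifier Resolve(string name)
    {
        var pinned = _pins[name];
        return string.IsNullOrEmpty(pinned)
            ? new SecretIdentifier(name)
            : new SecretIdentifier(name, pinned);
    }

    // Confirms the resolved secret is retrievable without throwing. The error message returned
    // by TryGetSecretAsync describes the failure, not the value, so it is safe to log.
    public async Task<bool> IsReadableAsync(string name, CancellationToken ct)
    {
        var id = Resolve(name);
        var result = await _store.TryGetSecretAsync(id, ct);
        if (!result.IsSuccess)
            _logger.LogWarning("Secret {Name} ({Version}) is not readable: {Error}",
                name, _pins[name] ?? "latest", result.ErrorMessage);
        return result.IsSuccess;
    }

    // Returns the version that was current immediately before currentVersion, verified to be
    // readable, or null when currentVersion is unknown or has no predecessor. The caller then
    // pins that version (e.g. in Vault:Pins) instead of modifying the vault.
    public async Task<string?> PreviousReadableVersionAsync(string name, string currentVersion, CancellationToken ct)
    {
        var versions = (await _store.ListSecretVersionsAsync(name, ct))
            .OrderByDescending(v => v.CreatedOn)
            .Select(v => v.Version)
            .ToList();

        var index = versions.IndexOf(currentVersion);
        if (index < 0)
        {
            _logger.LogWarning("Version {Version} of {Name} not found", currentVersion, name);
            return null;
        }

        // Walk backwards past versions that exist but cannot be read (for example, disabled ones).
        for (var i = index + 1; i < versions.Count; i++)
        {
            var candidate = await _store.TryGetSecretAsync(new SecretIdentifier(name, versions[i]), ct);
            if (candidate.IsSuccess)
            {
                _logger.LogInformation("Rollback candidate for {Name}: {Current} -> {Previous}",
                    name, currentVersion, versions[i]);
                return versions[i];
            }
            _logger.LogWarning("Skipping version {Version} of {Name}: {Error}", versions[i], name, candidate.ErrorMessage);
        }

        _logger.LogWarning("No readable version of {Name} precedes {Version}", name, currentVersion);
        return null;
    }
}
```

Usage: register SecretVersionPolicy as a singleton alongside the Vault services, call Resolve(name) wherever the page's examples construct a SecretIdentifier, and feed the result of PreviousReadableVersionAsync back into the Vault:Pins section of your deployment configuration. Because the rollback never writes to Key Vault, the identity still needs only get and list on secrets.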
Access Control
The set-policy commands in step 2 of Setup Instructions are the complete grant this provider needs: get and list on secrets, nothing on keys or certificates. Re-check the grant whenever the identity changes: a system-assigned Managed Identity that is disabled and re-enabled receives a new object ID, whereas a Service Principal whose secret is rotated keeps its client ID.
Configuration Example
{
"Vault": {
"AzureKeyVault": {
"VaultUri": "https://my-vault.vault.azure.net/",
"UseManagedIdentity": true
}
}
}
Bind the Vault:AzureKeyVault section in the AddVaultWithAzureKeyVault callback. Keep ClientSecret out of this file: for Service Principal authentication, supply it through user secrets or an environment variable (Vault__AzureKeyVault__ClientSecret), which the configuration system merges into the same section.
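Binding the section is one line; the value of doing it through a helper is the chance to fail at startup on combinations that the DefaultAzureCredential fallback chain described under Configuration Options would otherwise paper over. The following registration helper is an added example, not HoneyDrunk.Vault's own code. It relies on AddVaultWithAzureKeyVault and the AzureKeyVaultOptions members listed on this page; the namespace HoneyDrunk.Vault.Providers.AzureKeyVault for the options type, the class and method names, and the IDENTITY_ENDPOINT check are my assumptions.

```csharp
using System;
using System.IO;
using HoneyDrunk.Vault.Providers.AzureKeyVault;              // AzureKeyVaultOptions (namespace assumed)
using HoneyDrunk.Vault.Providers.AzureKeyVault.Extensions;   // AddVaultWithAzureKeyVault
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.Json;
using Microsoft.Extensions.DependencyInjection;

// Added example, not part of HoneyDrunk.Vault. Binds the Vault:AzureKeyVault section from the
// Configuration Example and rejects unsafe combinations before the provider is registered.
public static class KeyVaultRegistration
{
    private const string SectionPath = "Vault:AzureKeyVault";
    private const string ClientSecretPath = SectionPath + ":ClientSecret";

    public static WebApplicationBuilder AddKeyVaultFromConfiguration(this WebApplicationBuilder builder)
    {
        builder.Services.AddVaultWithAzureKeyVault(options =>
        {
            builder.Configuration.GetSection(SectionPath).Bind(options);
            Validate(options, builder.Configuration);
        });
        return builder;
    }

    public static void Validate(AzureKeyVaultOptions options, IConfiguration configuration)
    {
        if (options.VaultUri is null || options.VaultUri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException($"{SectionPath}:VaultUri must be an https:// vault URI.");

        if (options.UseManagedIdentity)
        {
            // DefaultAzureCredential is used on this path; a ClientSecret left in configuration
            // is dead at best and a credential waiting to leak at worst.
            if (!string.IsNullOrEmpty(options.ClientSecret))
                throw new InvalidOperationException("ClientSecret is set although UseManagedIdentity is true; remove it.");
            return;
        }

        if (string.IsNullOrEmpty(options.TenantId) || string.IsNullOrEmpty(options.ClientId) || string.IsNullOrEmpty(options.ClientSecret))
            throw new InvalidOperationException("Service Principal auth requires TenantId, ClientId and ClientSecret.");

        // IDENTITY_ENDPOINT is set by App Service, Functions and Container Apps when a Managed
        // Identity is available; shipping a ClientSecret to such a host is a downgrade.
        if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT")))
            throw new InvalidOperationException("A Managed Identity endpoint is present; set UseManagedIdentity to true.");

        // The secret may come from user secrets (secrets.json outside the repository) or from an
        // environment variable (Vault__AzureKeyVault__ClientSecret), but never from appsettings*.json,
        // which is committed to source control. Ask each provider whether it supplied the key.
        if (configuration is IConfigurationRoot root)
        {
            foreach (var provider in root.Providers)
            {
                if (provider is JsonConfigurationProvider json
                    && json.TryGet(ClientSecretPath, out _)
                    && Path.GetFileName(json.Source.Path ?? string.Empty)
                           .StartsWith("appsettings", StringComparison.OrdinalIgnoreCase))
                {
                    throw new InvalidOperationException($"{ClientSecretPath} must not be stored in {json.Source.Path}.");
                }
            }
        }
    }
}
```

In Program.cs this replaces the Quick Start call with builder.AddKeyVaultFromConfiguration(). The JSON-provider check distinguishes appsettings files from the user-secrets file by file name only, which is adequate for the default project layout; a project that loads additional JSON files under other names should extend the name test.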
Best Practices
- Prefer Managed Identity for production
- Enable Soft Delete and Purge Protection on your vault (Soft Delete is on by default for new vaults and cannot be turned off; Purge Protection must be enabled explicitly and is irreversible)
- Use secret versions intentionally for rollback
- Do not log secret values, only names and versions
- Enable Vault caching to reduce Key Vault API usage
- Use Private Endpoints and set the vault firewall to deny public network access
- Grant least privilege access (only get and list for secrets)
Troubleshooting
Authentication Issues
MsalServiceException: AADSTS700016: Application not found
- Verify TenantId, ClientId and ClientSecret if using a Service Principal (AADSTS700016 usually means the ClientId does not exist in the given TenantId)
- Ensure Managed Identity is enabled if using MI
- Check Key Vault firewall or private endpoint settings
Permission Denied
KeyVaultErrorException: Access denied
With the Azure.Security.KeyVault.Secrets client this package depends on, the same failure surfaces as Azure.RequestFailedException with HTTP status 403.
- Ensure get and list permissions are granted for secrets
- Verify the identity object ID used in set-policy
- If the vault uses the Azure RBAC permission model, check the role assignment rather than the access policy
Timeouts or Rate Limiting
- Ensure Vault caching is enabled
- Prefer Private Endpoints for low latency
- Avoid repeatedly fetching the same secret in a hot path (Key Vault answers with HTTP 429 once a vault is throttled)
Related Providers
License
MIT License
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
Dependencies (net10.0):
- Azure.Identity (>= 1.21.0)
- Azure.Security.KeyVault.Secrets (>= 4.11.0)
- HoneyDrunk.Vault (>= 0.7.0)
- HoneyDrunk.Vault.Providers.File (>= 0.7.0)
NuGet packages (4)
Showing the top 4 NuGet packages that depend on HoneyDrunk.Vault.Providers.AzureKeyVault:
- HoneyDrunk.Data: Provider-neutral persistence orchestration layer for HoneyDrunk.OS Grid. Complete architecture overhaul with Kernel integration for tenant resolution, correlation tracking, and telemetry enrichment. Does not depend on any specific database provider.
- HoneyDrunk.Auth: Authentication and authorization library for .NET. Provides JWT Bearer token validation, policy-based authorization, Vault-backed signing key management, and integration with HoneyDrunk.Kernel for Grid-aware context propagation.
- HoneyDrunk.Data.Migrations: Migration tooling for HoneyDrunk.Data. Complete architecture overhaul with design-time DbContext factories and migration runner helpers for CI/CD scenarios. Not intended for runtime use.
- HoneyDrunk.Web.Rest.AspNetCore: ASP.NET Core integration for HoneyDrunk REST conventions. Provides middleware for correlation propagation, exception mapping, and request logging. Includes MVC filters for model validation, minimal API endpoint conventions, and JSON serialization defaults. Ensures consistent API responses across all services.
GitHub repositories
This package is not used by any popular GitHub repositories.
v0.7.0: AzureKeyVaultSecretStore drops the redundant TryGetSecretAsync / FetchSecretAsync / TryFetchSecretAsync / ListVersionsAsync overrides now that ISecretStore / ISecretProvider supply them as default interface methods (breaking — see HoneyDrunk.Vault 0.7.0 notes). First test coverage added for AzureKeyVaultConfigSource. See CHANGELOG.md for details.