Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

.NET Core - How To Manage User Secrets Within A Team

Tags:

.net-core

The storage of secrets for .NET Core is well documented.

However, in the .NET Core world, I cannot find a good article on how such information is shared amongst a team.

Say, for example, we have a .NET Core Project that has information stored within secrets.jsonand there are 10 developers using that project.

Options I can think of:

  1. Check something into source control - seems to defeat the point (apart from not accidentially publishing test settings to live).

  2. Just talk between ourselves - has the feeling that if someone adds a secret and goes on holiday, other devs will waste time figuring out what's missing. It might also cause issue if two developers add something around the same time.

  3. Ignore secrets.json and always use Azure KeyVault - even for dev. More complicated and I haven't seen this recommended anywhere, but it would also work for building on build servers. The downside is that the Vault could get cluttered with unused settings and it not be clear which need replicating in live.

There may be other options I've missed.

What is the best way to share/ synchronise secrets with other developers?

EDIT FOLLOWING ANSWER:

Going the KeyVault route will work. As stated, this requires additional setup (using certificates, for example). Further details in the Microsoft Docs.

like image 359
JsAndDotNet Avatar asked Dec 16 '19 09:12

JsAndDotNet

People also ask

Where are .NET user secrets stored?

In a Windows machine, they are stored in the %APPDATA%\Microsoft\UserSecrets\<user_secrets_id>\secrets. json file. In a Linux/macOS machine, they are stored in the ~/. microsoft/usersecrets/<user_secrets_id>/secrets.

How do I access user secrets in Visual Studio?

In Visual Studio, right-click the project in Solution Explorer, and select Manage User Secrets from the context menu. This gesture adds a UserSecretsId element, populated with a GUID, to the project file.

How do I add a user to secrets?

By far the easiest way to use User Secrets is via Visual Studio. Right click your entry project and select “Manage User Secrets”. Visual Studio will then work out the rest, installing any packages you require and setting up the secrets file! Easy!

1 Answers

Although this is biassed: go for 3, use the key vault.

Diclaimer

There are many blog-post and documentation on this subject, here I'll address a very narrow portion of the scope of the question.

An alternative recommendation would be or use methodology like GitOps/SOPS as described here

As for the Vault option, it has some benefits of which I will name some:

  • secrets are stored in a central place, making governance and rotation easier
  • secrets are not known to developers, or only at a need to know basis, which makes it more secure
  • secrets, if implemented correctly, are no part of the version control, which also makes it more secure.

some con's

  • it takes some time to set up properly
  • it's less flexible, especially it the process isn't in place yet.
  • secrets, if implemented correctly, are no part of the version control, which makes recovery harder.

To elaborate on that last one: there are scenario's where you need a "stable" and recoverable secret, e.g.: when a client needs to integrate in a specific manner, which require you to have control over a secret. Although security-wise this is not best practice, it is quite common. A GitOps/SOPS is more suited in that scenario.

In general, the more developers have access to the secrets, the more insecure it is.

Ideally, if you set it up correctly, you'll end up with the same way of dealing with this across all your environments (test, staging prod). In the end, the solution and process should be independent of the environment, to maximize production stability.

But as I said; this is biassed and opinion based.

like image 167
Stefan Avatar answered Nov 24 '22 04:11

Stefan
Sign in to Comment

Related questions

BackgroundService tasks not running on separate threads in .NET Core Generic Host
Does ConfigurationManager work with ASP.NET core's appsettings.json?
How to configure a Serilog sink for logging to CloudWatch
Atata selenium web driver can't find controls by id on angular app
Analog of CreatedAtAction for update operation
How to update AspNetCore from 2.2.0 to 2.2.2
Aure Function App returns 'The credentials supplied to the package were not recognized' when using pfx file
MSBUILD fails from tasks.json yet works from from VS Code terminal
ASP.NET Core - Use both UseDeveloperExceptionPage() and custom logging
Mixing EF Core Convensions and DBFunction for a JObject property
An assembly specified in the application dependencies manifest was not found
Deploy console webjob app to azure App service containing a webapi using azure devops pipelines
How to force Swagger/Swashbuckle to append an API key?
Is it possible to inject IHttpClientFactory to a strongly typed client?
How to directly invoke F# compiler on .NET Core?
.Net core X-Forwarded-Proto header doesn't pass to Nginx properly
Compile error with WPF .net Core 3.0 when adding .resx files
Write a search query which is case insensitive in EF Core?
Roslyn compiler server reports different hash version than build task
Json Format for a TimeSpan that can be bound using Microsoft.Extensions.Configuration

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!