{"id":15245,"date":"2017-11-17T09:00:10","date_gmt":"2017-11-17T17:00:10","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/visualstudio\/?p=15245"},"modified":"2019-02-14T15:26:47","modified_gmt":"2019-02-14T23:26:47","slug":"managing-secrets-securely-in-the-cloud","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/visualstudio\/managing-secrets-securely-in-the-cloud\/","title":{"rendered":"Managing Secrets Securely in the Cloud"},"content":{"rendered":"<p>You\u2019ve probably heard some version of the story about a developer who mistakenly checked in his AWS S3 key to Github. He pulled the key within 5 minutes but still racked up a multi-thousand dollar bill from bots that crawl open source sites looking for secrets. As developers we all understand and care about keeping dev and production secrets safe but managing those secrets on your own or especially in a team can be cumbersome. We are pleased to announce several new features that together will make detecting secrets in code and working with secrets stored securely on Azure easier than it\u2019s ever been before.<\/p>\n<ul>\n<li><a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=chrismann.MicrosoftVisualStudioAsalExtension\">App Services Authentication Extension<\/a> for <a href=\"https:\/\/www.visualstudio.com\/downloads\/\">Visual Studio 2017 version 15.5 or later<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/app-service\/app-service-managed-service-identity\">Managed Service Identity (MSI)<\/a> support in Azure App Services<\/li>\n<li><a href=\"https:\/\/go.microsoft.com\/fwlink\/?linkid=862356\">ASP.NET Key Vault and User Secret Configuration builders Builder<\/a> | <a href=\"https:\/\/go.microsoft.com\/fwlink\/?linkid=852095\">.NET 4.7.1<\/a><\/li>\n<li><a href=\"https:\/\/go.microsoft.com\/fwlink\/?linkid=862355\">Credential Scanner (CredScan) Code Analyzer Preview<\/a><\/li>\n<\/ul>\n<h2>Safeguarding Secrets while building for 
Azure<\/h2>\n<p>Most of us know it\u2019s a best practice to keep secret settings like connection strings, domain passwords, or other credentials as a runtime configuration and outside the source code. Azure Key Vault provides a secure location to safeguard keys and other secrets used by cloud apps. Azure App Service recently added support for <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/app-service\/app-service-managed-service-identity\">Managed Service Identity<\/a>, which means apps running on App Service can easily get authorized to access a Key Vault and other AAD-protected resources, so you no longer need to store secrets visibly in environment variables.<\/p>\n<p>If you do this though, getting your local dev environment set up with the right secrets can be a pain, especially if you work in a team. We hear many developers distribute secrets for shared dev services through email or just check them into source code. So we created the <a href=\"https:\/\/go.microsoft.com\/fwlink\/?linkid=862354\">App Authentication Extension<\/a> to make it easy to develop apps locally while keeping your secrets in Key Vault. With the extension installed, your locally running app uses the identity signed into Visual Studio to get secrets you are authorized to access directly from Key Vault. 
This works great in a team environment where you might have a security group for the dev team with access to a dev environment Key Vault.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/4\/2019\/06\/Azure-key-vault.png\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Azure key vault\" src=\"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2017\/11\/Azure-key-vault.png\" alt=\"Azure key vault\" \/><\/a><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/4\/2019\/06\/Azure-service-authentication-account-selection-setting-in-Tools-Options1.png\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Azure service authentication account selection setting in Tools Options\" src=\"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2017\/11\/Azure-service-authentication-account-selection-setting-in-Tools-Options1.png\" alt=\"Azure service authentication account selection setting in Tools Options\" \/><\/a><\/p>\n<p>In ASP.NET applications, the <a href=\"https:\/\/go.microsoft.com\/fwlink\/?linkid=862356\">ASP.NET Key Vault and User Secret configuration builders with .NET 4.7.1<\/a> is a NuGet package that allows secret app settings to be saved in secure configuration stores instead of in web.config as plaintext, without changing application source code. In ASP.NET Core applications there is a small code change to load Key Vault as a configuration provider, and once you do this you are set. 
This change isn\u2019t done yet, but we\u2019re hoping to eliminate it soon.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/4\/2019\/06\/App-Settings.png\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"App Settings\" src=\"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2017\/11\/App-Settings.png\" alt=\"App Settings\" \/><\/a><\/p>\n<p>Here are a couple of walkthroughs that show you how everything works:<\/p>\n<ul>\n<li>ASP.NET: <a href=\"https:\/\/go.microsoft.com\/fwlink\/?linkid=862357\">app-service-msi-keyvault-dotnet<\/a><\/li>\n<li>ASP.NET Core: <a href=\"https:\/\/go.microsoft.com\/fwlink\/?linkid=862378\">aspnetcore-msi-keyvault<\/a><\/li>\n<\/ul>\n<h2>Credential Scanner (CredScan) Code Analyzer Preview<\/h2>\n<p>We also wanted to make it easier for devs to find secrets in their code to encourage moving secrets to more secure locations like <a href=\"https:\/\/docs.microsoft.com\/en-us\/aspnet\/core\/security\/app-secrets?tabs=visual-studio\">User Secrets<\/a> or <a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/key-vault\/\">Azure Key Vault.<\/a> The <a href=\"https:\/\/go.microsoft.com\/fwlink\/?linkid=862355\">Credential Scan Code Analyzer<\/a> is a very early preview that can detect Storage access keys, SAS tokens, API management keys, Cosmos DB access keys, AAD Service principal keys, connection strings for SQL, Azure SQL, Service Bus, Azure Logic apps, BizTalk server, and various other credential types. 
As you edit your code the analyzer scans your code and immediately warns you about secrets it finds in any open documents with warnings in the error list and in the Build and Code Analysis at Commit time.\u00a0It\u2019s something we\u2019ve been developing, utilizing, and improving within Microsoft for some time now.<\/p>\n<p>The <a href=\"https:\/\/go.microsoft.com\/fwlink\/?linkid=862355\">Credential Scan Code Analyzer<\/a> is a preview and ships in the experimental DevLabs extension, <a href=\"http:\/\/aka.ms\/cd4vs\">Continuous Delivery Tools for Visual Studio<\/a>. This is because we know this is an important area that goes beyond open documents and can stretch all the way into your CI environment. Rather than waiting, we released an experimental version now because we think it\u2019s useful and we want your feedback on how you would use this in your environment.<\/p>\n<p>Please install these extensions and give the walkthroughs a try to let us know what you think.<\/p>\n<table border=\"0\" width=\"600\" cellspacing=\"0\" cellpadding=\"2\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"150\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-content\/uploads\/sites\/4\/2017\/11\/Catherine-Wang-e1510874582606.jpg\" width=\"150\" height=\"410\" \/><\/td>\n<td valign=\"top\" width=\"450\"><strong>Catherine Wang<\/strong>, Program Manager, Azure Developer Experience Team\n<a href=\"https:\/\/twitter.com\/cawa_cathy\">@cawa_cathy<\/a>Catherine is a Program Manager for Azure Developer Experience team in Microsoft. I worked on Azure security tooling, Azure diagnostics, Storage Explorer, Service Fabric and Docker tools. Interested in making development experience simple, smooth and productive.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>You\u2019ve probably heard some version of the story about a developer who mistakenly checked in his AWS S3 key to Github. 
He pulled the key within 5 minutes but still racked up a multi-thousand dollar bill from bots that crawl open source sites looking for secrets. As developers we all understand and care about keeping [&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":255385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1085,561,1029],"tags":[237,354,85,242,1046,357,156],"class_list":["post-15245","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud","category-open-source","category-web","tag-net","tag-announcement","tag-asp-net","tag-azure","tag-service-fabric","tag-sql","tag-visual-studio-2017"],"acf":[],"blog_post_summary":"<p>You\u2019ve probably heard some version of the story about a developer who mistakenly checked in his AWS S3 key to Github. He pulled the key within 5 minutes but still racked up a multi-thousand dollar bill from bots that crawl open source sites looking for secrets. 
As developers we all understand and care about keeping [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/posts\/15245","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/comments?post=15245"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/posts\/15245\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/media\/255385"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/media?parent=15245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/categories?post=15245"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/visualstudio\/wp-json\/wp\/v2\/tags?post=15245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}