Aspnetcore: Add support for Azure.Storage.Blobs in ProtectKeysWithAzureKeyVault

Created on 24 Nov 2019 · 8 Comments · Source: dotnet/aspnetcore

We are currently using

    // kv: KeyVaultClient; blobUri / keyVaultUri: string locations of the key ring blob and the Key Vault key
    services.AddDataProtection()
        .PersistKeysToAzureBlobStorage(new Uri(blobUri))
        .ProtectKeysWithAzureKeyVault(kv, keyVaultUri);

to enable scenarios like scale out and deployment swapping.

Currently PersistKeysToAzureBlobStorage and its package Microsoft.AspNetCore.DataProtection.AzureStorage depend on Microsoft.Azure.Storage.Blob. This aspect could also be implemented using Azure.Storage.Blobs.

In a similar way ProtectKeysWithAzureKeyVault and its package Microsoft.AspNetCore.DataProtection.AzureKeyVault depend on Microsoft.Azure.KeyVault. This aspect could also be implemented using Azure.Security.KeyVault.Keys.

As we understand the communication/versioning scheme, these new libraries seem to be the way forward.

We would like to move to the new blob storage and key vault clients as well as Azure.Identity for all our MSI handling and would be happy if the data protection extensions could support that as well. Especially for new applications we would like to avoid the dependency on the "old" libraries.

area-dataprotection

All 8 comments

Do you mean you want the data protection key ring totally in key vault? If so, no. Granting the ability to create keys in key vault to an app violates least privilege, and its API surface doesn't allow for the loading of multiple keys in a single operation; rather, you have to page through each key, which would delay app startup by what we feel is an unacceptable time.

Thank you for the swift reply @blowdart! Sorry for the misunderstanding. That is not what I was asking for. I am aware that this wouldn't match the overall architecture and I agree that write permissions for apps/MSI are to be avoided at all costs.

I tried to clarify and add more information to my initial post.

Oh just an update to the libraries we depend on? Yea, we can look at that for v5.

@blowdart this is done already now that the PR was merged correct?

Closing as done

@blowdart could you please clarify how this will be shipped? The PR references 3.1(.3) but I was not able to find a package/version which doesn't depend on the "old" storage lib. I was under the impression that this will be for 5.x but that label got removed.
Thanks!

The new packages are released and now owned by the Azure SDK team. See this announcement for details: https://github.com/aspnet/Announcements/issues/409
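The configuration from the issue body redone against the Azure SDK-owned successor packages, as an added example that is not code from the issue or from the aspnetcore repository; the package names (Azure.Extensions.AspNetCore.DataProtection.Blobs / .Keys), the configuration keys, the Startup shape and the SetApplicationName value are assumptions.

```csharp
// Added example: the old PersistKeysToAzureBlobStorage / ProtectKeysWithAzureKeyVault
// chain rewritten for Azure.Storage.Blobs, Azure.Security.KeyVault.Keys and
// Azure.Identity, via the Azure SDK extension packages (assumed):
//   Azure.Extensions.AspNetCore.DataProtection.Blobs
//   Azure.Extensions.AspNetCore.DataProtection.Keys
using System;
using Azure.Identity;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // Blob holding the key ring XML, e.g.
        // https://<account>.blob.core.windows.net/<container>/keys.xml (configuration key assumed).
        // The app identity needs read/write on this blob only: new keys are appended on rotation.
        var blobUri = new Uri(_config["DataProtection:BlobUri"]);

        // Key Vault key that wraps the key ring's master keys, e.g.
        // https://<vault>.vault.azure.net/keys/<key-name> (configuration key assumed).
        // The identity needs get/wrapKey/unwrapKey on this existing key and nothing more;
        // the key ring itself is never written to Key Vault, in line with the maintainer's
        // least-privilege objection above.
        var keyVaultKeyId = new Uri(_config["DataProtection:KeyVaultKeyId"]);

        // One TokenCredential for both clients: managed identity (MSI) in Azure,
        // developer credentials locally.
        var credential = new DefaultAzureCredential();

        services.AddDataProtection()
            // Pins the key ring identity so scaled-out instances and swapped slots
            // read and write the same keys (value constructed for the example).
            .SetApplicationName("my-app")
            .PersistKeysToAzureBlobStorage(blobUri, credential)
            .ProtectKeysWithAzureKeyVault(keyVaultKeyId, credential);
    }
}
```

The two overloads taking a TokenCredential replace the KeyVaultClient and connection-string based overloads of the Microsoft.AspNetCore.DataProtection.AzureStorage / AzureKeyVault packages, so the "old" Microsoft.Azure.* dependencies drop out entirely.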
