In this post, I show how to keep secrets out of your source code in Visual Studio 2019 or above. It is never a good idea to store secrets or passwords in your project’s source code. In an ASP.NET Core development environment, you can use the Secret Manager tool to store sensitive data.
Introduction to Secret Manager
The Secret Manager tool stores your application secrets in a secrets.json file located in your development machine’s %appdata%\Microsoft\UserSecrets\\ directory.
Secret Manager is intended only for use in a development environment: it does not encrypt the stored keys and values. Once your app is in production, you can use a service such as Azure Key Vault.
Using Secret Manager
You can access secrets stored using Secret Manager the same way you would pull data from your appsettings.json file. However, because the secrets are not stored in your project’s directory, you run less risk of accidentally checking your passwords in to a source control repository.
To enable the Secret Manager utility, open your project in Visual Studio. Then, locate your project in the Solution Explorer. Right-click the project and select Manage User Secrets. This will automatically generate a UserSecretsId in your project’s .csproj configuration file, and it will open the associated secrets.json file.
Suppose you must include a Client ID and Secret in order to access a private API. Rather than including them directly in your C# source code, you could add them to secrets.json as follows:
{
    "ClientId": "myclientid",
    "ClientSecret": "00aaaa0a-00aa-00aa-00aa-00aaaa0000aa"
}
Access Secrets in Startup
To access the data stored in the Secret Manager, simply use the Configuration API available in .NET Core. Keys are often needed as part of a project’s startup routine, so open your project’s Startup.cs, or Program.cs for projects on .NET 6 or above.
If you are not already using it, go ahead and inject an instance of the configuration interface, IConfiguration, into the Startup constructor.
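using Microsoft.Extensions.Configuration;

public class Startup
{
    // The host supplies IConfiguration; in development it includes secrets.json.
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    // Read-only access to configuration values for the rest of the class.
    public IConfiguration Configuration { get; }
    // ...
}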
Now, you can use the instance in either the ConfigureServices() method or the Configure() method of Startup.cs or Program.cs using the following syntax.
var value = Configuration["key"];
For example, to access the values for the two keys in the Secret Manager, ClientId and ClientSecret, you might do something similar to the following.
string Id = Configuration["ClientId"]; //myclientid
string Secret = Configuration["ClientSecret"]; //00aaaa0a-00aa-00aa-00aa-00aaaa0000aa
The Id variable will now hold the value associated with the ClientId key from secrets.json. In other words, Id is a string variable with value myclientid. The string variable Secret has a value of 00aaaa0a-00aa-00aa-00aa-00aaaa0000aa.
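The post names Program.cs for .NET 6 or above but shows only the Startup form. As an added example (not code from the original post), this Program.cs binds the two keys to a hypothetical ApiCredentials class and stops the app at startup if either is missing, for instance on a machine that has no secrets.json. It assumes an ASP.NET Core web project with implicit usings enabled; the /config-check route is also an assumption.

```csharp
// Program.cs for an ASP.NET Core project on .NET 6 or above.
// Added example: ApiCredentials and /config-check are hypothetical names.
using System.ComponentModel.DataAnnotations;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// In the Development environment, CreateBuilder adds the user-secrets provider
// after appsettings.json, so a key in secrets.json overrides the same key there.
builder.Services.AddOptions<ApiCredentials>()
    .Bind(builder.Configuration)   // maps the root keys ClientId and ClientSecret
    .ValidateDataAnnotations()     // enforces the [Required] attributes below
    .ValidateOnStart();            // fail when the host starts, not on first use

var app = builder.Build();

// Report whether the credentials loaded without echoing the secret itself.
app.MapGet("/config-check", (IOptions<ApiCredentials> creds) =>
    Results.Ok(new
    {
        creds.Value.ClientId,
        SecretLoaded = creds.Value.ClientSecret.Length > 0
    }));

app.Run();

// A plain class rather than a record: a record's generated ToString()
// prints every property, which would put ClientSecret into logs.
public sealed class ApiCredentials
{
    // [Required] rejects null, empty and whitespace-only strings.
    [Required] public string ClientId { get; set; } = "";
    [Required] public string ClientSecret { get; set; } = "";
}
```

With either key absent from every configuration source, startup stops with an OptionsValidationException that names the missing property.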
Access Secrets in Blazor and Razor Pages
To use the data stored in Secret Manager in a Razor page, simply inject an instance of IConfiguration into the page.
@inject IConfiguration Configuration
Now, you can access your secrets by using Razor syntax and the Configuration API. For example, the following would display the ClientSecret.
<p>Your secret is @Configuration["ClientSecret"]</p>
Wrap up
In conclusion, in this post we saw how to keep secrets out of source code using the Secret Manager tool available in Visual Studio 2019 or above.