I built a REST API which uploads images to my Azure storage container. My Azure storage container is secured with an access key, which I use in my POST method like this:
StorageCredentials storageCredentials = new StorageCredentials("[storage]", "[key]");
Now I want to deploy my service to the Azure cloud, but I don't know how to manage the security issue with my plain written access key in the POST method.
Where should I save sensitive data like this? Or are my worries wrong and this is not an issue?
Info:
The REST API is an ASP.NET Web API project
Azure portal => your web app => Configuration => Application Settings
That is the simplest.
You can also use a Key Vault, but the application settings are the easiest by far, and perfectly fine for this case.
For ASP.NET and ASP.NET Core developers, setting app settings in App Service are like setting them in Web.config or appsettings.json, but the values in App Service override the ones in Web.config or appsettings.json
You can read more about it here: https://learn.microsoft.com/bs-latn-ba/azure/app-service/configure-common
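The approach from the answer above, as an added example that is not part of the original posts: the Web API reads the storage account name and key from app settings instead of hard-coding them, and refuses to run with missing or placeholder values. The class name `StorageSettings` and the setting names `StorageAccountName` and `StorageAccountKey` are assumptions; the real values are entered under Configuration => Application Settings, and Web.config carries only placeholders.

```csharp
using System;
using System.Configuration;                  // reference System.Configuration
using Microsoft.WindowsAzure.Storage;        // SDK that provides StorageCredentials
using Microsoft.WindowsAzure.Storage.Auth;
using Microsoft.WindowsAzure.Storage.Blob;

public static class StorageSettings
{
    // Hypothetical setting names. Web.config holds placeholders such as "[key]";
    // the App Service application settings override them at runtime.
    private const string AccountSetting = "StorageAccountName";
    private const string KeySetting = "StorageAccountKey";

    // Builds the blob container client used by the POST method.
    public static CloudBlobContainer GetImageContainer(string containerName)
    {
        var credentials = new StorageCredentials(Require(AccountSetting), Require(KeySetting));
        var account = new CloudStorageAccount(credentials, useHttps: true);
        return account.CreateCloudBlobClient().GetContainerReference(containerName);
    }

    // Fails closed: a missing value or a leftover "[...]" placeholder stops the
    // request instead of sending a bogus credential to the storage service.
    private static string Require(string name)
    {
        string value = ConfigurationManager.AppSettings[name];
        if (string.IsNullOrWhiteSpace(value) || value.StartsWith("[", StringComparison.Ordinal))
        {
            // The message names the setting only; the value is never logged.
            throw new ConfigurationErrorsException("App setting '" + name + "' is not configured.");
        }
        return value;
    }
}
```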
Related
I have an ASP.NET Core web API and we are using Application Insights to log requests, responses, customEvents and exceptions. In appsettings.json I have added the instrumentation key like
"ApplicationInsights": {
    "InstrumentationKey": "xxxx-xxxxxx-xxxxx-xxxxxxx"
}
I want to remove this section and read this key from Key Vault.
The Application Insights instance should be successfully injected through DI in Startup.cs
As the InstrumentationKey is just another value in the configuration, you have a few options.
You can store the InstrumentationKey in the secrets.json file, which will not be pushed to source control, so this can be helpful when you are debugging locally.
Once the local setup is done and you go to publish your app, you can keep the InstrumentationKey in the Web App Configuration in the Azure Web App, or you can use Azure App Configuration, which is provided by Azure, or use Key Vault directly.
In order to achieve this you must enable Managed Identities in the Web App and grant it permission to access the Key Vault.
You can follow this to set up Managed Identities
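One way to wire up the Key Vault option described in the answer above, as an added example that is not part of the original posts. It assumes the NuGet packages Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets, a hypothetical non-secret setting `KeyVaultUri`, a vault secret named `ApplicationInsights--InstrumentationKey`, and the project's existing `Startup` class.

```csharp
using System;
using Azure.Identity;                        // DefaultAzureCredential
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;    // AddAzureKeyVault extension method
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // Local debugging keeps reading the key from secrets.json (user secrets).
                if (context.HostingEnvironment.IsDevelopment())
                {
                    return;
                }

                // "KeyVaultUri" is a hypothetical setting; it is not a secret and can
                // live in the Web App's application settings.
                string vaultUri = config.Build()["KeyVaultUri"];
                if (string.IsNullOrWhiteSpace(vaultUri))
                {
                    throw new InvalidOperationException("KeyVaultUri is not configured.");
                }

                // In App Service, DefaultAzureCredential picks up the Web App's managed
                // identity, so no client secret is stored anywhere in the app.
                // The provider maps "--" in secret names to ":", so the secret
                // "ApplicationInsights--InstrumentationKey" is read as the key
                // "ApplicationInsights:InstrumentationKey", the same path as in appsettings.json.
                config.AddAzureKeyVault(new Uri(vaultUri), new DefaultAzureCredential());
            })
            .ConfigureWebHostDefaults(web => web.UseStartup<Startup>());
}
```

With this in place the `ApplicationInsights` section can be deleted from appsettings.json; the managed identity needs only read access to secrets in the vault.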
I secured my ASP.NET Core Azure Function App by modifying the configuration in Startup.cs and calling the Microsoft.Identity.Web's AddAuthentication and AddMicrosoftIdentityWebApi extension methods on the services collection object (similar to the approach used in the AzureFunctions example in the Tests directory of the GitHub repo of Microsoft.Identity.Web). This allows me to securely call the Azure Function API from my Blazor Server app using Microsoft Identity Platform. The Azure Functions API does not call any downstream API.
This approach works perfectly fine without the need to enable the Authentication option under Function App - Setting in Azure Portal and specifying an identity provider there and linking it to an Azure AD app registration.
Does somebody know what enabling authentication and adding an identity provider under the settings of the Function App in the Azure Portal does compared to the manual configuration in Startup.cs? If I understand correctly, it does the same thing but implicitly instead of explicitly in the Startup.cs.
That option, sometimes referred to as "Easy Auth", enables an additional container (or program) that will validate the token, so you don't have to. The request will first go to that middleware application and then, if validation passes, will go to your app.
For details see the docs page: https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
That option is common to the webapps and function apps. The code runs separately, so it's not part of your application middleware chain.
I am facing the following problem and hope I can find a way to solve it with your help.
I created the following Azure resources:
WebApp Service (Asp.Net Core web application)
FileStorage
VirtualNetwork
All resources are created in one resource group. I am trying to upload a file from my WebApp to File storage via the VNet (I need to secure the storage, so it must be inaccessible from the outside internet).
The Virtual Network has a subnet, which has a Microsoft.Storage service endpoint set up. This subnet is included in the Storage firewall settings.
To work with Azure storage I use the Microsoft.WindowsAzure.Storage package.
When I try to access the storage from the web app I get a 403 error.
For access I use 'primary file service endpoint' - https://myaccount.file.core.windows.net/
What have I missed?
Thanks for any advice!
Azure File shares can’t be accessed from Azure App Service web apps. Refer to this feedback item where the feature was declined.
I have been struggling to find some resources that help explain how we use File Storage with Web App Service.
There are ways to use it with the old Web Roles, Check here (Using the Azure File Service in your Cloud Services (Web and Worker Roles)).
However, there is NO OnStart() method in "Azure Web Service".
If you're looking to map a drive to your Azure File Service share in your Web App using the SMB protocol, then I don't think you can do that as of today.
What you could do is make use of the Azure File Service REST API and manipulate shares and files that way. You don't have to actually use the REST API per se; you can simply use the latest version of the .NET Storage Client library, which is a wrapper over the REST API.
Please see this link for more details on how to use this using Storage Client library: https://azure.microsoft.com/en-in/documentation/articles/storage-dotnet-how-to-use-files/.
Yes, you can. In Linux Web Apps and Windows Containers Web Apps only.
In the Web App, under Application Settings you will find Mount storage (Preview) section where you can mount Storage account. Works like a charm.
I have a C# API service deployed to an Azure cloud service. It uses various settings configured in the csdef and cscfg files, and I can update them in the settings section of the Azure portal. I have a need to programmatically update some settings (to change a password, for example).
I know I can do this using PowerShell, but can I do it using just C# code in my API?
See Microsoft.WindowsAzure.Management.Compute.ComputeManagementClient.ChangeConfigurationBySlot(...)