Problem
The recommended way to load key-values from App Configuration is to specify only what your application needs to use in the Select clause(s). This can be achieved by name-spacing key-values with a prefix or placing key-values into separate labels and loading only the required labels.
This rule of thumb also applies to any Key Vault references that are stored in App Configuration. If your application loads a Key Vault reference, and you haven't configured the right credentials needed to fetch the secret value from Key Vault, an exception will be thrown. However, in certain situations, you may not be able to rely on filtering the Key Vault references and need more control over what happens after Key Vault references are fetched from App Configuration. Common scenarios when you might need a workaround for avoiding this exception:
- Your application doesn't need any secrets from Key Vault.
- Your application is configured to resolve some secrets from Key Vault, but you don't want your application to resolve any new Key Vault references that may be added to your App Config store in future.
Proposed Solution
Configuration provider should not implicitly hide the exception because that would leave the application configuration in an undefined state. In order to have a deterministic value for any unresolved Key Vault references, it's best that users explicitly control what they want to do when their application loads a Key Vault reference whose value should not be fetched from Key Vault.
For this, we can add a new API that allows users to set a callback which will be invoked to resolve Key Vault references that do not have a matching SecretClient registered.
public AzureAppConfigurationKeyVaultOptions SetSecretResolver(Func<Uri, ValueTask<string>> secretResolver)
This callback takes the Key Vault secret identifier (URI) as input and returns the value that will be added to your application configuration corresponding to the Key Vault reference key.
Usage Example
If your App Configuration has the following Key Vault references:
The secret resolver callback can be configured as follows:
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;

var builder = new ConfigurationBuilder();
builder.AddAzureAppConfiguration(options =>
{
    options.Connect(connectionString)
           .Select("KeyVaultRef*")
           .ConfigureKeyVault(kv =>
           {
               // Register a SecretClient for every Key Vault whose reference needs to be resolved
               kv.Register(new SecretClient(new Uri("https://abc.vault.azure.net"), new DefaultAzureCredential()));
               kv.Register(new SecretClient(new Uri("https://xyz.vault.azure.net"), new DefaultAzureCredential()));

               // Fallback for references that have no matching SecretClient registered above
               kv.SetSecretResolver((secretIdentifier) =>
               {
                   // Example: return the secret identifier to be used as value
                   return new ValueTask<string>(secretIdentifier.ToString());
               });
           });
});

IConfiguration configuration = builder.Build();
Your application configuration will have the following key-values:
Notes
- If you choose to set the secret resolver callback, you need to explicitly register all SecretClient(s) that your application needs for resolving Key Vault references.
- If the secret resolver callback is set, it will be used as a fallback mechanism to resolve Key Vault references when no matching SecretClient has been registered.
- You cannot set both secret resolver and default credentials as fallback - only one of the following can be invoked:
  - SetSecretResolver()
  - SetCredential()
- The secret resolver callback will not be invoked if you get a failure status code from one of the registered SecretClient(s).
- If you don't want to resolve any Key Vault references, you still need to call ConfigureKeyVault() and SetSecretResolver() in order to define the behavior you want for dealing with unresolvable Key Vault references.
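An added example (not part of this proposal's own code) for the first scenario above, where the application needs no secrets from Key Vault: no SecretClient is registered, the resolver returns a deterministic empty value, and the vault host and secret path of every reference it was asked about are collected so the application can surface unexpected references at startup instead of silently resolving or crashing. It assumes the proposed SetSecretResolver API and a connectionString variable.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.Extensions.Configuration;

// Illustration only; assumes the proposed SetSecretResolver API and a connectionString variable.
var unexpectedReferences = new ConcurrentBag<string>();

var builder = new ConfigurationBuilder();
builder.AddAzureAppConfiguration(options =>
{
    options.Connect(connectionString)
           .Select("MyApp:*")
           .ConfigureKeyVault(kv =>
           {
               // No SecretClient is registered, so every Key Vault reference that is
               // loaded reaches the resolver instead of throwing.
               kv.SetSecretResolver(secretIdentifier =>
               {
                   // Record only the vault host and secret path (never a secret value)
                   // so the reference can be reported after the load completes.
                   unexpectedReferences.Add(secretIdentifier.Host + secretIdentifier.AbsolutePath);

                   // Deterministic placeholder: the key exists with an empty value.
                   return new ValueTask<string>(string.Empty);
               });
           });
});

IConfiguration configuration = builder.Build();

// The application decides what an unexpected Key Vault reference means for it;
// here it is reported so that the store contents can be reviewed.
foreach (string reference in unexpectedReferences)
{
    Console.Error.WriteLine($"Warning: unresolved Key Vault reference {reference}, value set to empty");
}
```

Throwing at this point instead of logging turns the warning into a fail-fast check for environments where no Key Vault reference should ever be present in the selected keys.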
cc: @abhilasharora @drago-draganov @jimmyca15 @zhenlan