
Feature suggestion: Foundatio component for key vaults #298

Open
ErikApption opened this issue Feb 28, 2024 · 9 comments

Comments

@ErikApption

ErikApption commented Feb 28, 2024

Would love to have an abstraction layer around Azure Key Vault and provide a wrapper to avoid directly referencing Azure Key Vault, esp. since this is a critical component in almost every project.
I think a Foundatio component should support at least:

  • AWS Secret Manager
  • Azure Key Vault

Also other potential candidates could be

  • GCP Secret Manager
  • Local secrets
  • Windows secret manager

I don't mind tackling an initial PR for this but I'm wondering if additional discussion is required before jumping into code.

@ejsmith
Contributor

ejsmith commented Feb 29, 2024

Isn't that what the .NET config is for?

@ErikApption
Author

With the .NET config you can read local secrets and read values from Key Vault, but it is not ideal for writing/saving secrets or ensuring that a value is in a secret storage, and there is no way to manage any expiry of a secret. In these scenarios, you are forced to use the native APIs for Key Vault or equivalents.

@ejsmith
Contributor

ejsmith commented Feb 29, 2024

So you are actually looking for secret management, not so much just getting secrets since .NET config has implementations for all of those secret services you've mentioned. Is that correct?

@ErikApption
Author

Correct - secret management.

@ejsmith
Contributor

ejsmith commented Feb 29, 2024

Ok, it's not something I have a lot of familiarity with. I've just typically imported secret config. If you want to give me an idea of what the abstraction would look like then we can discuss more. You would need to be willing to take ownership and submit a few implementations. Is that ok?

@ErikApption
Author

You would need to be willing to take ownership and submit a few implementations. Is that ok?

Absolutely :-) I don't think this should be very complicated. For one of our use cases, I'd really like to support local and Windows secret management, so I'll need to do a bit more digging there to make sure that we can have a similar API to the Azure KV.
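As an added sketch of what the abstraction ejsmith asks for could look like (not Foundatio code or anything from this thread; the names `ISecretStore`, `SecretEntry` and `InMemorySecretStore` are my own), covering the three gaps named earlier: saving a secret, ensuring one exists, and tracking expiry:

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;

// Hypothetical abstraction sketched for this discussion; not Foundatio code.
public record SecretEntry(string Value, DateTimeOffset? ExpiresOn);

public interface ISecretStore
{
    Task<SecretEntry?> GetAsync(string name);
    Task SaveAsync(string name, string value, TimeSpan? ttl = null);
    // Return the existing unexpired secret, or create one with the factory.
    Task<SecretEntry> EnsureAsync(string name, Func<string> factory, TimeSpan? ttl = null);
}

// In-memory implementation for tests and local development. Expired entries are
// treated as absent, so a caller never receives a stale secret and EnsureAsync re-creates it.
public sealed class InMemorySecretStore : ISecretStore
{
    private readonly ConcurrentDictionary<string, SecretEntry> _entries = new();
    private readonly Func<DateTimeOffset> _clock;   // injectable so expiry can be tested
    public InMemorySecretStore(Func<DateTimeOffset>? clock = null)
        => _clock = clock ?? (() => DateTimeOffset.UtcNow);

    public Task<SecretEntry?> GetAsync(string name)
    {
        if (_entries.TryGetValue(name, out var entry))
        {
            if (!IsExpired(entry)) return Task.FromResult<SecretEntry?>(entry);
            _entries.TryRemove(name, out _);   // purge the expired entry
        }
        return Task.FromResult<SecretEntry?>(null);
    }

    public Task SaveAsync(string name, string value, TimeSpan? ttl = null)
    {
        DateTimeOffset? expires = ttl.HasValue ? _clock() + ttl.Value : null;
        _entries[name] = new SecretEntry(value, expires);
        return Task.CompletedTask;
    }

    public async Task<SecretEntry> EnsureAsync(string name, Func<string> factory, TimeSpan? ttl = null)
    {
        var existing = await GetAsync(name);
        if (existing is not null) return existing;
        await SaveAsync(name, factory(), ttl);   // factory runs only when the secret is missing
        return (await GetAsync(name))!;
    }

    private bool IsExpired(SecretEntry e) => e.ExpiresOn is { } t && t <= _clock();
}
```

A Key Vault or Secrets Manager implementation would map `ExpiresOn` to the provider's native expiry attribute rather than tracking it locally.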

@niemyjski
Member

I'm just curious about the scenarios in which you think this would be used. From my very limited experience, a team or policy would control or rotate keys / secrets and this wouldn't be done from an application.

@ErikApption
Author

ErikApption commented Mar 4, 2024

@niemyjski - we have plenty of use cases recently. Anything that has some dynamic infrastructure, esp. if the app needs to manage any user secret (e.g. external storage account, database, etc.).

Ideally the static application settings should be managed by Terraform/policy, but everything that is provided by the user is better stored in a managed encrypted store. We have built apps that provision user storage accounts and connect to user-provided storage accounts - and these need a way for the application to access secure stores.
