
[FEATURE REQ] New ProtectKeysWithAzureKeyVault Extension Method

Open nquandt opened this issue 2 years ago • 10 comments

Library name

Azure.Extensions.AspNetCore.DataProtection.Keys

Please describe the feature.

Requiring an extension method to configure the keyIdentifier via ServiceProvider. I inject the key identifier into DI and require a way to retrieve it in order to set up ProtectKeysWithAzureKeyVault.

ProtectKeysWithAzureKeyVault(this IDataProtectionBuilder builder, Func<IServiceProvider, string> keyIdentifierFactory, Func<IServiceProvider, TokenCredential> tokenCredentialFactory)

https://github.com/Azure/azure-sdk-for-net/blob/8a3d98d860ab9586f6062a5d7f06b48ba876d6f6/sdk/extensions/Azure.Extensions.AspNetCore.DataProtection.Keys/src/AzureDataProtectionKeyVaultKeyBuilderExtensions.cs#L30

nquandt avatar Jul 28 '23 14:07 nquandt

Hi @nquandt. Thank you for reaching out and for your suggestion. Can you help us understand the end-to-end scenario?

Since DI and data protection registrations both operate on the same IServiceCollection, they typically are done in the same scope. I'm not sure that I follow why you would need to register the identifier and then retrieve it at some indeterminate point in the future rather than providing it to both data protection and DI when registering. Likewise, why would you need to defer creating the credential?

jsquire avatar Jul 28 '23 19:07 jsquire

Hi @nquandt. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

github-actions[bot] avatar Jul 28 '23 19:07 github-actions[bot]

I get my identifier from a ConfigMap in Kubernetes, and currently the way I load that setting into my app is via an "Options" object in my DI container. I currently have a workaround where I BuildServiceProvider() before I do the DataProtection setup, but this seems weird.

nquandt avatar Aug 03 '23 14:08 nquandt

Thank you for the additional context, @nquandt. Forgive me, but I'm not sure that I'm following the flow of what that looks like. Would you be able to share a code snippet showing how you're initializing DI and registering data protection?

jsquire avatar Aug 10 '23 13:08 jsquire

Hi @nquandt. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

github-actions[bot] avatar Aug 10 '23 13:08 github-actions[bot]

Hi @nquandt, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

github-actions[bot] avatar Aug 17 '23 15:08 github-actions[bot]

Sorry I've been slow to respond.

I have an object injected into my DI container that holds my Key Vault information (this gets injected based on some environment variables set in a kube deploy).

So basically I am just looking for a simple way of setting the keyIdentifier based on data in the DI container.

// Proposed overload: both the key identifier and the credential are resolved from the
// service provider when data protection is configured, rather than at registration time.
services.AddDataProtection()
    .ProtectKeysWithAzureKeyVault(
        sp => $"{sp.GetRequiredService<MyKVOptions>().Url}/keys/dataprotection/",
        sp =>
        {
            var kvOptions = sp.GetRequiredService<MyKVOptions>();
            return new ClientSecretCredential(kvOptions.TenantId, kvOptions.ClientId, kvOptions.ClientSecret);
        });

Also, some extra context: I use Azure Key Vault in other ways throughout my application, just not for DataProtection, so that's why I have that object with my settings that I can pass around to other services.

nquandt avatar Aug 31 '23 01:08 nquandt
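The comment above describes a workaround that calls BuildServiceProvider() inside service registration. That builds a second, separate container, so every singleton (including the data protection key ring) can exist twice, which is why ASP.NET Core's ASP0000 analyzer warns about it. The following is an added example, not code from the issue or from the Azure SDK, showing the registration-time alternative jsquire hints at: bind the Key Vault settings from configuration once, hand the same values to DI and to the existing string/TokenCredential overload of ProtectKeysWithAzureKeyVault, and never build a throwaway provider. The MyKVOptions class and the "KeyVault" configuration section name are assumptions mirroring the issue; the package types (ClientSecretCredential, AddDataProtection, ProtectKeysWithAzureKeyVault) are real.

```csharp
// Added example (not from the issue or the Azure SDK): registration-time wiring that
// avoids calling BuildServiceProvider() during ConfigureServices.
// Assumes a "KeyVault" configuration section whose keys match the hypothetical
// MyKVOptions class below (Url, TenantId, ClientId, ClientSecret); the section name
// and options class are assumptions, the Azure/ASP.NET Core APIs are real.
using System;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Hypothetical options class mirroring the one referenced in the issue.
public sealed class MyKVOptions
{
    public string Url { get; set; } = string.Empty;
    public string TenantId { get; set; } = string.Empty;
    public string ClientId { get; set; } = string.Empty;
    public string ClientSecret { get; set; } = string.Empty;
}

public static class Program
{
    // Builds the key identifier the same way the issue's snippet does, but from
    // values that are already known at registration time. Kept as a separate
    // function so the URL composition is easy to unit test.
    public static string BuildKeyIdentifier(string vaultUrl) =>
        $"{vaultUrl.TrimEnd('/')}/keys/dataprotection/";

    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        // Bind once from configuration (environment variables populated by the
        // Kubernetes deployment, or an appsettings file). The bound object is
        // registered for DI *and* read immediately, so both consumers see the
        // same values without a second container.
        IConfigurationSection kvSection = builder.Configuration.GetSection("KeyVault");
        builder.Services.Configure<MyKVOptions>(kvSection);

        MyKVOptions kv = kvSection.Get<MyKVOptions>()
            ?? throw new InvalidOperationException("The 'KeyVault' configuration section is missing.");

        if (string.IsNullOrWhiteSpace(kv.Url))
        {
            throw new InvalidOperationException("KeyVault:Url must be set.");
        }

        // Existing overload: (string keyIdentifier, TokenCredential tokenCredential).
        // Nothing here needs IServiceProvider, so no BuildServiceProvider() call.
        var credential = new ClientSecretCredential(kv.TenantId, kv.ClientId, kv.ClientSecret);
        builder.Services.AddDataProtection()
            .ProtectKeysWithAzureKeyVault(BuildKeyIdentifier(kv.Url), credential);

        var app = builder.Build();

        // Other services still receive the same settings through IOptions<T>.
        app.MapGet("/", (IOptions<MyKVOptions> opts) => $"Key Vault in use: {opts.Value.Url}");
        app.Run();
    }
}
```

Two points worth noting about the design. First, reading the section with Get<MyKVOptions>() at startup is deliberate: it fails fast with a clear error if the ConfigMap or environment variable is missing, instead of the data protection system silently falling back to an unencrypted key ring. Second, if the workload runs with a managed identity or Kubernetes workload identity, swapping ClientSecretCredential for DefaultAzureCredential removes the client secret from the ConfigMap entirely, which is the smaller attack surface; the factory overload requested in this issue does not change that trade-off either way.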

@JoshLove-msft : Please include this in the discussion of the use of factories in our extensions packages. Thanks!

jsquire avatar Dec 16 '23 14:12 jsquire

@AlexanderSher: Since you're looking into Extension package feature requests, please include this one as well.

jsquire avatar Mar 04 '24 16:03 jsquire

Evaluating whether this can be addressed as part of https://github.com/Azure/azure-sdk-for-net/issues/46671

annelo-msft avatar Oct 22 '24 22:10 annelo-msft

Also chiming in here as we need this as well.

MattKotsenas avatar Apr 25 '25 19:04 MattKotsenas

Thanks to the PR submitted by @MattKotsenas (#49681), we were able to reopen discussions with the Azure SDK architecture board and secure an exemption from the guidelines that disallow lambda use in public APIs for this scenario. We expect this feature to be released in early May as part of the Azure SDK monthly release cycle.

jsquire avatar Apr 30 '25 17:04 jsquire