
Feature suggestion: Foundatio component for key vaults

Open ErikApption opened this issue 1 year ago • 9 comments

Would love to have an abstraction layer around Azure Key Vault and provide a wrapper to avoid directly referencing Azure Key Vault, especially since this is a critical component in almost every project. I think a Foundatio component should support at least:

  • AWS Secret Manager
  • Azure Key Vault

Also other potential candidates could be

  • GCP Secret Manager
  • Local secrets
  • Windows secret manager

I don't mind tackling an initial PR for this, but wondering if additional discussion is required before jumping into code.

ErikApption avatar Feb 28 '24 15:02 ErikApption

Isn't that what the .NET config is for?

ejsmith avatar Feb 29 '24 13:02 ejsmith

With the .NET config you can read local secrets and read values from Key Vault, but it is not ideal for writing/saving secrets or ensuring that a value is in secret storage, and there is no way to manage any expiry of a secret. In these scenarios, you are forced to use the native APIs for Key Vault or equivalents.

ErikApption avatar Feb 29 '24 15:02 ErikApption

So you are actually looking for secret management, not so much just getting secrets since .NET config has implementations for all of those secret services you've mentioned. Is that correct?

ejsmith avatar Feb 29 '24 15:02 ejsmith

Correct - secret management.

ErikApption avatar Feb 29 '24 15:02 ErikApption

Ok, it's not something I have a lot of familiarity with. I've just typically imported secret config. If you want to give me an idea of what the abstraction would look like then we can discuss more. You would need to be willing to take ownership and submit a few implementations. Is that ok?

ejsmith avatar Feb 29 '24 15:02 ejsmith

You would need to be willing to take ownership and submit a few implementations. Is that ok?

absolutely :-) I don't think this should be very complicated. For one of our use cases, I'd really like to support local and windows secret management, so I'll need to do a bit more digging there to make sure that we can have a similar API to the Azure KV.

ErikApption avatar Feb 29 '24 15:02 ErikApption
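A sketch of what the secret-management abstraction discussed above could look like, added here as an illustration (it is not Foundatio code and not from either participant): the interface name, its members and the in-memory store are assumptions, standing in for the Azure Key Vault / AWS Secrets Manager backends the thread mentions. It covers the three gaps named in the thread: writing a secret, ensuring one exists, and tracking expiry.

```csharp
// Added example, not part of Foundatio: ISecretStore and its members are hypothetical names.
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;

public record SecretEntry(string Value, DateTimeOffset? ExpiresAt);

public interface ISecretStore
{
    Task<string?> GetAsync(string name);
    Task SetAsync(string name, string value, TimeSpan? ttl = null);
    // Returns the stored value, or writes and returns createValue() when nothing is stored.
    Task<string> EnsureAsync(string name, Func<string> createValue, TimeSpan? ttl = null);
    Task<bool> IsExpiringAsync(string name, TimeSpan within);
}

// In-memory backend, useful for tests and as the "local secrets" case from the thread.
public sealed class InMemorySecretStore : ISecretStore
{
    private readonly ConcurrentDictionary<string, SecretEntry> _secrets = new();
    private readonly Func<DateTimeOffset> _now; // injectable clock so expiry can be tested

    public InMemorySecretStore(Func<DateTimeOffset>? now = null)
        => _now = now ?? (() => DateTimeOffset.UtcNow);

    public Task<string?> GetAsync(string name)
    {
        if (_secrets.TryGetValue(name, out var e) && (e.ExpiresAt is null || e.ExpiresAt > _now()))
            return Task.FromResult<string?>(e.Value);
        _secrets.TryRemove(name, out _); // expired entries are dropped so callers never read stale secrets
        return Task.FromResult<string?>(null);
    }

    public Task SetAsync(string name, string value, TimeSpan? ttl = null)
    {
        _secrets[name] = new SecretEntry(value, ttl is { } t ? _now() + t : null);
        return Task.CompletedTask;
    }

    public async Task<string> EnsureAsync(string name, Func<string> createValue, TimeSpan? ttl = null)
    {
        var existing = await GetAsync(name);
        if (existing is not null) return existing;
        var created = createValue(); // e.g. a freshly generated credential for a provisioned resource
        await SetAsync(name, created, ttl);
        return created;
    }

    public Task<bool> IsExpiringAsync(string name, TimeSpan within)
        => Task.FromResult(_secrets.TryGetValue(name, out var e)
                           && e.ExpiresAt is { } exp && exp <= _now() + within);
}
```

A Key Vault or Secrets Manager implementation of the same interface would map `ExpiresAt` onto the provider's own expiry attribute rather than keeping it in memory.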

I'm just curious in the scenarios you think this would be used. From my very limited experience, a team or policy would control or rotate keys / secrets and this wouldn't be done from an application.

niemyjski avatar Mar 01 '24 02:03 niemyjski

@niemyjski - we have plenty of use cases recently. Anything that has some dynamic infrastructure, especially if the app needs to manage any user secret (e.g. external storage account, database, etc.).

Ideally the static application settings should be managed by terraform/policy, but everything that is provided by the user is better stored in a managed encrypted store. We have built apps that provision user storage accounts and connect to user-provided storage accounts - and these need a way for the application to access secure stores.

ErikApption avatar Mar 04 '24 21:03 ErikApption

https://github.com/sebastiean/volt https://twitter.com/davidfowl/status/1783732990251815165

niemyjski avatar Apr 26 '24 13:04 niemyjski