Merge pull request #91673 from BobbySchmidt2/use-key-vault-references-dotnet-core

ShawnJackson · web-flow · commit 2b7f93a03cd2 · 2019-10-22T21:49:30.000-05:00
edit pass: Use key vault references dotnet core
diff --git a/articles/azure-app-configuration/use-key-vault-references-dotnet-core.md b/articles/azure-app-configuration/use-key-vault-references-dotnet-core.md
@@ -20,77 +20,84 @@ ms.custom: mvc
 ---
 # Tutorial: Use Key Vault references in an ASP.NET Core app
 
-In this tutorial, you'll learn how to use the Azure App Configuration service together with Azure Key Vault. These are complementary services, which will be used side by side in most application deployments. To help you use them together, App Configuration allows you to create keys that reference values stored in Key Vault. When you do this, App Configuration stores the URI to the Key Vault value, rather than the value itself. Your application retrieves the value of this key using the App Configuration client provider, just like any other key stored in App Configuration. The client provider recognizes it as a Key Vault reference, and calls out to Key Vault to retrieve the value. Your application is responsible for authenticating properly to both App Configuration and Key Vault. The two services don't communicate directly.
+In this tutorial, you learn how to use the Azure App Configuration service together with Azure Key Vault. App Configuration and Key Vault are complementary services used side by side in most application deployments.
 
-This tutorial shows how you can implement Key Vault references in your code. It builds on the web app introduced in the quickstarts. Before you continue, finish [Create an ASP.NET Core app with App Configuration](./quickstart-aspnet-core-app.md) first.
+App Configuration helps you use the services together by creating keys that reference values stored in Key Vault. When App Configuration creates such keys, it stores the URIs of Key Vault values rather than the values themselves.
 
-You can use any code editor to do the steps in this tutorial. [Visual Studio Code](https://code.visualstudio.com/) is an excellent option that's available on the Windows, macOS, and Linux platforms.
+Your application uses the App Configuration client provider to retrieve Key Vault references, just as it does for any other keys stored in App Configuration. In this case, the values stored in App Configuration are URIs that reference the values in the Key Vault. They are not Key Vault values or credentials. Because the client provider recognizes the keys as Key Vault references, it uses Key Vault to retrieve their values.
+
+Your application is responsible for authenticating properly to both App Configuration and Key Vault. The two services don't communicate directly.
+
+This tutorial shows you how to implement Key Vault references in your code. It builds on the web app introduced in the quickstarts. Before you continue, finish [Create an ASP.NET Core app with App Configuration](./quickstart-aspnet-core-app.md) first.
+
+You can use any code editor to do the steps in this tutorial. For example, [Visual Studio Code](https://code.visualstudio.com/) is a cross-platform code editor that's available for the Windows, macOS, and Linux operating systems.
 
 In this tutorial, you learn how to:
 
 > [!div class="checklist"]
-> * Create an App Config key that references a value stored in Key Vault
-> * Access the value of this key from an ASP.NET Core web application
+> * Create an App Configuration key that references a value stored in Key Vault.
+> * Access the value of this key from an ASP.NET Core web application.
 
 ## Prerequisites
 
-To do this tutorial, install the [.NET Core SDK](https://dotnet.microsoft.com/download).
+Before you start this tutorial, install the [.NET Core SDK](https://dotnet.microsoft.com/download).
 
 [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
 
 ## Create a vault
 
-1. Select the **Create a resource** option on the upper left-hand corner of the Azure portal
+1. Select the **Create a resource** option in the upper-left corner of the Azure portal:
 
-    ![Output after Key Vault creation completes](./media/quickstarts/search-services.png)
-2. In the Search box, enter **Key Vault**.
-3. From the results list, choose **Key Vault**.
-4. On the Key Vault section, choose **Create**.
-5. On the **Create key vault** section provide the following information:
-    - **Name**: A unique name is required. For this quickstart, we use **Contoso-vault2**. 
-    - **Subscription**: Choose a subscription.
-    - Under **Resource Group**, choose **Create new** and enter a resource group name.
-    - In the **Location** pull-down menu, choose a location.
-    - Leave the other options to their defaults.
-6. After providing the information above, select **Create**.
+    ![Output after key vault creation is complete](./media/quickstarts/search-services.png)
+1. In the search box, enter **Key Vault**.
+1. From the results list, select **Key vaults** on the left.
+1. In **Key vaults**, select **Add**.
+1. On the right in **Create key vault**, provide the following information:
+    - Select **Subscription** to choose a subscription.
+    - In **Resource Group**, select **Create new** and enter a resource group name.
+    - In **Key vault name**, a unique name is required. For this tutorial, enter **Contoso-vault2**.
+    - In the **Region** drop-down list, choose a location.
+1. Leave the other **Create key vault** options with their default values.
+1. Select **Create**.
 
 At this point, your Azure account is the only one authorized to access this new vault.
 
-![Output after Key Vault creation completes](./media/quickstarts/vault-properties.png)
+![Output after key vault creation is complete](./media/quickstarts/vault-properties.png)
 
 ## Add a secret to Key Vault
 
-To add a secret to the vault, you just need to take a couple of additional steps. In this case, we add a message that we can use to test Key Vault retrieval. The message is called **Message** and we store the value of **Hello from Key Vault** in it.
+To add a secret to the vault, you need to take just a few additional steps. In this case, add a message that you can use to test Key Vault retrieval. The message is called **Message**, and you store the value "Hello from Key Vault" in it.
 
-1. On the Key Vault properties pages, select **Secrets**.
-1. Click on **Generate/Import**.
-1. On the **Create a secret** screen choose the following values:
-    - **Upload options**: Manual.
-    - **Name**: Message
-    - **Value**: Hello from Key Vault
-    - Leave the other values to their defaults. Click **Create**.
+1. From the Key Vault properties pages, select **Secrets**.
+1. Select **Generate/Import**.
+1. In the **Create a secret** pane, enter the following values:
+    - **Upload options**: Enter **Manual**.
+    - **Name**: Enter **Message**.
+    - **Value**: Enter **Hello from Key Vault**.
+1. Leave the other **Create a secret** properties with their default values.
+1. Select **Create**.
 
-## Add a Key Vault reference to App Config
+## Add a Key Vault reference to App Configuration
 
-1. Sign in to the [Azure portal](https://portal.azure.com). Select **All resources**, and select the app configuration store instance that you created in the quickstart.
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **All resources**, and then select the App Configuration store instance that you created in the quickstart.
 
-1. Click **Configuration Explorer**
+1. Select **Configuration Explorer**.
 
-1. Click **+ Create** > **Key vault reference** and choose the following values:
-    - **Key**: TestApp:Settings:KeyVaultMessage
-    - **Label**: Leave blank
-    - **Subscription**, **Resource group**, **Key vault**: Choose the options corresponding to the Key Vault that you created in the previous section.
-    - **Secret**: Select the secret called **Message** that you created in the previous section.
+1. Select **+ Create** > **Key vault reference**, and then specify the following values:
+    - **Key**: Select **TestApp:Settings:KeyVaultMessage**.
+    - **Label**: Leave this value blank.
+    - **Subscription**, **Resource group**, and **Key vault**: Enter the values corresponding to those in the key vault you created in the previous section.
+    - **Secret**: Select the secret named **Message** that you created in the previous section.
 
 ## Connect to Key Vault
 
-1. For this tutorial, you'll use a service principal for authentication to KeyVault. To create this service principal, use the Azure CLI [az ad sp create-for-rbac](/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create-for-rbac) command:
+1. In this tutorial, you use a service principal for authentication to Key Vault. To create this service principal, use the Azure CLI [az ad sp create-for-rbac](/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create-for-rbac) command:
 
     ```azurecli
     az ad sp create-for-rbac -n "http://mySP" --sdk-auth
     ```
 
-    This operation will return a series of key / value pairs. 
+    This operation returns a series of key/value pairs:
 
     ```console
     {
@@ -107,28 +114,32 @@ To add a secret to the vault, you just need to take a couple of additional steps
     }
     ```
 
-1. Run the following command to allow the service principal to access your key vault:
+1. Run the following command to let the service principal access your key vault:
 
-        az keyvault set-policy -n <your-unique-keyvault-name> --spn <clientId-of-your-service-principal> --secret-permissions delete get list set --key-permissions create decrypt delete encrypt get list unwrapKey wrapKey
+    ```
+    az keyvault set-policy -n <your-unique-keyvault-name> --spn <clientId-of-your-service-principal> --secret-permissions delete get list set --key-permissions create decrypt delete encrypt get list unwrapKey wrapKey
+    ```
 
-1. Add secrets for *clientId* and *clientSecret* to Secrets Manager. These commands must be executed in the same directory as the *.csproj* file.
+1. In the following commands, add secrets in place of *clientId* and *clientSecret* to Secrets Manager. The commands must be run in the same directory as the *.csproj* file.
 
-        dotnet user-secrets set ConnectionStrings:KeyVaultClientId <clientId-of-your-service-principal>        
-        dotnet user-secrets set ConnectionStrings:KeyVaultClientSecret <clientSecret-of-your-service-principal>
+    ```
+    dotnet user-secrets set ConnectionStrings:KeyVaultClientId <clientId-of-your-service-principal>
+    dotnet user-secrets set ConnectionStrings:KeyVaultClientSecret <clientSecret-of-your-service-principal>
+    ```
 
 > [!NOTE]
 > These Key Vault credentials are used only within your application. Your application authenticates directly to Key Vault with these credentials. They are never passed to the App Configuration service.
 
 ## Update your code to use a Key Vault reference
 
-1. Open *Program.cs*, and add references to required packages.
+1. Open *Program.cs*, and add references to the following required packages:
 
     ```csharp
     using Microsoft.Azure.KeyVault;
     using Microsoft.IdentityModel.Clients.ActiveDirectory;
     ```
 
-1. Update the `CreateWebHostBuilder` method to use App Configuration by calling the `config.AddAzureAppConfiguration()` method. Include the `UseAzureKeyVault` option, passing in a new `KeyVaultClient` reference to your Key Vault.
+1. Update the `CreateWebHostBuilder` method to use App Configuration by calling the `config.AddAzureAppConfiguration` method. Include the `UseAzureKeyVault` option to pass in a new `KeyVaultClient` reference to your Key Vault.
 
     ```csharp
     public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
@@ -151,7 +162,9 @@ To add a secret to the vault, you just need to take a couple of additional steps
             .UseStartup<Startup>();
     ```
 
-1. Once you've passed the *KeyVaultClient* reference to the `UseAzureKeyVault` method when initializing the connection to App Config, you can access the values of Key Vault references in the same way you access the values of regular App Config keys. To see this process in action, open *Index.cshtml* in the Views > Home directory. Replace its content with the following code:
+1. When you initialized the connection to App Configuration, you passed the `KeyVaultClient` reference to the `UseAzureKeyVault` method. After the initialization, you can access the values of Key Vault references in the same way you access the values of regular App Configuration keys.
+
+    To see this process in action, open *Index.cshtml* in the **Views** > **Home** folder. Replace its contents with the following code:
 
     ```html
     @using Microsoft.Extensions.Configuration
@@ -171,30 +184,33 @@ To add a secret to the vault, you just need to take a couple of additional steps
         and @Configuration["TestApp:Settings:KeyVaultMessage"]</h1>
     ```
 
-    You access the value of the Key Vault reference *TestApp:Settings:KeyVaultMessage* in the same way as the configuration value *TestApp:Settings:Message*
+    You access the value of the Key Vault reference **TestApp:Settings:KeyVaultMessage** in the same way as for the configuration value of **TestApp:Settings:Message**.
 
 ## Build and run the app locally
 
 1. To build the app by using the .NET Core CLI, run the following command in the command shell:
 
-        dotnet build
-
-2. After the build successfully completes, run the following command to run the web app locally:
+    ```
+    dotnet build
+    ```
 
-        dotnet run
+1. After the build is complete, use the following command to run the web app locally:
 
-3. Open a browser window, and go to `http://localhost:5000`, which is the default URL for the web app hosted locally.
+    ```
+    dotnet run
+    ```
 
-    ![Quickstart app launch local](./media/key-vault-reference-launch-local.png)
+1. Open a browser window, and go to `http://localhost:5000`, which is the default URL for the web app hosted locally.
 
+    ![Quickstart local app launch](./media/key-vault-reference-launch-local.png)
 
 ## Clean up resources
 
 [!INCLUDE [azure-app-configuration-cleanup](../../includes/azure-app-configuration-cleanup.md)]
 
 ## Next steps
 
-In this tutorial, you added an Azure managed service identity to streamline access to App Configuration and improve credential management for your app. To learn more about how to use App Configuration, continue to the Azure CLI samples.
+In this tutorial, you created an App Configuration key that references a value stored in Key Vault. To learn how to add an Azure-managed service identity that streamlines access to App Configuration and Key Vault, continue to the next tutorial.
 
 > [!div class="nextstepaction"]
-> [CLI samples](./cli-samples.md)
+> [Managed identity integration](./howto-integrate-azure-managed-service-identity.md)
