{"id":50893,"date":"2024-03-14T10:05:00","date_gmt":"2024-03-14T17:05:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/dotnet\/?p=50893"},"modified":"2024-03-14T10:05:00","modified_gmt":"2024-03-14T17:05:00","slug":"generate-dotnet-secrets-automatically-from-azure-deployment","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/dotnet\/generate-dotnet-secrets-automatically-from-azure-deployment\/","title":{"rendered":"Generate Local .NET Secrets from Azure Deployments"},"content":{"rendered":"

Often sample projects starts with a few “magic strings”, those variables contains URLs and key information related to a deployment or external resources that we will have to change to use the sample. As an example in .NET it could look like this: <\/p>\n

string openAIEndpoint = \"https:\/\/\";\nstring openAIDeploymentName = \"my-ai-model\";\nstring openAiKey = \"123456abcd789EFGH\";\n\/\/ ...<\/code><\/pre>\n
This post shows how you to automatically generate .NET secrets from the Azure deployment and how your .NET app can read them. Users who would like to try your sample won’t have to edit anything anymore! They will only have to deploy using azd up<\/code>, and then dotnet run<\/code> to execute the app. Sound interesting? Here are to implement it. <\/p>\n
\n
The code for the entire project can be found on GitHub, in the fboucher\/hikerai<\/a>.<\/p>\n<\/blockquote>\n
The Preparation<\/h2>\n
Bicep is a language for creating infrastructure definitions for Azure resources that you want to deploy. Since these resources will have information like endpoints or model names, we want a way to export those, and in Bicep we use the output<\/code> syntax:<\/p>\n
\/\/ some bicep deployment...\n\noutput AZURE_OPENAI_ENDPOINT string = ai.outputs.AZURE_OPENAI_ENDPOINT\noutput AZURE_OPENAI_GPT_NAME string = ai.outputs.AZURE_OPENAI_GPT_NAME\noutput AZURE_OPENAI_KEY string = ai.outputs.AZURE_OPENAI_KEY<\/code><\/pre>\n
With the Azure Developer CLI (azd) the command azd env get-values<\/code> returns all those values in list of key-paired values. A PowerShell or Bash script could read those and create new .NET secrets using the command dotnet user-secrets set<\/code>. Here the script postprovision.ps1<\/code>.<\/p>\n
function Set-DotnetUserSecrets {\n    param ($path, $lines)\n    Push-Location\n    cd $path\n    dotnet user-secrets init\n    dotnet user-secrets clear\n    foreach ($line in $lines) {\n        $name, $value = $line -split '='\n        $value = $value -replace '\"', ''\n        $name = $name -replace '__', ':'\n        if ($value -ne '') {\n            dotnet user-secrets set $name $value | Out-Null\n        }\n    }\n    Pop-Location\n}\n\n$lines = (azd env get-values) -split \"`n\"\nSet-DotnetUserSecrets -path \".\" -lines $lines<\/code><\/pre>\n
This script start by creating a function Set-DotnetUserSecrets<\/code> that takes two parameters. The first parameter $path<\/code> will be used so the script can change directory to that location. This is essential to make sure the secrets are created where needed. The second parameter $lines<\/code> contains all the substring where key-paired values are saved (ex: VARIABLE_NAME=”variable_value”). The script loops through all lines to isolate the names and the values and create a secret for each of them dotnet user-secrets set $name $value<\/code>.<\/p>\n
On the two last lines, the script retrieves the environment variable generated by the outputs using azd env get-values<\/code> and split the result in substring. It will finally call the function Set-DotnetUserSecrets<\/code> declared previously passing the the path and lines. A postprovision.sh<\/code> version of the script is also available in the repository.<\/p>\n
To execute the script after the deployment we need to add a post provision hook into the azure.yaml<\/code> file. The azure.yaml<\/code> is the schema that defines and describes the apps and types of Azure resources that are included in a project. Here how it looks.<\/p>\n
hooks:\n  postprovision:\n    windows:\n      shell: pwsh\n      run: .\/infra\/post-script\/postprovision.ps1\n      interactive: true\n      continueOnError: true<\/code><\/pre>\n
The deployment<\/h2>\n
Execute your deployment using Azure CLI Developer CLI command azd up<\/code>. You can use the code of HikerAI available at fboucher\/hikerai<\/a>. Once you clone or download the repository, make sure you are at the root directory, to deploy the solution.<\/p>\n
To test that the secrets have been created used the command dotnet user-secrets list<\/code>.<\/p>\n
\"result<\/p>\n
Use the Secrets<\/h2>\n
Using the NuGet package Microsoft.Extensions.Configuration<\/code>, the application will be able to read the user secrets. You can now replace those magic strings.<\/p>\n
\/\/ == Retrieve the local secrets saved during the Azure deployment ==========\nusing Microsoft.Extensions.Configuration;\n\nvar config = new ConfigurationBuilder().AddUserSecrets<Program>().Build();\nstring openAIEndpoint = config[\"AZURE_OPENAI_ENDPOINT\"];\nstring openAIDeploymentName = config[\"AZURE_OPENAI_GPT_NAME\"];\nstring openAiKey = config[\"AZURE_OPENAI_KEY\"];<\/code><\/pre>\n
Video<\/h2>\n