The latest articles on DEV Community by Erik-Jan Westendorp (@erikjanwestendorp). https://dev.to/erikjanwestendorp https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F733628%2Fb5c1a9c8-09fd-45fa-8172-ab196e6e8f76.jpeg https://dev.to/erikjanwestendorp en Erik-Jan Westendorp Wed, 19 Mar 2025 08:58:39 +0000 https://dev.to/erikjanwestendorp/handling-azure-key-vault-secret-naming-with-umbraco-uibuilder-license-configuration-ega https://dev.to/erikjanwestendorp/handling-azure-key-vault-secret-naming-with-umbraco-uibuilder-license-configuration-ega <h2> The Issue: Key Vault Naming Constraints </h2> <p>When configuring the Umbraco UIBuilder license using Azure Key Vault, you might encounter a frustrating issue: Key Vault secret names cannot contain dots ("."), while Umbraco UIBuilder uses dots to structure its configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"Umbraco"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Licenses"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Products"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Umbraco.UIBuilder"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YOUR_LICENSE_KEY"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>However, Azure Key Vault enforces strict naming rules, allowing only <strong>alphanumeric</strong> characters and <strong>dashes</strong> ("-") in secret names. Additionally, the <code>Azure.Extensions.AspNetCore.Configuration.Secrets</code> package automatically converts double dashes (--) to colons (:), making it even trickier when trying to map hierarchical configurations.</p> <h2> Why is this a problem? </h2> <p>Since the Umbraco UIBuilder package uses dot-separated keys in its configuration, using <code>Umbraco.UIBuilder</code> as a secret name isn't possible in Key Vault. Instead, we need a way to transform secret names from Key Vault into a structure that fits the expected configuration format for Umbraco UIBuilder.</p> <h2> The Solution: Implementing a Custom KeyVaultSecretManager </h2> <p>To resolve this issue, we can implement a custom KeyVaultSecretManager to control how secret names are mapped from Azure Key Vault to the expected configuration structure.</p> <p><strong>Step 1:</strong> Store the Secret in Key Vault<br> Since dots are not allowed, we store the secret in Key Vault using a different naming convention, for example:</p> <p>Instead of <code>Umbraco--Licenses--Products--Umbraco.UIBuilder</code>, store it as:<br> <code>Umbraco--Licenses--Products--Umbraco-UIBuilder</code> (using a single dash - instead of a dot .).</p> <p><strong>Step 2:</strong> Create a Custom KeyVaultSecretManager<br> Now, we need to create a custom <code>KeyVaultSecretManager</code> that replaces dashes (-) with dots (.) when reading the Umbraco UIBuilder secret from Azure Key Vault.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Azure.Extensions.AspNetCore.Configuration.Secrets</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Azure.Security.KeyVault.Secrets</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">My.Namespace</span><span class="p">;</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">CustomSecretManager</span> <span class="p">:</span> <span class="n">KeyVaultSecretManager</span> <span class="p">{</span> <span class="k">public</span> <span class="k">override</span> <span class="kt">string</span> <span class="nf">GetKey</span><span class="p">(</span><span class="n">KeyVaultSecret</span> <span class="n">secret</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">key</span> <span class="p">=</span> <span class="k">base</span><span class="p">.</span><span class="nf">GetKey</span><span class="p">(</span><span class="n">secret</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">key</span><span class="p">.</span><span class="nf">Equals</span><span class="p">(</span><span class="s">"Umbraco:Licenses:Products:Umbraco-UIBuilder"</span><span class="p">,</span> <span class="n">StringComparison</span><span class="p">.</span><span class="n">OrdinalIgnoreCase</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="n">key</span><span class="p">.</span><span class="nf">Replace</span><span class="p">(</span><span class="s">"-"</span><span class="p">,</span> <span class="s">"."</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="n">key</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Step 3:</strong> Register the Custom KeyVaultSecretManager<br> To integrate Key Vault with your Umbraco application, follow the official <a href="https://docs.umbraco.com/umbraco-cms/extending/key-vault" rel="noopener noreferrer">Umbraco documentation</a>. However, you’ll need to modify the <code>ConfigureKeyVault</code> method to use the <code>CustomKeyVaultSecretManager</code> instead of the default configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Azure.Identity</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Azure.Security.KeyVault.Secrets</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Azure.Extensions.AspNetCore.Configuration.Secrets</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Extensions.Configuration</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">My.Namespace</span><span class="p">;</span> <span class="k">public</span> <span class="k">static</span> <span class="k">class</span> <span class="nc">WebApplicationBuilderExtensions</span> <span class="p">{</span> <span class="k">public</span> <span class="k">static</span> <span class="n">WebApplicationBuilder</span> <span class="nf">ConfigureKeyVault</span><span class="p">(</span><span class="k">this</span> <span class="n">WebApplicationBuilder</span> <span class="n">builder</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">keyVaultEndpoint</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="n">Configuration</span><span class="p">[</span><span class="s">"AzureKeyVaultEndpoint"</span><span class="p">];</span> <span class="k">if</span> <span class="p">(!</span><span class="kt">string</span><span class="p">.</span><span class="nf">IsNullOrWhiteSpace</span><span class="p">(</span><span class="n">keyVaultEndpoint</span><span class="p">)</span> <span class="p">&amp;&amp;</span> <span class="n">Uri</span><span class="p">.</span><span class="nf">TryCreate</span><span class="p">(</span><span class="n">keyVaultEndpoint</span><span class="p">,</span> <span class="n">UriKind</span><span class="p">.</span><span class="n">Absolute</span><span class="p">,</span> <span class="k">out</span> <span class="kt">var</span> <span class="n">validUri</span><span class="p">))</span> <span class="p">{</span> <span class="n">builder</span><span class="p">.</span><span class="n">Configuration</span><span class="p">.</span><span class="nf">AddAzureKeyVault</span><span class="p">(</span> <span class="k">new</span> <span class="nf">SecretClient</span><span class="p">(</span><span class="n">validUri</span><span class="p">,</span> <span class="k">new</span> <span class="nf">DefaultAzureCredential</span><span class="p">()),</span> <span class="k">new</span> <span class="nf">CustomKeyVaultSecretManager</span><span class="p">()</span> <span class="c1">// Use the custom manager</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="n">builder</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This workaround allows us to stay aligned with Umbraco's recommended approach while bypassing Key Vault's naming restrictions, ensuring Umbraco UIBuilder can still retrieve its configuration correctly</p> umbraco uibuilder keyvault configuration