Instead of putting secret environment variables in the appsetting.json file, the dotnet CLI has functionality to add secrets to a project, without keeping them in the project folder.
This will decrease the risk of leaking the secrets, for example by adding them to a commit by mistake.
This link leads to Microsoft's own documentation.
The cheatsheet
dotnet user-secrets --help # See available commands
dotnet user-secrets init # Initiate secrets
dotnet user-secrets set "MY_API_KEY" "xyz" # Set a secret
dotnet user-secrets set "SOME_API.MY_API_KEY" "xyz" # Set a nested secret
cat secrets.json | dotnet user-secrets set # Set all secrets in a json file
dotnet user-secrets list # List the secrets
dotnet user-secrets clear # Delete all secrets in the project
The walkthrough
Initiating
The dotnet user-secrets init command enables storage of secrets. It adds a line with a GUID in the .csproj file. This GUID is used to identify which secrets belong to which project. The command only needs to be run once for every project, if you are sharing your code with other people, they don't need to rerun it.
<UserSecretsId>71ad533a-ed09-4780-9037-a5aafb01958b</UserSecretsId>
The command also creates a folder in ~/.microsoft/usersecrets (on a Mac), with a file contaning the secrets in json format.
~/.microsoft/usersecrets
|
└───71ad533a-ed09-4780-9037-a5aafb01958b
│ └──secrets.json
|
└───<some-other-GUID>
└──secrets.json
The secrets are saved in plain text in this json file.
Setting secrets
dotnet user-secrets set "MY_API_KEY" "xyz"
dotnet user-secrets set "SOME_API.MY_API_KEY" "xyz"
The commands above are self explanatory and the resulting secrets.json file will look like this:
{
"MY_API_KEY": "xyz",
"SOME_API.MY_API_KEY": "xyz"
}
If you are given secrets in the same format as above, these can be imported all at once with the command:
$ cat secrets.json | dotnet user-secrets set
Successfully saved 2 secrets to the secret store.
Top comments (3)
So how is this different from just creating a plaintext file and putting it inside some specialized folder?
What makes it more secure?
Since the secrets are not in the project directory anymore, it's more difficult to accidently share them. Zipping the project will, for example, no longer contain the secrets. Accidently adding them to a commit will be very difficult as well.
However, the secrets are still in plain text, but it's a standard way of "putting it inside some specialized folder" :)
I'm wondering if there's a way to store it in the TMP 2.0 module