Using the AzureKeyVault created by azd up

[nalper-omnesoft]

In my Aspire app host, I’m setting up a PostgreSQL database and passing it as a reference to my API project. When I ran azd up, the Azure Dev CLI provisioned an Azure Key Vault, stored a connection string in the Key Vault, and set up the API project with the secret injected into it.

I am consuming a service that requires an API key, and I’d like to use the same Key Vault to securely store and access this key. How can I configure the Key Vault to include the API key and have it available to the API project? I tried adding it manually in the container app for the api project but it got removed the next time I ran

azd provision --no-prompt 
azd deploy --no-prompt. 

Is there a way to reference the secret directly from the Key Vault that was provisioned by azd?

var pgDataBase = builder
    .AddAzurePostgresFlexibleServer(postgresName)
    .RunAsContainer(pgBuilder =>
    {
        pgBuilder
            .WithImage("postgres", "16.4") // NB: must match version specified in our Testcontainers setups
            .WithEnvironment("POSTGRES_DB", dbName)
            .WithPgWeb();
    })
    .WithPasswordAuthentication()
    .AddDatabase(dbName);

var apiProject= builder
    .AddProject<Api_Server>(apiProjectName)
    .WithReference(pgDataBase)
    .WaitFor(pgDataBase);

[davidfowl]

I am consuming a service that requires an API key, and I’d like to use the same Key Vault to securely store and access this key

No there's no clean way to use the same key vault. You can think of those generated key vaults as implementation details created per resource when we need to output secrets. In the long run they will go away and be replaced by a native ARM feature that allows us to output secrets without leaking them in logs.

Here's the issue that tracks the feature you are asking for #4061.

If you were willing to dig into the implementation details a bit more, you could probably mutate the underlying bicep via https://learn.microsoft.com/en-us/dotnet/aspire/azure/integrations-overview?tabs=dotnet-cli#azureprovisioning-customization (btw I recommend reading the azure overview, it's much more fleshed out).

How can I configure the Key Vault to include the API key and have it available to the API project? I tried adding it manually in the container app for the api project but it got removed the next time I ran.

The path of least resistance is to use secret parameters for API keys. This will prompt for the secret at deployment time and set it as a secret in azure container apps.

var apiKey = builder.AddParameter("apiKey", secret: true);

var pgDataBase = builder
    .AddAzurePostgresFlexibleServer(postgresName)
    .RunAsContainer(pgBuilder =>
    {
        pgBuilder
            .WithImage("postgres", "16.4") // NB: must match version specified in our Testcontainers setups
            .WithEnvironment("POSTGRES_DB", dbName)
            .WithPgWeb();
    })
    .WithPasswordAuthentication()
    .AddDatabase(dbName);

var apiProject= builder
    .AddProject<Api_Server>(apiProjectName)
    .WithReference(pgDataBase)
    .WithReference(apiKey)
    .WaitFor(pgDataBase);

Look out for this issue evolving to track your scenario #2587.

The low-level primitives exist to create and reference key vault secrets, but it would require some knowledge of bicep and aspire primitives to do so.

[nalper-omnesoft]

Thank you so much for getting back to me. I had tried the approach of

var apiKey = builder.AddParameter("apiKey, secret: true);

However my app is deployed by github actions and the build failed. Is there a way to use that with CI/CD?

[davidfowl]

There's a one-time step you can run with azd to prompt and set some initial configuration in your github or azure dev ops pipeline https://learn.microsoft.com/en-us/dotnet/aspire/deployment/azure/aca-deployment-github-actions