Storing api-keys in appsettings.json

I am integrating ImageShop (DAM) into my Optimizely project and need to have my configuration set up in appsettings.json like this:

"ImageshopOptimizelyPlugin": {
    "Settings": {
        "token": "<api key>"
    }
}

We are currently storing API-keys in DXP's app secrets, but in this case it needs to be added to appsettings.json. The documentation does not provide any way of substituting secrets with variables (something you can do with Azure Key Vault). How can I add the key into appsettings while also concealing its value?

#308756
Sep 20, 2023 9:00

Can you share the document for setting up ImageShop? There might be a way to override ...

#308760
Sep 20, 2023 9:42
Laurent - Sep 20, 2023 10:23
Thank you for responding Quan. Here is the documentation: https://nugetprodusnc-northcentralus-01.regional.azure-api.net/packages/Imageshop.Optimizely.Plugin

Hi Laurent,

I believe the way to do this is very similar to how key vault references are added in the Azure portal.

If you have access to a DXP environment in Azure and look at the connection strings, you will notice they have a key vault reference.

What you can do is get in touch with Opti support to request adding your values to key vault.

Once they do this you should receive the references and then add those to your appsettings.

Paul

#308761
Sep 20, 2023 9:47

Hi

I'm not sure if I understand your question correctly.

If you need to manage sensitive data for local development, you can use ASP.NET Core security manager.

https://learn.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-7.0&tabs=windows

The key you set in secret manager will need to be the same as the key you stored in DXP appsetting in PaaS portal, so when your app gets deployed to DXP, it will automatically use the value stored in DXP appsetting.

There is one caveat from what I recall that the DXP appsetting does not support nested level configuration setup. In other words, the way you stored your API key in the json won't work. You need to move your secret (token) to the root level within the AppSettings.json.

I hope the above helps.

#308769
Sep 20, 2023 12:57

The addon in question has code that reads from appsettings.json directly; it's not in OP's control.

#308771
Sep 20, 2023 13:26

@Laurent - I think the appropriate long-term action here is to raise the issue with ImageShop so they update their class to allow reading from keyvault.

#308772
Sep 20, 2023 13:27
Laurent - Sep 20, 2023 13:31
Will do! I know that many Optimizely solutions use ImageShop. I wonder if they just paste their keys directly in appsettings and commit it, or if they've figured out a better way of doing this altogether.
Laurent - Sep 20, 2023 13:32
I'll update this thread if ImageShop responds with a solution
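
For the commit risk raised in the comment above, an added example (not part of the thread and not ImageShop or Optimizely code): a pre-commit check that parses appsettings.json and reports secret-looking keys that hold literal values. The key-name pattern and the allow-list of safe values (empty, `<placeholder>`, a Key Vault reference string) are assumptions, and it expects strict JSON without comments.

```python
import json
import re

# Key names treated as secret-bearing (an assumption for this example).
SECRET_KEY = re.compile(r"(token|secret|password|api[-_]?key)", re.IGNORECASE)
# Values accepted as non-secret: empty, "<placeholder>", or a Key Vault
# reference string of the kind mentioned in the thread (assumed allow-list).
SAFE_VALUE = re.compile(r"^\s*$|^<[^<>]*>$|^@Microsoft\.KeyVault\(.*\)$")


def find_literal_secrets(node, path=""):
    """Return config paths (colon-separated, as .NET flattens them) whose
    key looks secret-bearing and whose value is a literal string."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}:{key}" if path else key
            if isinstance(value, str):
                if SECRET_KEY.search(key) and not SAFE_VALUE.match(value):
                    hits.append(child)
            else:
                hits.extend(find_literal_secrets(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_literal_secrets(item, f"{path}:{index}"))
    return hits


def check_appsettings(text):
    """Parse appsettings.json content and list offending paths."""
    return find_literal_secrets(json.loads(text))


# Constructed samples: the placeholder form from the question, and the same
# file with a made-up key pasted in.
PLACEHOLDER = '{"ImageshopOptimizelyPlugin": {"Settings": {"token": "<api key>"}}}'
COMMITTED = '{"ImageshopOptimizelyPlugin": {"Settings": {"token": "constructed-0123456789"}}}'

if __name__ == "__main__":
    import sys
    # Usage as a pre-commit step: pass the appsettings files to check.
    bad = []
    for name in sys.argv[1:]:
        with open(name, encoding="utf-8-sig") as handle:
            bad += [f"{name}: {p}" for p in check_appsettings(handle.read())]
    print("\n".join(bad))
    sys.exit(1 if bad else 0)
```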