How to keep password secure with Publish Profile?

  • Question

  • Hi! When I publish my ASP.NET Core application to Azure, I have to set a connection string under "Apply this migration on publish". And I see that this connection string is kept in the file ProjectName - Web Deploy.pubxml.user non-encrypted:

    <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
      <PropertyGroup>
        <EncryptedPassword>AQAAANCMnd8BFdERjH ... MsEA4lyWyC</EncryptedPassword>
      </PropertyGroup>
      <ItemGroup>
        <EFMigrations Include="ProjectName.Data.ApplicationDbContext">
          <Value>Server=servername.database.windows.net%3bDatabase=db_name%3bUser Id=user_id%3bPassword=password</Value>
        </EFMigrations>
      </ItemGroup>
    </Project>

    The password for publishing is encrypted. The connection string for applying the migration is not encrypted. How to resolve this? Maybe I am making a mistake?

    The file ProjectName - Web Deploy.pubxml.user is excluded from Git (it has to be, because of its extension), but it is not normal to keep the password of the production database in plain view.


    • Edited by acbaile Thursday, October 3, 2019 12:39 AM
    Wednesday, October 2, 2019 1:17 PM
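
    A way to check a working tree for the condition described in the question, as an added example that is not part of the original post: it parses `*.pubxml.user` files, decodes the `%3b` separators, and reports connection strings that carry a literal password. The sample profile is constructed from the one quoted above; the `#{DbPassword}#` token name is hypothetical.

```python
import pathlib
import re
import sys
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SECRET_KEYS = {"password", "pwd"}          # connection-string keys that hold a secret
TOKEN = re.compile(r"^#\{[^}]+\}#$")       # a #{Name}# placeholder is not a literal secret

# Constructed sample modelled on the profile in the question (placeholder values).
SAMPLE_PUBXML_USER = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <EncryptedPassword>constructed-placeholder</EncryptedPassword>
  </PropertyGroup>
  <ItemGroup>
    <EFMigrations Include="ProjectName.Data.ApplicationDbContext">
      <Value>Server=servername.database.windows.net%3bDatabase=db_name%3bUser Id=user_id%3bPassword=password</Value>
    </EFMigrations>
    <EFMigrations Include="ProjectName.Data.OtherContext">
      <Value>Server=servername.database.windows.net%3bDatabase=db_name%3bPassword=#{DbPassword}#</Value>
    </EFMigrations>
  </ItemGroup>
</Project>"""


def find_plaintext_secrets(pubxml_text):
    """Return [(owner, key)] for each literal secret; the secret value itself is never returned."""
    findings = []
    root = ET.fromstring(pubxml_text)
    for parent in root.iter():
        for child in parent:
            text = unquote(child.text or "")           # %3b -> ';'
            for part in text.split(";"):
                key, sep, value = part.partition("=")
                key, value = key.strip(), value.strip()
                if sep and key.lower() in SECRET_KEYS and value and not TOKEN.match(value):
                    owner = parent.get("Include") or parent.tag.split("}")[-1]
                    findings.append((owner, key))
    return findings


if __name__ == "__main__":
    # Scan a directory tree (default: current directory) and print locations only.
    base = pathlib.Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in base.rglob("*.pubxml.user"):
        for owner, key in find_plaintext_secrets(path.read_text(encoding="utf-8-sig")):
            print(f"{path}: literal {key} in connection string for {owner}")
```
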

Answers

  • All of this is too difficult to realize. It looks like CI/CD in Azure is still in a raw state. I have to wait until it is ready to use.
    • Marked as answer by acbaile 8 hours 42 minutes ago
    8 hours 42 minutes ago

All replies

  • I would recommend setting up a build at Azure DevOps to build your app. You can then set up a release to push the build to Azure. This way you do not need to store the password in Visual Studio for this. Doing the release with a build also prevents you from accidentally pushing something to Azure you have not checked in yet.
    Thursday, October 3, 2019 9:05 AM
  • Hi friend,

    Welcome to MSDN forum.

    >>Password for publishing is encrypted. Connection string for applying migration is non-encrypted. How to resolve this? Maybe, I make some mistake?

    There's a free Azure DevOps extension which may meet your needs; please check Replace tokens. For details about how to use it, you can refer to this document. I think this can help protect your password during publish; hope it makes some sense.

    Any feedback would be expected.

    Best Regards

    Lance


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, October 3, 2019 9:55 AM
  • How will the migration be applied to the production database?
    Thursday, October 31, 2019 8:24 AM
  • How to apply the values of #{Variables}# in a development build?
    Thursday, October 31, 2019 8:45 AM
  • Hi friend, 

    Thank you for the feedback.

    As @Ken Tucker said, you can first push your project from Visual Studio into Azure DevOps by following this doc: https://docs.microsoft.com/en-us/azure/devops/repos/git/share-your-code-in-git-vs-2017?view=azure-devops

    In Azure DevOps, you can build and then create a release pipeline to publish your project into Azure. In the release pipeline, you can use the Azure SQL Database deployment task to achieve your production database migration.

    That task has a parameter that lets you apply your publish profile during this migration.

    As what you are concerned about is the security of the key value, please add a Replace Tokens task before the Azure SQL Database deployment task. Then follow the task description: https://marketplace.visualstudio.com/items?itemName=qetza.replacetokens to configure your publish profile. For detailed steps, you can refer to this thread: https://stackoverflow.com/questions/57877200/how-can-i-pass-a-variable-group-in-jmeter-using-azure-pipeline/57887868#57887868 .

    When you use this approach, you can store your security key in the Variables tab in secret format, or store it in Azure Key Vault and then call it in the Azure DevOps pipeline. During build time, the key value only exists in the artifacts and will not truly replace the source file. So, you don’t need to worry about the security.

    Hope all above could help you.

    Best Regards,

    Lance


    Friday, November 1, 2019 8:39 AM
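
    What the token-replacement step described in the reply above amounts to, as an added example that is not part of the original post and not the Replace Tokens extension's own code: `#{Name}#` placeholders in a checked-in settings file are filled from pipeline variables into a separate rendered copy, and the step fails if a variable is missing. The file content, variable names and JSON escaping are assumptions made for this sketch.

```python
import json
import re

TOKEN = re.compile(r"#\{\s*([\w.]+)\s*\}#")   # the #{Name}# syntax used in this thread

# Constructed tokenized appsettings.json, as it would sit in source control.
TOKENIZED_APPSETTINGS = """{
  "ConnectionStrings": {
    "DefaultConnection": "Server=servername.database.windows.net;Database=db_name;User Id=#{DbUser}#;Password=#{DbPassword}#"
  }
}"""


def replace_tokens(text, variables):
    """Return a rendered copy of text; the tokenized input is left untouched.

    Raises KeyError when a token has no matching variable, so a release
    cannot ship a file that still contains an unresolved #{...}# placeholder.
    """
    wanted = {m.group(1) for m in TOKEN.finditer(text)}
    missing = sorted(wanted - set(variables))
    if missing:
        raise KeyError("missing pipeline variables: " + ", ".join(missing))

    def substitute(match):
        # JSON-escape the value so a password containing " or \ cannot
        # break the file or inject extra keys.
        return json.dumps(variables[match.group(1)])[1:-1]

    return TOKEN.sub(substitute, text)


if __name__ == "__main__":
    # Constructed values; in a pipeline these would come from secret variables.
    rendered = replace_tokens(
        TOKENIZED_APPSETTINGS,
        {"DbUser": "user_id", "DbPassword": 'constructed"secret'},
    )
    settings = json.loads(rendered)            # still valid JSON after substitution
    print("rendered keys:", list(settings["ConnectionStrings"]))
    print("source still tokenized:", bool(TOKEN.search(TOKENIZED_APPSETTINGS)))
```
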

  • Hope all above could help you.


    Not complete. I see that I have to replace my values with special tokens #{}# in appsettings.json. I understood how they will be replaced for the release build when deploying. But how to replace them during development? I need to test changes before release. For this purpose I have development values in appsettings.json, different from the production ones. So, how to test on a local machine if appsettings.json contains tokens #{}#?
    Saturday, November 9, 2019 9:42 PM

  • But how to replace them during development?
    Answer to myself. Has to be, with appsettings.Development.json, appsettings.Production.json.
    • Edited by acbaile Wednesday, November 13, 2019 2:57 AM
    Wednesday, November 13, 2019 2:57 AM