Hardcoding secrets in source code is an easy habit to fall into, but a painful one to pay for. Azure Key Vault gives you a central, access-controlled place to store keys, connection strings, and credentials — keeping them out of your repo entirely.
Integrating Key Vault into a modern .NET project is straightforward, but legacy .NET Framework projects require a few extra steps. If upgrading to .NET 5+ is not on the table yet, you can still get full Key Vault support by targeting .NET Framework 4.7.2 or later.
Note: this approach applies only to projects stuck below .NET 5. Newer frameworks have first-class Key Vault integration via the Azure.Extensions.AspNetCore.Configuration.Secrets package, which is simpler to set up.
Here is how to wire it up:
- Set your project's target framework to
.NET Framework 4.7.2or higher. - Install the
Microsoft.Configuration.ConfigurationBuilders.AzureNuGet package. - Register the Key Vault builder in
App.config, replacingYOUR-VAULT-NAMEwith your vault's name:<configBuilders> <builders> <add name="AzureKeyVault" vaultName="YOUR-VAULT-NAME" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure" /> </builders> </configBuilders> - Apply the builder to your
<appSettings>and/or<connectionStrings>block, and replace the real values with placeholders — they will be injected at runtime:<appSettings configBuilders="AzureKeyVault"> <add key="MyApiKey" value="placeholder" /> </appSettings> - Create the Key Vault in Azure and add your secrets. Secret names must match the config keys exactly. Assign an access policy (or RBAC role) so your application identity and any developers who need to run the app locally can read secrets.
Once in place, the configuration builder fetches secrets transparently on startup — no code changes required beyond the config file. It is a low-friction way to get secrets out of source control without overhauling a legacy codebase.