Storing connection strings (really, the passwords and logins) and things like the JWT secret key should be set in something other than the C# code or the appsettings.
There are two main recommendations.
1. The most secure is to use something like Azure Key Vault and then access it at runtime (additional setup required of course, such as setting up certs on the machine).
2. Use environment variables.
Environment variables are super easy to set in containers. In IIS on a Windows server, it is something that takes more effort as you have to connect into the server. Also, it allows any process to see the environment variable. IIS supports setting the environment variables in the web.config file on a per-application basis, which seems real nice. See: https://stackoverflow.com/questions/31049152/publish-to-iis-setting-environment-variable
PowerServer tends to want to overwrite the web.config (you can turn that off). Apparently, there is a similar file that could be set instead of web.config, which should work around this problem.
The other thing is the storage of login/password in a database table for dynamic database connections. Does PowerServer support getting that from an environment variable instead? Each database in the table has its own login/password, but would an environment variable work for all of them?
Anyone else looking into setting things up this way?
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity?view=azuresql
The issue is having a lot of databases that are set up and each has its own login. It would be better to have a single server-level login that accesses all databases (or the option anyway) on that server (with multiple server support). And then have at least the password/login in Key Vault. That allows for password cycling without having to update all the databases in PowerServer. The Key Vault stuff would need to be cached in PowerServer (Key Vault charges per access).
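
The lookup-and-cache pattern discussed above, as an added example that is not part of the original posts and is not PowerServer code: a per-database secret resolver that checks an environment variable first, falls back to a secret store, and caches the result so the store is not billed on every connection. The class name, the `ConnectionStrings__<database>` naming, the server name `sql01` and the fetch delegate (a stand-in for a Key Vault call) are all assumptions.

```csharp
using System;
using System.Collections.Concurrent;

// Hypothetical helper (not a PowerServer API): resolves one connection string per
// database name and caches it so the backing store is not hit on every call.
public sealed class CachedConnectionStrings
{
    private readonly Func<string, string?> _fetchSecret; // stand-in for a Key Vault lookup
    private readonly TimeSpan _ttl;
    private readonly ConcurrentDictionary<string, (string Value, DateTimeOffset Expires)> _cache = new();

    public CachedConnectionStrings(Func<string, string?> fetchSecret, TimeSpan ttl)
    {
        _fetchSecret = fetchSecret;
        _ttl = ttl;
    }

    public string Get(string database)
    {
        var now = DateTimeOffset.UtcNow;
        if (_cache.TryGetValue(database, out var hit) && hit.Expires > now)
            return hit.Value;

        // Assumed naming convention: ConnectionStrings__<database>. ASP.NET Core's
        // environment variable provider maps "__" to ":" in configuration keys.
        var value = Environment.GetEnvironmentVariable($"ConnectionStrings__{database}")
                    ?? _fetchSecret(database)
                    ?? throw new InvalidOperationException($"No secret configured for '{database}'.");

        _cache[database] = (value, now + _ttl);
        return value;
    }

    // Call after a login failure so a rotated password is re-read before the TTL ends.
    public void Invalidate(string database) => _cache.TryRemove(database, out _);
}

public static class Program
{
    public static void Main()
    {
        int storeCalls = 0;
        // Constructed stand-in for the secret store; the password is a placeholder.
        var secrets = new CachedConnectionStrings(
            name => { storeCalls++; return $"Server=sql01;Database={name};User Id=svc;Password=<placeholder>"; },
            TimeSpan.FromMinutes(15));

        secrets.Get("sales"); secrets.Get("sales"); secrets.Get("hr");
        Console.WriteLine($"store lookups: {storeCalls}"); // repeat reads come from the cache
    }
}
```

The TTL bounds how long a rotated password can go unnoticed; calling `Invalidate` on an authentication failure shortens that window without raising the lookup rate in normal operation.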