1. mike S
  2. PowerServer
  3. Saturday, 20 January 2024 19:39 PM UTC

Connection strings (really, the passwords and logins) and things like the JWT secret key should be stored in something other than the C# code or the appsettings.


There are two main recommendations.

1. The most secure is to use something like Azure Key Vault and then access it at runtime (additional setup is required, of course, such as setting up certs on the machine).

2. Use environment variables.

Environment variables are super easy to set in containers. In IIS on a Windows server, it is something that takes more effort as you have to connect into the server. Also, it allows any process to see the environment variable. IIS supports setting the environment variables in the web.config file on a per-application basis, which seems real nice. See: https://stackoverflow.com/questions/31049152/publish-to-iis-setting-environment-variable

PowerServer tends to want to overwrite the web.config (you can turn that off). Apparently, there is a similar file that could be set instead of web.config which should work around this problem.


The other thing is the storage of login/password in a database table for dynamic database connections. Does PowerServer support getting that from an environment variable instead? Each database in the table has its own login/password, but would an environment variable work for all of them?


Anyone else looking into setting things up this way?

Julie Jiang @Appeon Accepted Answer Pending Moderation
  1. Tuesday, 23 January 2024 02:12 AM UTC
  2. PowerServer
  3. # 1

Hi Mike,

Thanks for your great suggestion. Our engineer will look into it and see whether it is possible to use the environment variables for the said scenarios.

Best regards, Julie

Comment
  1. mike S
  2. Thursday, 25 January 2024 16:04 PM UTC
In addition, I think using managed identities to connect to a SQL or Postgres database on Azure rather than your user name password method would be a great addition too:

https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity?view=azuresql
  1. Helpful
  1. mike S
  2. Tuesday, 30 January 2024 20:10 PM UTC
So at this point I am using Azure Key Vault with managed identities to store database connections and passwords. Although it would be nice to have the typical cascading lookups that .NET offers, in my case I would be fine with just the Key Vault access using managed identities.

The issue is having a lot of databases that are set up and each has its own login. It would be better to have a single server-level login that accesses all databases (or the option anyway) on that server (with multiple server support). And then have at least the password/login in Key Vault. That allows for password cycling without having to update all the databases in PowerServer. The Key Vault stuff would need to be cached in PowerServer (Key Vault charges per access).

  1. Helpful
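
Added example, not part of the thread and not PowerServer or Appeon code: a sketch of the caching described in the last comment, where one server-level password is fetched from a vault once, reused for every database on that server, and refetched after rotation. `CachedSecretProvider`, the secret name, the database names and `app_login` are hypothetical, and the vault is replaced by a constructed in-memory stand-in so the block runs offline.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;

// Hypothetical helper (not a PowerServer API): caches secret lookups for a TTL so
// opening a connection does not trigger a billed vault request every time.
public sealed class CachedSecretProvider
{
    private readonly Func<string, Task<string>> _fetch;
    private readonly TimeSpan _ttl;
    private readonly ConcurrentDictionary<string, (string Value, DateTimeOffset Expires)> _cache = new();

    public CachedSecretProvider(Func<string, Task<string>> fetch, TimeSpan ttl) => (_fetch, _ttl) = (fetch, ttl);

    public async Task<string> GetAsync(string name)
    {
        if (_cache.TryGetValue(name, out var hit) && hit.Expires > DateTimeOffset.UtcNow)
            return hit.Value;                              // served from memory, no vault call
        var value = await _fetch(name);                    // cache miss or expired entry
        _cache[name] = (value, DateTimeOffset.UtcNow + _ttl);
        return value;
    }

    // Drop a cached value, e.g. after a login failure that suggests the password was rotated.
    public void Invalidate(string name) => _cache.TryRemove(name, out _);
}

public static class Demo
{
    public static async Task Main()
    {
        int vaultCalls = 0;
        // Constructed stand-in for the vault. With Azure.Security.KeyVault.Secrets this would be
        //   async name => (await client.GetSecretAsync(name)).Value.Value
        // where client = new SecretClient(vaultUri, new DefaultAzureCredential()).
        Func<string, Task<string>> fakeVault = name => { vaultCalls++; return Task.FromResult($"pw-{vaultCalls}"); };
        var secrets = new CachedSecretProvider(fakeVault, TimeSpan.FromMinutes(10));

        foreach (var db in new[] { "sales", "hr", "inventory" })        // constructed database names
        {
            var pw = await secrets.GetAsync("sql-server1-password");   // one server-level login for all DBs
            Console.WriteLine($"Host=server1;Database={db};Username=app_login;Password={new string('*', pw.Length)}");
        }
        Console.WriteLine($"vault calls for three databases: {vaultCalls}");
        secrets.Invalidate("sql-server1-password");                     // rotation: next lookup refetches
        await secrets.GetAsync("sql-server1-password");
        Console.WriteLine($"vault calls after invalidation: {vaultCalls}");
    }
}
```

The TTL bounds how long a rotated password can remain stale in memory, so it trades vault request cost against how quickly a rotation takes effect.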