Using dotnet secrets

Instead of putting secret environment variables in the appsetting.json file, the dotnet CLI has functionality to add secrets to a project, without keeping them in the project folder.

This will decrease the risk of leaking the secrets, for example by adding them to a commit by mistake.

This link leads to Microsoft's own documentation.

The cheatsheet

dotnet user-secrets --help # See available commands

dotnet user-secrets init # Initiate secrets

dotnet user-secrets set "MY_API_KEY" "xyz" # Set a secret

dotnet user-secrets set "SOME_API.MY_API_KEY" "xyz" # Set a nested secret

cat secrets.json | dotnet user-secrets set # Set all secrets in a json file

dotnet user-secrets list # List the secrets

dotnet user-secrets clear # Delete all secrets in the project

The walkthrough

Initiating

The dotnet user-secrets init command enables storage of secrets. It adds a line with a GUID in the .csproj file. This GUID is used to identify which secrets belong to which project. The command only needs to be run once for every project, if you are sharing your code with other people, they don't need to rerun it.

<UserSecretsId>71ad533a-ed09-4780-9037-a5aafb01958b</UserSecretsId>

The command also creates a folder in ~/.microsoft/usersecrets (on a Mac), with a file contaning the secrets in json format.

~/.microsoft/usersecrets
|
└───71ad533a-ed09-4780-9037-a5aafb01958b
│   └──secrets.json
|
└───<some-other-GUID>
    └──secrets.json

The secrets are saved in plain text in this json file.

Setting secrets

dotnet user-secrets set "MY_API_KEY" "xyz"
dotnet user-secrets set "SOME_API.MY_API_KEY" "xyz"

The commands above are self explanatory and the resulting secrets.json file will look like this:

{
  "MY_API_KEY": "xyz",
  "SOME_API.MY_API_KEY": "xyz"
}

If you are given secrets in the same format as above, these can be imported all at once with the command:

$ cat secrets.json | dotnet user-secrets set
Successfully saved 2 secrets to the secret store.