How to avoid storing passwords or other sensitive data in appsettings.json

2

6

I am working on a new ASP.NET Core web project based on Docker and microservices, and I'm wondering if there is a way to avoid storing passwords or sensitive data in appsettings.json.

My question is how to specify secrets outside of the project so that they can't be accidentally committed to a source code repository (using Azure Key Vault or something else).

My expectation is to combine two configuration providers, e.g. some external key store (if there is no other solution or way of handling this kind of purpose) and the application configuration.

Gentilism answered 28/7, 2019 at 6:9 Comment(0)
8

One common way is to store secrets in an external vault such as Azure Key Vault. There is good documentation on how to do that on Microsoft docs here. It does require some local configuration, e.g. a certificate to provide credentials to the vault.

It will be merged with your other configuration parameters in the order that you choose yourself (by calling config.AddAzureKeyVault).

To avoid setting this up for a local development environment, you can use local secrets (the dotnet user-secrets command, adding it to configuration the same way). There is documentation at the same URL about that as well. Be aware that it is not a secure store; in practice it's just a plain-text file on disk.

P.S. It is possible to do something that won't involve an external provider. In the previous .NET ecosystem it was called web.config encryption. Basically, you encrypted sections of web.config, and the key was stored in Windows, where only given accounts had access to it. It was quite a nightmarish experience, but no external provider was used. You can do something similar to that approach, but I don't know if there is something out of the box for .NET Core for that.

Distinctly answered 28/7, 2019 at 6:17 Comment(0)
4

You can store credentials using environment variables, then put it in the config file.

Please refer to this link:

https://learn.microsoft.com/en-us/aspnet/core/fundamentals/environments?view=aspnetcore-2.2

Verbena answered 28/7, 2019 at 6:24 Comment(0)
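The provider layering described in the answers above (committed JSON file, user secrets, environment variables, Azure Key Vault), as an added example that is not code from any of the posters. The `MYAPP_` prefix, the `Db:Password` and `KeyVault:Uri` keys are assumptions for illustration, and the `AddAzureKeyVault(Uri, TokenCredential)` overload comes from the Azure.Extensions.AspNetCore.Configuration.Secrets package.

```csharp
// Added example. Key names and the "MYAPP_" prefix are hypothetical.
// Packages: Microsoft.Extensions.Configuration.Json, .EnvironmentVariables,
// .UserSecrets, Azure.Extensions.AspNetCore.Configuration.Secrets, Azure.Identity
using System;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

public static class Program
{
    public static IConfiguration BuildConfiguration(string environmentName)
    {
        var builder = new ConfigurationBuilder()
            // 1. Committed files: non-secret settings only (no passwords here).
            .AddJsonFile("appsettings.json", optional: true)
            .AddJsonFile($"appsettings.{environmentName}.json", optional: true);

        // 2. Developer machine only: plain-text file outside the repository,
        //    written by `dotnet user-secrets set "Db:Password" "..."`.
        if (environmentName == "Development")
            builder.AddUserSecrets(typeof(Program).Assembly, optional: true);

        // 3. Container/orchestrator: MYAPP_Db__Password maps to "Db:Password"
        //    ("__" stands for the ":" section separator).
        builder.AddEnvironmentVariables(prefix: "MYAPP_");

        // 4. Key Vault is added last, so its values override every earlier provider.
        //    A vault secret named "Db--Password" maps to "Db:Password".
        var vaultUri = builder.Build()["KeyVault:Uri"];
        if (!string.IsNullOrEmpty(vaultUri))
            builder.AddAzureKeyVault(new Uri(vaultUri), new DefaultAzureCredential());

        return builder.Build();
    }

    public static void Main()
    {
        var env = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? "Production";
        var config = BuildConfiguration(env);

        // Fail fast instead of running with a missing secret; never log the value.
        if (string.IsNullOrEmpty(config["Db:Password"]))
            throw new InvalidOperationException("Db:Password is not configured.");
        Console.WriteLine("Db:Password is configured.");
    }
}
```

In a container, the vault address can be supplied as `MYAPP_KeyVault__Uri`, so the image and the repository carry neither the secret nor the vault location.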
