Does Entity Framework Core support database password rotation
asp.net-core-webapi c# entity-framework entity-framework-core
Question
Scenario:
- Web Api application in NET Core 2.2, it is deployed on multiple containers.
- In Startup, I read from the database password from HashiCorp Vault and put it into my connection string.
- I add the Entity Framework Core context to the Service Collection.
- I use the context in multiple controllers.
If I change the database password in Vault, all the the requests to the database will fail due to authentication errors.
I can bring all the containers down and when they restart they will have the new password, but that is not what I want to do. There are a few hacky ways of getting around this problem but they involve not using the Service Collection and I want to use it.
Question:
Does EF Core support password rotation, or is there a way to achieve this while still using the Service Collection?
Accepted Answer
You should be able to add the DbContext into DI and pass a delegate which creates the instance essentially taking control of the static nature of the connection string and work out the correct one at runtime.
services.AddScoped<YourDbContext>(svc =>
{
var connString = ... logic to get the conn string with the right password from HashiCorp vault;
var dbContextOptions = new DbContextOptionsBuilder<YourDbContext>();
dbContextOptions.UseSqlServer(connString); //Or w/e ef provider for db you use
return new YourDbContext(dbContextOptions.Options);
});
Popular Answer
The simplest solution is to get the username and password from the vault. Then treat it like a key rotation, switching the config to a different username/password, and waiting for the app to stop using the old credentials before changing the password.
Another approach is to re-fetch the credentials before retrying after a failure.
Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow