Does Entity Framework Core support database password rotation

asp.net-core-webapi c# entity-framework entity-framework-core

Question

Scenario:

  1. Web Api application in NET Core 2.2, it is deployed on multiple containers.
  2. In Startup, I read from the database password from HashiCorp Vault and put it into my connection string.
  3. I add the Entity Framework Core context to the Service Collection.
  4. I use the context in multiple controllers.

If I change the database password in Vault, all the the requests to the database will fail due to authentication errors.

I can bring all the containers down and when they restart they will have the new password, but that is not what I want to do. There are a few hacky ways of getting around this problem but they involve not using the Service Collection and I want to use it.

Question:

Does EF Core support password rotation, or is there a way to achieve this while still using the Service Collection?

1
0
4/26/2019 7:04:19 PM

Accepted Answer

You should be able to add the DbContext into DI and pass a delegate which creates the instance essentially taking control of the static nature of the connection string and work out the correct one at runtime.

services.AddScoped<YourDbContext>(svc =>
     {
         var connString = ... logic to get the conn string with the right password from HashiCorp vault;
         var dbContextOptions = new DbContextOptionsBuilder<YourDbContext>();
         dbContextOptions.UseSqlServer(connString); //Or w/e ef provider for db you use
         return new YourDbContext(dbContextOptions.Options);
     });
3
4/26/2019 9:37:25 PM

Popular Answer

The simplest solution is to get the username and password from the vault. Then treat it like a key rotation, switching the config to a different username/password, and waiting for the app to stop using the old credentials before changing the password.

Another approach is to re-fetch the credentials before retrying after a failure.



Related Questions





Related

Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow
Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow