Tutorials ASP.NET Core Complete Tutorial (ShopNest)

Environment Configuration and Secrets Management

Learn Environment Configuration and Secrets Management in our free ASP.NET Core Complete Tutorial (ShopNest) series. Step-by-step explanations, examples, and interview tips on Toolliyo Academy.

On this page
Environment Configuration and Secrets Management — ShopNest
Article 64 of 75 · Module 8: Deployment & DevOps · ShopNest Multi-Environment App
Target keyword: secrets management asp.net core · Read time: ~28 min · .NET: 8 / 9 · Project: ShopNest Multi-Environment App

Introduction

ShopNest Dev, Staging, and Production must never share the same JWT keys or payment secrets — this lesson ties together User Secrets, Azure Key Vault, validation, and Git secret scanning.

After this article you will

  • Separate configs per environment
  • Use User Secrets locally and Key Vault in prod
  • Validate configuration on startup (fail fast)
  • Rotate secrets without redeploy where possible
  • Prevent secrets in Git with scanning

Prerequisites

Concept deep-dive

// Fail fast — Options validation
public class PaymentOptions
{
    [Required] public string RazorpayKeyId { get; set; } = "";
    [Required] public string RazorpayKeySecret { get; set; } = "";
}
builder.Services.AddOptions<PaymentOptions>()
    .BindConfiguration("Payment")
    .ValidateDataAnnotations()
    .ValidateOnStart();

// Azure Key Vault (.NET 8)
builder.Configuration.AddAzureKeyVault(
    new Uri($"https://{vaultName}.vault.azure.net/"),
    new DefaultAzureCredential());

Hierarchy: appsettings → environment file → User Secrets (Dev) → env vars → Key Vault (Prod).

Git: enable GitHub secret scanning; use gitleaks in pre-commit; never commit appsettings.Production.json with keys.

Hands-on — ShopNest Multi-Environment App

  1. dotnet user-secrets set Payment:RazorpayKeySecret in Dev.
  2. Create Key Vault; add secrets; wire AddAzureKeyVault.
  3. ValidateOnStart catches missing Payment section at boot.
  4. GitHub push protection for API keys.

Common errors & best practices

  • Same JWT key Dev and Prod — token replay across environments.
  • Key Vault access not granted to App Service identity.
  • Logging configuration dumps secrets at Information level.

Interview questions

Q: User Secrets vs Key Vault?
A: User Secrets local dev only; Key Vault HSM-backed production store.

Q: ValidateOnStart?
A: App refuses to boot if required config missing — fail fast in deploy.

Summary

  • Never commit production secrets to Git
  • Key Vault + Managed Identity for Azure ShopNest
  • ValidateOnStart catches misconfiguration early
  • Secret scanning in CI prevents leaks

Previous: Azure SQL Database
Next: Build a Complete Blog Website

FAQ

HashiCorp Vault?

On-prem/cloud alternative when not on Azure.

Rotate JWT key?

Dual signing keys period; invalidate refresh tokens if needed.

Questions on this lesson 0

Sign in to ask a question or upvote helpful answers.

No questions yet — be the first to ask!

ASP.NET Core Complete Tutorial (ShopNest)
Course syllabus
Module 1: Foundations
Module 2: Entity Framework Core
Module 3: Dependency Injection & Middleware
Module 4: Authentication & Security
Module 5: Web API
Module 6: Advanced Architecture
Module 7: Testing
Module 8: Deployment & DevOps
Module 9: Real-World Projects
Module 10: Advanced Topics
Toolliyo Assistant
Ask about tutorials, ebooks, training, pricing, mentor services, and support. I use public site content only—not admin or internal tools.

care@toolliyo.com

Need callback? Share your details