Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Data Protection docs to include default behavior when deploying ASP.NET Core apps to ACA #32530

Open
claudiaregio opened this issue May 6, 2024 · 0 comments · May be fixed by #33104
Open
Assignees
Labels
aspnet-core/svc security/subsvc seQUESTered Identifies that an issue has been imported into Quest. Source - Docs.ms Docs Customer feedback via GitHub Issue

Comments

@claudiaregio
Copy link
Contributor

claudiaregio commented May 6, 2024

Description

Current scenario: ASP.NET Core apps that need to encrypt ephemeral data use Data Protection. If a developer does not configure Data Protection, it defaults to storing the keys on disk. This works fine for single instance applications, but when these apps are deployed to ACA that auto-scales, the app breaks because there is currently​ no way to share the keys between these instances without explicit configuration by the app author.

Changes: Now, when a user creates a new ASP.NET Core app that pulls in Data Protection, an environment variable that has been added will put Data Protection in read-only mode by default (dotnet/aspnetcore#54266). If a user decides to configure data protection themselves, it will override the default. This change has been backported to .NET 8 so it will work for any version 8 or higher. When ACA detects a .NET app is being deployed, they set their environment variable "autoConfigureDataProtection" to true and will spin up a key manager and will handle the writing/sharing keys across multiple instances when the app auto-scales (Azure/azure-rest-api-specs#28001). This allows ASP.NET Core apps that pull in Data Protection to easily scale horizontally when deployed to ACA by providing a default configuration.

Ask: This is a high-priority end-to-end scenario so I'd like to add docs specific to the default behavior when deploying an ASP.NET Core app to Azure Container Apps that talk about the new default behavior.

Will need to be reviewed by @amcasey, @adityamandaleeka, @bradygaster, @AnqiLi6, @blowdart

Ideal ship timeline: May 21st - May 27th

Page URL

https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/introduction?view=aspnetcore-8.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/data-protection/introduction.md

Document ID

d42b1eab-9682-ea69-f203-e519b456a56f

Article author

@Rick-Anderson


Associated WorkItem - 252761

@Rick-Anderson Rick-Anderson self-assigned this May 6, 2024
@Rick-Anderson Rick-Anderson added reQUEST Triggers an issue to be imported into Quest and removed ⌚ Not Triaged labels May 6, 2024
@sequestor sequestor bot added seQUESTered Identifies that an issue has been imported into Quest. and removed reQUEST Triggers an issue to be imported into Quest labels May 7, 2024
This was referenced May 8, 2024
@Rick-Anderson Rick-Anderson moved this from 🔖 Ready to 👀 In review in dotnet/AspNetCore.Docs May 2024 sprint May 23, 2024
@Rick-Anderson Rick-Anderson moved this from 🔖 Ready to 👀 In review in dotnet/AspNetCore.Docs June 2024 sprint Jun 26, 2024
@Rick-Anderson Rick-Anderson moved this from 🔖 Ready to 🏗 In progress in dotnet/AspNetCore.Docs July 2024 sprint Jun 26, 2024
@Rick-Anderson Rick-Anderson linked a pull request Jul 17, 2024 that will close this issue
@Rick-Anderson Rick-Anderson moved this from 🏗 In progress to 👀 In review in dotnet/AspNetCore.Docs July 2024 sprint Jul 23, 2024
@Rick-Anderson Rick-Anderson added the mapQuest clean move label Aug 14, 2024
@BillWagner BillWagner removed the mapQuest clean move label Aug 20, 2024
@Rick-Anderson Rick-Anderson added the mapQuest clean move label Sep 17, 2024
@adegeo adegeo removed the mapQuest clean move label Sep 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
aspnet-core/svc security/subsvc seQUESTered Identifies that an issue has been imported into Quest. Source - Docs.ms Docs Customer feedback via GitHub Issue
Projects
Status: To do
5 participants