Perfect for local development. Credentials are stored outside your project directory.
```bash
cd src/PartnershipAgent.WebApi
dotnet user-secrets init

# Set Azure OpenAI credentials
dotnet user-secrets set "AzureOpenAI:Endpoint" "https://your-resource.openai.azure.com/"
dotnet user-secrets set "AzureOpenAI:ApiKey" "your-api-key-here"
dotnet user-secrets set "AzureOpenAI:DeploymentName" "gpt-35-turbo"

# Set ElasticSearch credentials
dotnet user-secrets set "ElasticSearch:Username" "your-username"
dotnet user-secrets set "ElasticSearch:Password" "your-password"
dotnet user-secrets set "ElasticSearch:Uri" "https://your-elastic-cluster.com:9243"

# Set Azure SQL credentials
dotnet user-secrets set "ConnectionStrings:AzureSQL" "Server=tcp:<your-server>.database.windows.net,1433;Initial Catalog=<your-db>;Encrypt=True;TrustServerCertificate=False;Authentication=Active Directory Default;Connection Timeout=30;"
```

```bash
# List stored secrets
dotnet user-secrets list

# Remove a single secret
dotnet user-secrets remove "AzureOpenAI:ApiKey"

# Remove all secrets for this project
dotnet user-secrets clear
```

✅ Pros:
- Automatically excluded from source control
- Easy to use during development
- IDE integration (Visual Studio)
- Persists across builds
❌ Cons:
- Only works in Development environment
- Local to your machine only
Best for production and CI/CD environments.
Linux/macOS:

```bash
# Set environment variables
export AZURE_OPENAI_ENDPOINT="https://your-resource.openai.azure.com/"
export AZURE_OPENAI_API_KEY="your-api-key"
export AZURE_OPENAI_DEPLOYMENT_NAME="gpt-35-turbo"
export ELASTICSEARCH_USERNAME="your-username"
export ELASTICSEARCH_PASSWORD="your-password"
```

Windows (Command Prompt):

```cmd
set AZURE_OPENAI_ENDPOINT=https://your-resource.openai.azure.com/
set AZURE_OPENAI_API_KEY=your-api-key
```

✅ Pros:
- Works in any environment
- Standard practice for containerized applications
- Supported by most CI/CD platforms
❌ Cons:
- Can be visible in process lists
- Need to set on every machine/environment
Enterprise-grade secret management for production applications.
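- Install package:

  ```bash
  dotnet add package Azure.Extensions.AspNetCore.Configuration.Secrets
  # Provides DefaultAzureCredential, used in Program.cs below
  dotnet add package Azure.Identity
  ```

- Update Program.cs:

  ```csharp
  using Azure.Identity;

  if (!builder.Environment.IsDevelopment())
  {
      // Fail fast with a clear message if the vault URI is not configured
      var keyVaultEndpoint = builder.Configuration["KeyVault:Endpoint"]
          ?? throw new InvalidOperationException("KeyVault:Endpoint is not configured.");

      // DefaultAzureCredential picks up managed identity, environment or developer credentials
      builder.Configuration.AddAzureKeyVault(
          new Uri(keyVaultEndpoint),
          new DefaultAzureCredential());
  }
  ```

- Store secrets (a `--` in the secret name maps to the `:` separator in configuration keys):

  ```bash
  az keyvault secret set --vault-name "your-vault" --name "AzureOpenAI--Endpoint" --value "https://your-resource.openai.azure.com/"
  az keyvault secret set --vault-name "your-vault" --name "AzureOpenAI--ApiKey" --value "your-api-key"
  ```

✅ Pros: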
- Enterprise security
- Audit logs
- Access policies
- Automatic rotation
❌ Cons:
- More complex setup
- Additional Azure costs
- Requires Azure infrastructure
Only use for local development if User Secrets aren't available.
Create a .env file in the project root:

```bash
AZURE_OPENAI_ENDPOINT=https://your-resource.openai.azure.com/
AZURE_OPENAI_API_KEY=your-api-key-here
AZURE_OPENAI_DEPLOYMENT_NAME=gpt-35-turbo
```

❌ IMPORTANT: Never commit .env files! They're already in .gitignore.
- ✅ .gitignore includes *.env, appsettings.*.json, secrets.json
- ✅ User Secrets configured for development
- ✅ Environment variables used for production
- ✅ Real credentials removed from appsettings.json
- ✅ No credentials in source control history
- ✅ Azure Key Vault for enterprise environments
✅ User Secrets initialized - Ready for development
✅ Environment variables supported - Ready for production
✅ Sensitive files in .gitignore - Protected from commits
✅ appsettings.json cleaned - No credentials in source
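
The checklist items that live in files (the .gitignore patterns, a cleaned appsettings.json, no secret files in history) can be checked by script before each push. This is an added example, not part of the project; the sensitive key names, the `your-` placeholder convention and the default appsettings.json location are assumptions.

```bash
#!/bin/sh
# Added example, not part of the project. Usage: sh audit-secrets.sh <repo-root> [settings-file]
# Assumptions: "ApiKey" and "Password" are the sensitive key names (from the settings on
# this page); empty values and values starting with "your-" count as placeholders.

REQUIRED_IGNORES='*.env appsettings.*.json secrets.json'   # patterns named in the checklist

# Print each required pattern missing from the .gitignore in $1; return 1 if any is missing.
missing_ignores() {
    mi_rc=0
    set -f                                  # keep "*.env" literal during word splitting
    for mi_pat in $REQUIRED_IGNORES; do
        if ! grep -qxF -e "$mi_pat" "$1" 2>/dev/null; then
            echo "$mi_pat"; mi_rc=1
        fi
    done
    set +f
    return $mi_rc
}

# Report "line:key" for sensitive keys in JSON file $1 that hold a real-looking value.
# The value itself is stripped so the audit never echoes a secret into a CI log.
flag_inline_credentials() {
    fc_hits=$(grep -noE '"(ApiKey|Password)"[[:space:]]*:[[:space:]]*"[^"]+"' "$1" 2>/dev/null |
        grep -vE '"[[:space:]]*:[[:space:]]*"your-' |
        sed -E 's/[[:space:]]*:[[:space:]]*"[^"]*"$/ has a value/')
    if [ -n "$fc_hits" ]; then echo "$fc_hits"; return 1; fi
    return 0
}

# List commits on any branch that added a file matching the secret-file patterns.
commits_adding_secret_files() {
    git -C "$1" log --all --diff-filter=A --format='%h %s' -- \
        '*.env' '*secrets.json' '*appsettings.*.json'
}

# Run all checks for repo root $1; $2 is the settings file relative to the root.
audit_repo() {
    ar_rc=0
    ar_file=${2:-src/PartnershipAgent.WebApi/appsettings.json}   # assumed location
    ar_out=$(missing_ignores "$1/.gitignore") || { echo "not in .gitignore: $ar_out"; ar_rc=1; }
    ar_out=$(flag_inline_credentials "$1/$ar_file") || { echo "inline credential: $ar_out"; ar_rc=1; }
    ar_out=$(commits_adding_secret_files "$1" 2>/dev/null) || true
    if [ -n "$ar_out" ]; then echo "secret file in history: $ar_out"; ar_rc=1; fi
    return $ar_rc
}

if [ "$#" -gt 0 ]; then audit_repo "$@"; exit $?; fi
```

A non-zero exit means at least one checklist item fails; a hit in history means the exposed credential should be rotated, since removing the file in a later commit does not remove it from earlier ones.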
- For Development:

  ```bash
  cd src/PartnershipAgent.WebApi
  dotnet user-secrets set "AzureOpenAI:Endpoint" "your-endpoint"
  dotnet user-secrets set "AzureOpenAI:ApiKey" "your-key"
  dotnet user-secrets set "AzureOpenAI:DeploymentName" "your-deployment"
  dotnet run
  ```

- For Production:

  ```bash
  export AZURE_OPENAI_ENDPOINT="your-endpoint"
  export AZURE_OPENAI_API_KEY="your-key"
  export AZURE_OPENAI_DEPLOYMENT_NAME="your-deployment"
  dotnet run
  ```