As developers, we’ve all done this at least once. We’ve spent time building a cool project that uses a third-party API, and then checked it into GitHub only to realize our API password is there in plain text for all to see. Do a search in GitHub to see how frequently this still happens.

When I’m writing code for the first time I hard code those values in my code to get things working and then go to commit it to source control. That’s about the time I remember saving passwords into source control is one of the seven Deadly Sins of Security.

If you’re coding in .NET, the Secret Manager makes it easy to remove these sensitive details before checking your code in. It saves those passwords in your environment variables on your machine.

Let’s say you find yourself building an app that searches for music on Spotify. To search Spotify’s API, you’ll need a client ID and secret. We will replace the hardcoded passwords in our project with the Secret Manager to keep those sensitive details out of source control. When you’re done with this tutorial, you’ll have a functional SMS jukebox that uses the Spotify API.
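The replacement described above, sketched as an added example (it is not code from the SpotifySMS project): the client ID and secret are resolved from configuration at run time, the app fails fast when one is missing, and the secret is kept out of log output. The key names Spotify:ClientId and Spotify:ClientSecret, the SpotifyCredentials type and the setup commands in the comments are assumptions made for illustration, as is .NET 5 or later.

```csharp
// Added example, not the project's own code. Key names are hypothetical.
// Assumed packages: Microsoft.Extensions.Configuration.UserSecrets and
//                   Microsoft.Extensions.Configuration.EnvironmentVariables
// Assumed one-time setup, run in the project folder:
//   dotnet user-secrets init
//   dotnet user-secrets set "Spotify:ClientId" "<your-client-id>"
//   dotnet user-secrets set "Spotify:ClientSecret" "<your-client-secret>"
using System;
using Microsoft.Extensions.Configuration;

public sealed record SpotifyCredentials(string ClientId, string ClientSecret)
{
    // Before: the values were string literals in a source file that gets committed.
    // After: they are looked up in whatever configuration providers are registered.
    public static SpotifyCredentials Load(IConfiguration config) =>
        new SpotifyCredentials(
            Require(config, "Spotify:ClientId"),
            Require(config, "Spotify:ClientSecret"));

    // Fail fast with an actionable message instead of calling the API with an empty value.
    private static string Require(IConfiguration config, string key)
    {
        var value = config[key];
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException(
                $"Missing '{key}'. Set it with: dotnet user-secrets set \"{key}\" <value>");
        return value;
    }

    // Records print every property by default; override so the secret never reaches a log.
    public override string ToString() =>
        $"SpotifyCredentials(ClientId={ClientId}, ClientSecret=***)";
}

public static class Program
{
    public static void Main()
    {
        IConfiguration config = new ConfigurationBuilder()
            .AddUserSecrets<SpotifyCredentials>(optional: true) // values set with dotnet user-secrets
            .AddEnvironmentVariables()                          // e.g. Spotify__ClientId on a server
            .Build();

        Console.WriteLine(SpotifyCredentials.Load(config));
    }
}
```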

Ingredients for This Recipe

We’ve got a few tools to install in order to complete this challenge (skip 1-4 if you already have Visual Studio Code set up):

Add Secret Manager to an ASP.NET Core Web API Project

Let’s grab a copy of an existing project from my Git repo. This project is an SMS Jukebox that uses the body of incoming SMS to look up music data. To get started, use this to clone the project locally: git clone "https://github.com/clw895/SpotifySMS.git" SecretProject. I’ve cloned it to ~/Code/SecretProject but it is totally cool to save it in a different path! Next, open the folder in Visual Studio Code and try out the steps below: