Does Entity Framework Core support database password rotation

Scenario:

  1. Web API application in .NET Core 2.2; it is deployed on multiple containers.
  2. In Startup, I read the database password from HashiCorp Vault and put it into my connection string.
  3. I add the Entity Framework Core context to the Service Collection.
  4. I use the context in multiple controllers.

If I change the database password in Vault, all the requests to the database will fail due to authentication errors.

I can bring all the containers down and when they restart they will have the new password, but that is not what I want to do. There are a few hacky ways of getting around this problem but they involve not using the Service Collection and I want to use it.

Question:

Does EF Core support password rotation, or is there a way to achieve this while still using the Service Collection?

You should be able to add the DbContext into DI and pass a delegate which creates the instance, essentially taking control of the static nature of the connection string and working out the correct one at runtime.

    services.AddScoped<YourDbContext>(svc =>
    {
        // Placeholder: logic to get the conn string with the right password from HashiCorp Vault.
        // GetConnectionStringFromVault() is a hypothetical helper you supply.
        var connString = GetConnectionStringFromVault();
        var dbContextOptions = new DbContextOptionsBuilder<YourDbContext>();
        dbContextOptions.UseSqlServer(connString); // Or whichever EF provider your database uses
        return new YourDbContext(dbContextOptions.Options);
    });

To use Entity Framework Core with a MySQL database, do the following: Install the MySql.Data.EntityFrameworkCore NuGet package. All packages will install the additional packages required to run your application.

Since the database password is read from HashiCorp Vault during startup, perhaps you could consider using the health check feature (https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/health-checks?view=aspnetcore-2.2) to set up a live health check endpoint.

Then use your container management tool to probe the endpoint and restart the container should it fail (i.e., unable to connect to the DB due to the connection string being obsolete).

Encrypt your connection to protect sensitive data. The Entity Framework does not directly handle data encryption. If users access data over a public network, your application should establish an encrypted connection to the data source to increase security. For more information, see the security-related documentation for your data source.

The simplest solution is to get the username and password from the vault. Then treat it like a key rotation, switching the config to a different username/password, and waiting for the app to stop using the old credentials before changing the password.

Another approach is to re-fetch the credentials before retrying after a failure.
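The re-fetch-on-failure approach combined with a DI factory delegate, as an added example that is not code from any of the answers. `IVaultDbCredentials`, `RotatingConnectionString`, `RotationSetup` and `WithCredentialRetry` are hypothetical names, and the sketch assumes SQL Server via `System.Data.SqlClient`, where error 18456 is a login failure.

```csharp
using System;
using System.Data.SqlClient;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical wrapper around the Vault read; register your own implementation.
public interface IVaultDbCredentials { string FetchConnectionString(); }
public class YourDbContext : DbContext
{
    public YourDbContext(DbContextOptions<YourDbContext> options) : base(options) { }
}

// Singleton cache so that not every request hits Vault.
public sealed class RotatingConnectionString
{
    private readonly IVaultDbCredentials _vault;
    private readonly object _gate = new object();
    private string _cached;
    public RotatingConnectionString(IVaultDbCredentials vault) => _vault = vault;
    public string Current { get { lock (_gate) { return _cached ?? (_cached = _vault.FetchConnectionString()); } } }
    // Forget the cached value so the next context is built from a fresh Vault read.
    public void Invalidate() { lock (_gate) { _cached = null; } }
}

public static class RotationSetup
{
    private const int SqlLoginFailed = 18456; // SQL Server "Login failed for user"
    public static void AddRotatingDbContext(this IServiceCollection services)
    {
        services.AddSingleton<RotatingConnectionString>();
        services.AddScoped<YourDbContext>(sp => new YourDbContext(
            new DbContextOptionsBuilder<YourDbContext>()
                .UseSqlServer(sp.GetRequiredService<RotatingConnectionString>().Current)
                .Options));
    }

    // Runs work in a fresh scope; on a login failure, re-fetches from Vault and retries once.
    // Assumes the SqlException reaches the caller unwrapped (no retrying execution strategy).
    public static async Task<T> WithCredentialRetry<T>(IServiceProvider root, Func<YourDbContext, Task<T>> work)
    {
        for (var attempt = 0; ; attempt++)
            using (var scope = root.CreateScope())
            {
                try { return await work(scope.ServiceProvider.GetRequiredService<YourDbContext>()); }
                catch (SqlException ex) when (ex.Number == SqlLoginFailed && attempt == 0)
                { root.GetRequiredService<RotatingConnectionString>().Invalidate(); }
            }
    }
}
```

Pooled connections opened with the old password keep working until they are closed, so failures appear only when a new physical connection is opened. Keep the connection string out of logs and exception messages when handling the failure.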


Important. EF Core providers are built by a variety of sources. Not all providers are maintained as part of the Entity Framework Core Project. When considering a provider, be sure to evaluate quality, licensing, support, etc. to ensure they meet your requirements.

Setup and working Entity Framework Database First. Entity Framework's Database First approach allows developers to build software applications from their existing databases. You connect to an existing database and Visual Studio and EF build a data object model and the complete application for you with very little code.

Comments
  • Are you basically asking on how to control db context connection string at runtime?
  • That the context resides in the service collection is a big part of this, and there is also a concern about failed requests when the password changes. So it is more than just changing the connection string at runtime. But if you have a suggestion on doing that, it might be helpful.
  • So you can just add a dbcontext as transient service and pass a delegate which would create the instance of the db context. This way you would remove the static nature of connection string and would be able to take control of db context object creation at runtime.
  • Interesting, if you have a one or two liner example, please add it as an answer and I'll try it out and accept if it works. Thanks.
  • You've already marked an answer, but the solution here may also be interesting for you. I think that when the password changes, the IOptions will replace it automatically.