NetVaultSdk 0.1.1
dotnet add package NetVaultSdk --version 0.1.1
NuGet\Install-Package NetVaultSdk -Version 0.1.1
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="NetVaultSdk" Version="0.1.1" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
<PackageVersion Include="NetVaultSdk" Version="0.1.1" />
<PackageReference Include="NetVaultSdk" />
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.
paket add NetVaultSdk --version 0.1.1
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
#r "nuget: NetVaultSdk, 0.1.1"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
#:package NetVaultSdk@0.1.1
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.
#addin nuget:?package=NetVaultSdk&version=0.1.1
#tool nuget:?package=NetVaultSdk&version=0.1.1
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
NetVaultSdk
A lightweight .NET client for retrieving application secrets from a NetVault server (a secrets manager similar in purpose to AWS Secrets Manager). The SDK handles authentication with ClientId/ClientSecret and provides a simple API to recover a secret by name.
- Target framework: netstandard2.0 (compatible with .NET Framework 4.6.1+ and .NET Core/.NET 5+)
Features
- Configure via constructor parameters or environment variables
- Optional insecure connection mode for local development (skips TLS certificate validation)
- Strongly-typed secret retrieval with JSON deserialization
- Clear error mapping to custom exceptions
Installation
Nuget installation:
Install-Package NetVaultSdk
Configuration
You can configure the client either explicitly via the constructor or implicitly via environment variables.
Constructor configuration
var client = new NetVaultSdk.NetVaultClient(
clientId: "<YOUR_CLIENT_ID>",
clientSecret: "<YOUR_CLIENT_SECRET>",
baseUrl: "https://vault.example.com",
acceptInsecureConnection: false // true only for local/dev
);
Environment variables
When using the parameterless constructor, the following environment variables are read:
- NV_URL: NetVault base URL (e.g., https://vault.example.com)
- NV_CLIENT_ID: NetVault application/client identifier
- NV_CLIENT_SECRET: NetVault application/client secret
- NV_ACCEPT_INSECURE (optional): true/false to disable TLS certificate validation (development only)
Example:
Environment.SetEnvironmentVariable("NV_CLIENT_ID", "<YOUR_CLIENT_ID>");
Environment.SetEnvironmentVariable("NV_CLIENT_SECRET", "<YOUR_CLIENT_SECRET>");
Environment.SetEnvironmentVariable("NV_URL", "https://vault.example.com");
Environment.SetEnvironmentVariable("NV_ACCEPT_INSECURE", "false");
var client = new NetVaultSdk.NetVaultClient();
Notes:
- If both the constructor parameter
acceptInsecureConnectionand NV_ACCEPT_INSECURE are provided, the environment variable value takes precedence. - When
acceptInsecureConnectionis true (or NV_ACCEPT_INSECURE is true), the client will skip server certificate validation. Use only for development.
Usage
The main API is GetSecretValueAsync<T>(string secretName, Guid? ownerId = null).
- If T is
string, the SDK returns the secret as a plain string. - For other types, the SDK expects the secret to be JSON and deserializes it into
T.
Get a secret as string
var secret = await client.GetSecretValueAsync<string>(
secretName: "my_service_api_key",
ownerId: null // or a specific tenant/project/application Guid if required
);
Get a complex secret as a typed object
public sealed class DbCredentials
{
public string Host { get; set; }
public int Port { get; set; }
public string User { get; set; }
public string Password { get; set; }
}
var credentials = await client.GetSecretValueAsync<DbCredentials>("prod_db_credentials");
Shared secrets
Shared secrets can be get passing the owner id of the secret.
var ownerId = Guid.Parse("cd7e4090-b07d-4725-b863-bcaa11c0750d");
var secret = await client.GetSecretValueAsync<string>("my_scoped_secret", ownerId);
Error handling
GetSecretValueAsync maps NetVault error responses into custom exceptions:
- NvCredentialException (HTTP 403): Invalid credentials (client secret does not work).
- NvForbidException (HTTP 401): Unauthorized (no access to the secret).
- NvKeyException (HTTP 404): Secret not found.
- NvUnhandledException (other errors): Unexpected error category from NetVault.
- NvEnvironmentMissingException: Thrown on startup when a required environment variable is missing.
Example:
try
{
var value = await client.GetSecretValueAsync<string>("my_secret");
}
catch (NetVaultSdk.Exceptions.NvCredentialException ex)
{
// handle 403 Invalid credentials
}
catch (NetVaultSdk.Exceptions.NvForbidException ex)
{
// handle 401 Unauthorized
}
catch (NetVaultSdk.Exceptions.NvKeyException ex)
{
// handle 404 Not Found
}
catch (NetVaultSdk.Exceptions.NvUnhandledException ex)
{
// handle other/unexpected errors
}
How it works
- The client sends a POST to
{baseUrl}/api/v1/secrets/recoverywith the body:- ClientId, ClientSecret, SecretName, OwnerId (optional)
- On success, NetVault returns base64-encoded secret data, which the client decodes:
- If T is
string, returns the decoded string. - Otherwise, deserializes the decoded JSON into T.
- If T is
Development and testing
- For local environments with self-signed certificates, set
NV_ACCEPT_INSECURE=trueor passacceptInsecureConnection: true(development only).
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
| .NET Core | netcoreapp2.0 was computed. netcoreapp2.1 was computed. netcoreapp2.2 was computed. netcoreapp3.0 was computed. netcoreapp3.1 was computed. |
| .NET Standard | netstandard2.0 is compatible. netstandard2.1 was computed. |
| .NET Framework | net461 was computed. net462 was computed. net463 was computed. net47 was computed. net471 was computed. net472 was computed. net48 was computed. net481 was computed. |
| MonoAndroid | monoandroid was computed. |
| MonoMac | monomac was computed. |
| MonoTouch | monotouch was computed. |
| Tizen | tizen40 was computed. tizen60 was computed. |
| Xamarin.iOS | xamarinios was computed. |
| Xamarin.Mac | xamarinmac was computed. |
| Xamarin.TVOS | xamarintvos was computed. |
| Xamarin.WatchOS | xamarinwatchos was computed. |
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.
-
.NETStandard 2.0
- System.Text.Json (>= 9.0.10)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.