Merge pull request #414 from NuGet/agr-kv-lib-upgrade3

erdembayar · web-flow · commit 7a8fad835fb9 · 2023-09-11T08:45:49.000-07:00
Transition from Microsoft.Azure.KeyVault to Azure.Security.KeyVault
diff --git a/src/NuGet.Services.Configuration/ConfigurationRootSecretReaderFactory.cs b/src/NuGet.Services.Configuration/ConfigurationRootSecretReaderFactory.cs
@@ -12,6 +12,7 @@ public class ConfigurationRootSecretReaderFactory : ISecretReaderFactory
     {
         private string _vaultName;
         private bool _useManagedIdentity;
+        private string _tenantId;
         private string _clientId;
         private string _certificateThumbprint;
         private string _storeName;
@@ -34,6 +35,7 @@ public ConfigurationRootSecretReaderFactory(IConfigurationRoot config)
                 _useManagedIdentity = bool.Parse(useManagedIdentity);
             }
 
+            _tenantId = config[Constants.KeyVaultTenantIdKey];
             _clientId = config[Constants.KeyVaultClientIdKey];
             _certificateThumbprint = config[Constants.KeyVaultCertificateThumbprintKey];
             if (_useManagedIdentity && IsCertificateConfigurationProvided())
@@ -68,7 +70,7 @@ public ISecretReader CreateSecretReader()
 
             if (_useManagedIdentity)
             {
-                keyVaultConfiguration = new KeyVaultConfiguration(_vaultName);
+                keyVaultConfiguration = new KeyVaultConfiguration(_vaultName, _clientId);
             }
             else
             {
@@ -83,7 +85,8 @@ public ISecretReader CreateSecretReader()
                     _validateCertificate);
 
                 keyVaultConfiguration = new KeyVaultConfiguration(
-                    _vaultName,                
+                    _vaultName,
+                    _tenantId,
                     _clientId,
                     certificate,
                     _sendX5c);
@@ -99,8 +102,8 @@ public ISecretInjector CreateSecretInjector(ISecretReader secretReader)
 
         private bool IsCertificateConfigurationProvided()
         {
-            return !string.IsNullOrEmpty(_clientId)
-                || !string.IsNullOrEmpty(_certificateThumbprint);
+            return !string.IsNullOrEmpty(_certificateThumbprint)
+                || !string.IsNullOrEmpty(_tenantId);
         }
     }
 }
diff --git a/src/NuGet.Services.Configuration/Constants.cs b/src/NuGet.Services.Configuration/Constants.cs
@@ -7,6 +7,7 @@ public static class Constants
     {
         public static string KeyVaultVaultNameKey = "KeyVault_VaultName";
         public static string KeyVaultUseManagedIdentity = "KeyVault_UseManagedIdentity";
+        public static string KeyVaultTenantIdKey = "KeyVault_TenantId";
         public static string KeyVaultClientIdKey = "KeyVault_ClientId";
         public static string KeyVaultCertificateThumbprintKey = "KeyVault_CertificateThumbprint";
         public static string KeyVaultValidateCertificateKey = "KeyVault_ValidateCertificate";
diff --git a/src/NuGet.Services.KeyVault/KeyVaultConfiguration.cs b/src/NuGet.Services.KeyVault/KeyVaultConfiguration.cs
@@ -10,6 +10,7 @@ public class KeyVaultConfiguration
     {
         public string VaultName { get; }
         public bool UseManagedIdentity { get; }
+        public string TenantId { get; }
         public string ClientId { get; }
         public X509Certificate2 Certificate { get; }
         public bool SendX5c { get; }
@@ -18,6 +19,13 @@ public class KeyVaultConfiguration
         /// The constructor for keyvault configuration when using managed identities
         /// </summary>
         public KeyVaultConfiguration(string vaultName)
+            : this(vaultName, clientId : null)
+        { }
+
+        /// <summary>
+        /// The constructor for keyvault configuration when using managed identities
+        /// </summary>
+        public KeyVaultConfiguration(string vaultName, string clientId)
         {
             if (string.IsNullOrWhiteSpace(vaultName))
             {
@@ -26,16 +34,18 @@ public KeyVaultConfiguration(string vaultName)
 
             VaultName = vaultName;
             UseManagedIdentity = true;
+            ClientId = clientId;
         }
 
         /// <summary>
         /// The constructor for keyvault configuration when using the certificate
         /// </summary>
         /// <param name="vaultName">The name of the keyvault</param>
+        /// <param name="tenantId">AAD tenant ID where respective client app is registered.</param>
         /// <param name="clientId">Keyvault client id</param>
         /// <param name="certificate">Certificate required to access the keyvault</param>
         /// <param name="sendX5c">SendX5c property</param>
-        public KeyVaultConfiguration(string vaultName, string clientId, X509Certificate2 certificate, bool sendX5c = false)
+        public KeyVaultConfiguration(string vaultName, string tenantId, string clientId, X509Certificate2 certificate, bool sendX5c = false)
         {
             if (string.IsNullOrWhiteSpace(vaultName))
             {
@@ -48,6 +58,7 @@ public KeyVaultConfiguration(string vaultName, string clientId, X509Certificate2
             }
 
             UseManagedIdentity = false;
+            TenantId = tenantId;
             VaultName = vaultName;
             ClientId = clientId;
             Certificate = certificate ?? throw new ArgumentNullException(nameof(certificate));
diff --git a/src/NuGet.Services.KeyVault/KeyVaultReader.cs b/src/NuGet.Services.KeyVault/KeyVaultReader.cs
@@ -3,10 +3,11 @@
 
 using System;
 using System.Threading.Tasks;
-using Microsoft.Azure.KeyVault;
-using Microsoft.Azure.Services.AppAuthentication;
+using Azure.Core;
+using Azure.Identity;
+using Azure.Security.KeyVault.Secrets;
 using Microsoft.Extensions.Logging;
-using Microsoft.IdentityModel.Clients.ActiveDirectory;
+using AzureSecurityKeyVaultSecret = Azure.Security.KeyVault.Secrets.KeyVaultSecret;
 
 namespace NuGet.Services.KeyVault
 {
@@ -17,12 +18,9 @@ namespace NuGet.Services.KeyVault
     public class KeyVaultReader : ISecretReader
     {
         private readonly KeyVaultConfiguration _configuration;
-        private readonly string _vault;
-        private readonly Lazy<KeyVaultClient> _keyVaultClient;
-        private ClientAssertionCertificate _clientAssertionCertificate;
+        private readonly Lazy<SecretClient> _keyVaultClient;
 
-        protected string VaultBaseUrl => _vault;
-        protected KeyVaultClient KeyVaultClient => _keyVaultClient.Value;
+        protected SecretClient KeyVaultClient => _keyVaultClient.Value;
 
         public KeyVaultReader(KeyVaultConfiguration configuration)
         {
@@ -32,8 +30,7 @@ public KeyVaultReader(KeyVaultConfiguration configuration)
             }
 
             _configuration = configuration;
-            _vault = $"https://{_configuration.VaultName}.vault.azure.net/";
-            _keyVaultClient = new Lazy<KeyVaultClient>(InitializeClient);
+            _keyVaultClient = new Lazy<SecretClient>(InitializeClient);
         }
 
         public async Task<string> GetSecretAsync(string secretName)
@@ -43,7 +40,7 @@ public async Task<string> GetSecretAsync(string secretName)
 
         public async Task<string> GetSecretAsync(string secretName, ILogger logger)
         {
-            var secret = await _keyVaultClient.Value.GetSecretAsync(_vault, secretName);
+            AzureSecurityKeyVaultSecret secret = await _keyVaultClient.Value.GetSecretAsync(secretName);
             return secret.Value;
         }
 
@@ -54,36 +51,36 @@ public async Task<ISecret> GetSecretObjectAsync(string secretName)
 
         public async Task<ISecret> GetSecretObjectAsync(string secretName, ILogger logger)
         {
-            var secret = await _keyVaultClient.Value.GetSecretAsync(_vault, secretName);
-            return new KeyVaultSecret(secretName, secret.Value, secret.Attributes.Expires);
+            AzureSecurityKeyVaultSecret secret = await _keyVaultClient.Value.GetSecretAsync(secretName);
+            return new KeyVaultSecret(secretName, secret.Value, secret.Properties.ExpiresOn);
         }
 
-        private KeyVaultClient InitializeClient()
+        private SecretClient InitializeClient()
         {
+            TokenCredential credential = null;
+
             if (_configuration.UseManagedIdentity)
             {
-                var azureServiceTokenProvider = new AzureServiceTokenProvider();
-                return new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
+                if (string.IsNullOrEmpty(_configuration.ClientId))
+                {
+                    credential = new DefaultAzureCredential();
+                }
+                else
+                {
+                    credential = new ManagedIdentityCredential(_configuration.ClientId);
+                }
             }
             else
             {
-                _clientAssertionCertificate = new ClientAssertionCertificate(_configuration.ClientId, _configuration.Certificate);
-                return new KeyVaultClient(GetTokenAsync);
+                credential = new ClientCertificateCredential(_configuration.TenantId, _configuration.ClientId, _configuration.Certificate);
             }
+            return new SecretClient(GetKeyVaultUri(_configuration), credential);
         }
 
-        private async Task<string> GetTokenAsync(string authority, string resource, string scope)
+        private Uri GetKeyVaultUri(KeyVaultConfiguration keyVaultConfiguration)
         {
-            var authContext = new AuthenticationContext(authority);
-            var result = await authContext.AcquireTokenAsync(resource, _clientAssertionCertificate, _configuration.SendX5c);
-
-            if (result == null)
-            {
-                throw new InvalidOperationException("Bearer token acquisition needed to call the KeyVault service failed");
-            }
-
-            return result.AccessToken;
+            var uriString = $"https://{keyVaultConfiguration.VaultName}.vault.azure.net/";
+            return new Uri(uriString);
         }
     }
-
 }
diff --git a/src/NuGet.Services.KeyVault/KeyVaultWriter.cs b/src/NuGet.Services.KeyVault/KeyVaultWriter.cs
@@ -3,8 +3,9 @@
 
 using System;
 using System.Threading.Tasks;
-using Microsoft.Azure.KeyVault;
-using Microsoft.Azure.KeyVault.Models;
+using Azure.Core;
+using Azure.Identity;
+using Azure.Security.KeyVault.Secrets;
 
 namespace NuGet.Services.KeyVault
 {
@@ -19,16 +20,10 @@ public async Task SetSecretAsync(
             string secretValue,
             DateTimeOffset? expiration = null)
         {
-            SecretAttributes attributes = null;
-            if (expiration.HasValue)
-            {
-                attributes = new SecretAttributes
-                {
-                    Expires = expiration.Value.UtcDateTime,
-                };
-            }
+            var secret = new Azure.Security.KeyVault.Secrets.KeyVaultSecret(secretName, secretValue);
+            secret.Properties.ExpiresOn = expiration;
 
-            await KeyVaultClient.SetSecretAsync(VaultBaseUrl, secretName, secretValue, secretAttributes: attributes);
+            await KeyVaultClient.SetSecretAsync(secret);
         }
     }
 }
diff --git a/src/NuGet.Services.KeyVault/NuGet.Services.KeyVault.csproj b/src/NuGet.Services.KeyVault/NuGet.Services.KeyVault.csproj
@@ -6,12 +6,8 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Azure.KeyVault">
-      <Version>3.0.5</Version>
-    </PackageReference>
-    <PackageReference Include="Microsoft.Azure.Services.AppAuthentication">
-      <Version>1.4.0</Version>
-    </PackageReference>
+    <PackageReference Include="Azure.Identity" Version="1.8.0" />
+    <PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.4.0" />
     <PackageReference Include="Microsoft.Extensions.Logging.Abstractions">
       <Version>2.2.0</Version>
     </PackageReference>
diff --git a/tools/AzureSqlConnectionTest/TestApplication.cs b/tools/AzureSqlConnectionTest/TestApplication.cs
@@ -17,6 +17,8 @@ public class TestApplication : CommandLineApplication
         public CommandOption Help { get; }
 
         public CommandOption KeyVaultName { get; }
+        public CommandOption KeyVaultManaged { get; }
+        public CommandOption KeyVaultTenantId { get; }
 
         public CommandOption KeyVaultClientId { get; }
 
@@ -41,6 +43,8 @@ public TestApplication()
             Help = HelpOption("-? | -h | --help");
 
             KeyVaultName = Option("-kv | --keyVaultName", "KeyVault name", CommandOptionType.SingleValue);
+            KeyVaultManaged = Option("-kvm | --keyVaultUseMsi", "Use managed identity for KV authentication", CommandOptionType.NoValue);
+            KeyVaultTenantId = Option("-kvtid | --keyVaultTenantId", "KeyVault tenant id", CommandOptionType.SingleValue);
             KeyVaultClientId = Option("-kvcid | --keyVaultClientId", "KeyVault client id", CommandOptionType.SingleValue);
             KeyVaultCertificateThumbprint = Option("-kvct | --keyVaultCertThumbprint", "KeyVault certificate thumbprint", CommandOptionType.SingleValue);
 
@@ -74,15 +78,25 @@ public async Task<int> ExecuteAsync()
                 var useAdalOnly = UseAdalOnly.HasValue();
 
                 if (KeyVaultName.HasValue()
-                    && KeyVaultClientId.HasValue()
-                    && KeyVaultCertificateThumbprint.HasValue())
+                    && ((KeyVaultClientId.HasValue()
+                    && KeyVaultCertificateThumbprint.HasValue()) || KeyVaultManaged.HasValue()))
                 {
-                    using (var kvCertificate = GetKeyVaultCertificate(KeyVaultCertificateThumbprint.Value()))
+                    using (var kvCertificate = KeyVaultManaged.HasValue() ? null : GetKeyVaultCertificate(KeyVaultCertificateThumbprint.Value()))
                     {
-                        var keyVaultConfig = new KeyVaultConfiguration(
-                            KeyVaultName.Value(),
-                            KeyVaultClientId.Value(),
-                            kvCertificate);
+                        KeyVaultConfiguration keyVaultConfig;
+                        if (KeyVaultManaged.HasValue())
+                        {
+                            keyVaultConfig = new KeyVaultConfiguration(KeyVaultName.Value());
+                        }
+                        else
+                        {
+                            keyVaultConfig = new KeyVaultConfiguration(
+                                KeyVaultName.Value(),
+                                KeyVaultTenantId.Value(),
+                                KeyVaultClientId.Value(),
+                                kvCertificate,
+                                sendX5c: true);
+                        }
 
                         var runner = new TestRunner(
                             ConnectionString.Value(),

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ public class ConfigurationRootSecretReaderFactory : ISecretReaderFactory`
`12`	`12`	`{`
`13`	`13`	`private string _vaultName;`
`14`	`14`	`private bool _useManagedIdentity;`
	`15`	`+ private string _tenantId;`
`15`	`16`	`private string _clientId;`
`16`	`17`	`private string _certificateThumbprint;`
`17`	`18`	`private string _storeName;`
`@@ -34,6 +35,7 @@ public ConfigurationRootSecretReaderFactory(IConfigurationRoot config)`
`34`	`35`	`_useManagedIdentity = bool.Parse(useManagedIdentity);`
`35`	`36`	`}`
`36`	`37`
	`38`	`+ _tenantId = config[Constants.KeyVaultTenantIdKey];`
`37`	`39`	`_clientId = config[Constants.KeyVaultClientIdKey];`
`38`	`40`	`_certificateThumbprint = config[Constants.KeyVaultCertificateThumbprintKey];`
`39`	`41`	`if (_useManagedIdentity && IsCertificateConfigurationProvided())`
`@@ -68,7 +70,7 @@ public ISecretReader CreateSecretReader()`
`68`	`70`
`69`	`71`	`if (_useManagedIdentity)`
`70`	`72`	`{`
`71`		`- keyVaultConfiguration = new KeyVaultConfiguration(_vaultName);`
	`73`	`+ keyVaultConfiguration = new KeyVaultConfiguration(_vaultName, _clientId);`
`72`	`74`	`}`
`73`	`75`	`else`
`74`	`76`	`{`
`@@ -83,7 +85,8 @@ public ISecretReader CreateSecretReader()`
`83`	`85`	`_validateCertificate);`
`84`	`86`
`85`	`87`	`keyVaultConfiguration = new KeyVaultConfiguration(`
`86`		`- _vaultName,`
	`88`	`+ _vaultName,`
	`89`	`+ _tenantId,`
`87`	`90`	`_clientId,`
`88`	`91`	`certificate,`
`89`	`92`	`_sendX5c);`
`@@ -99,8 +102,8 @@ public ISecretInjector CreateSecretInjector(ISecretReader secretReader)`
`99`	`102`
`100`	`103`	`private bool IsCertificateConfigurationProvided()`
`101`	`104`	`{`
`102`		`- return !string.IsNullOrEmpty(_clientId)`
`103`		`- \|\| !string.IsNullOrEmpty(_certificateThumbprint);`
	`105`	`+ return !string.IsNullOrEmpty(_certificateThumbprint)`
	`106`	`+ \|\| !string.IsNullOrEmpty(_tenantId);`
`104`	`107`	`}`
`105`	`108`	`}`
`106`	`109`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ public static class Constants`
`7`	`7`	`{`
`8`	`8`	`public static string KeyVaultVaultNameKey = "KeyVault_VaultName";`
`9`	`9`	`public static string KeyVaultUseManagedIdentity = "KeyVault_UseManagedIdentity";`
	`10`	`+ public static string KeyVaultTenantIdKey = "KeyVault_TenantId";`
`10`	`11`	`public static string KeyVaultClientIdKey = "KeyVault_ClientId";`
`11`	`12`	`public static string KeyVaultCertificateThumbprintKey = "KeyVault_CertificateThumbprint";`
`12`	`13`	`public static string KeyVaultValidateCertificateKey = "KeyVault_ValidateCertificate";`
Original file line number	Diff line number	Diff line change
`@@ -3,10 +3,11 @@`
`3`	`3`
`4`	`4`	`using System;`
`5`	`5`	`using System.Threading.Tasks;`
`6`		`-using Microsoft.Azure.KeyVault;`
`7`		`-using Microsoft.Azure.Services.AppAuthentication;`
	`6`	`+using Azure.Core;`
	`7`	`+using Azure.Identity;`
	`8`	`+using Azure.Security.KeyVault.Secrets;`
`8`	`9`	`using Microsoft.Extensions.Logging;`
`9`		`-using Microsoft.IdentityModel.Clients.ActiveDirectory;`
	`10`	`+using AzureSecurityKeyVaultSecret = Azure.Security.KeyVault.Secrets.KeyVaultSecret;`
`10`	`11`
`11`	`12`	`namespace NuGet.Services.KeyVault`
`12`	`13`	`{`
`@@ -17,12 +18,9 @@ namespace NuGet.Services.KeyVault`
`17`	`18`	`public class KeyVaultReader : ISecretReader`
`18`	`19`	`{`
`19`	`20`	`private readonly KeyVaultConfiguration _configuration;`
`20`		`- private readonly string _vault;`
`21`		`- private readonly Lazy<KeyVaultClient> _keyVaultClient;`
`22`		`- private ClientAssertionCertificate _clientAssertionCertificate;`
	`21`	`+ private readonly Lazy<SecretClient> _keyVaultClient;`
`23`	`22`
`24`		`- protected string VaultBaseUrl => _vault;`
`25`		`- protected KeyVaultClient KeyVaultClient => _keyVaultClient.Value;`
	`23`	`+ protected SecretClient KeyVaultClient => _keyVaultClient.Value;`
`26`	`24`
`27`	`25`	`public KeyVaultReader(KeyVaultConfiguration configuration)`
`28`	`26`	`{`
`@@ -32,8 +30,7 @@ public KeyVaultReader(KeyVaultConfiguration configuration)`
`32`	`30`	`}`
`33`	`31`
`34`	`32`	`_configuration = configuration;`
`35`		`- _vault = $"https://{_configuration.VaultName}.vault.azure.net/";`
`36`		`- _keyVaultClient = new Lazy<KeyVaultClient>(InitializeClient);`
	`33`	`+ _keyVaultClient = new Lazy<SecretClient>(InitializeClient);`
`37`	`34`	`}`
`38`	`35`
`39`	`36`	`public async Task<string> GetSecretAsync(string secretName)`
`@@ -43,7 +40,7 @@ public async Task<string> GetSecretAsync(string secretName)`
`43`	`40`
`44`	`41`	`public async Task<string> GetSecretAsync(string secretName, ILogger logger)`
`45`	`42`	`{`
`46`		`- var secret = await _keyVaultClient.Value.GetSecretAsync(_vault, secretName);`
	`43`	`+ AzureSecurityKeyVaultSecret secret = await _keyVaultClient.Value.GetSecretAsync(secretName);`
`47`	`44`	`return secret.Value;`
`48`	`45`	`}`
`49`	`46`
`@@ -54,36 +51,36 @@ public async Task<ISecret> GetSecretObjectAsync(string secretName)`
`54`	`51`
`55`	`52`	`public async Task<ISecret> GetSecretObjectAsync(string secretName, ILogger logger)`
`56`	`53`	`{`
`57`		`- var secret = await _keyVaultClient.Value.GetSecretAsync(_vault, secretName);`
`58`		`- return new KeyVaultSecret(secretName, secret.Value, secret.Attributes.Expires);`
	`54`	`+ AzureSecurityKeyVaultSecret secret = await _keyVaultClient.Value.GetSecretAsync(secretName);`
	`55`	`+ return new KeyVaultSecret(secretName, secret.Value, secret.Properties.ExpiresOn);`
`59`	`56`	`}`
`60`	`57`
`61`		`- private KeyVaultClient InitializeClient()`
	`58`	`+ private SecretClient InitializeClient()`
`62`	`59`	`{`
	`60`	`+ TokenCredential credential = null;`
	`61`	`+`
`63`	`62`	`if (_configuration.UseManagedIdentity)`
`64`	`63`	`{`
`65`		`- var azureServiceTokenProvider = new AzureServiceTokenProvider();`
`66`		`- return new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));`
	`64`	`+ if (string.IsNullOrEmpty(_configuration.ClientId))`
	`65`	`+ {`
	`66`	`+ credential = new DefaultAzureCredential();`
	`67`	`+ }`
	`68`	`+ else`
	`69`	`+ {`
	`70`	`+ credential = new ManagedIdentityCredential(_configuration.ClientId);`
	`71`	`+ }`
`67`	`72`	`}`
`68`	`73`	`else`
`69`	`74`	`{`
`70`		`- _clientAssertionCertificate = new ClientAssertionCertificate(_configuration.ClientId, _configuration.Certificate);`
`71`		`- return new KeyVaultClient(GetTokenAsync);`
	`75`	`+ credential = new ClientCertificateCredential(_configuration.TenantId, _configuration.ClientId, _configuration.Certificate);`
`72`	`76`	`}`
	`77`	`+ return new SecretClient(GetKeyVaultUri(_configuration), credential);`
`73`	`78`	`}`
`74`	`79`
`75`		`- private async Task<string> GetTokenAsync(string authority, string resource, string scope)`
	`80`	`+ private Uri GetKeyVaultUri(KeyVaultConfiguration keyVaultConfiguration)`
`76`	`81`	`{`
`77`		`- var authContext = new AuthenticationContext(authority);`
`78`		`- var result = await authContext.AcquireTokenAsync(resource, _clientAssertionCertificate, _configuration.SendX5c);`
`79`		`-`
`80`		`- if (result == null)`
`81`		`- {`
`82`		`- throw new InvalidOperationException("Bearer token acquisition needed to call the KeyVault service failed");`
`83`		`- }`
`84`		`-`
`85`		`- return result.AccessToken;`
	`82`	`+ var uriString = $"https://{keyVaultConfiguration.VaultName}.vault.azure.net/";`
	`83`	`+ return new Uri(uriString);`
`86`	`84`	`}`
`87`	`85`	`}`
`88`		`-`
`89`	`86`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3,8 +3,9 @@`
`3`	`3`
`4`	`4`	`using System;`
`5`	`5`	`using System.Threading.Tasks;`
`6`		`-using Microsoft.Azure.KeyVault;`
`7`		`-using Microsoft.Azure.KeyVault.Models;`
	`6`	`+using Azure.Core;`
	`7`	`+using Azure.Identity;`
	`8`	`+using Azure.Security.KeyVault.Secrets;`
`8`	`9`
`9`	`10`	`namespace NuGet.Services.KeyVault`
`10`	`11`	`{`
`@@ -19,16 +20,10 @@ public async Task SetSecretAsync(`
`19`	`20`	`string secretValue,`
`20`	`21`	`DateTimeOffset? expiration = null)`
`21`	`22`	`{`
`22`		`- SecretAttributes attributes = null;`
`23`		`- if (expiration.HasValue)`
`24`		`- {`
`25`		`- attributes = new SecretAttributes`
`26`		`- {`
`27`		`- Expires = expiration.Value.UtcDateTime,`
`28`		`- };`
`29`		`- }`
	`23`	`+ var secret = new Azure.Security.KeyVault.Secrets.KeyVaultSecret(secretName, secretValue);`
	`24`	`+ secret.Properties.ExpiresOn = expiration;`
`30`	`25`
`31`		`- await KeyVaultClient.SetSecretAsync(VaultBaseUrl, secretName, secretValue, secretAttributes: attributes);`
	`26`	`+ await KeyVaultClient.SetSecretAsync(secret);`
`32`	`27`	`}`
`33`	`28`	`}`
`34`	`29`	`}`