This is a follow up article to:

ECM Plugin Tutorial – Azure Key Vault - PRA and Remote Support

Capabilities

Deploy the ECM Plugin for Azure Key Vault as a Docker Container
Leverage Environment Variables for configuration
Use portainer.io add-on/web UI for Docker

IMPORTANT: This solution should not be used in Production and is intended to be used for testing only.

Disclaimer

The Endpoint Credential Manager (ECM) Software Development Kit

Allows developers to create Custom ECM Plugins. The SDK comes with a Plugin example, which has been used as a starting point to create a new Plugin.

Any sample or proof of concept code (“Code”) provided on the Community is provided “as is” and without any express or implied warranties. This means that we do not promise that it will work for your specific needs or that it is error-free. Such Code is community supported and not supported directly by BeyondTrust, and it is not intended to be used in a production environment. BeyondTrust and its contributors are not liable for any damage you or others might experience from using the Code, including but not limited to, loss of data, loss of profits, or any interruptions to your business, no matter what the cause is, even if advised of the possibility of such damage.

Publish the Plugin application

Once we confirmed that the Plugin is working with Debug, we can publish the application by executing this command at the root of the project:
**dotnet publish -c Release .\ExamplePlugin.csproj**

After publishing the application, we should see a new Release subfolder under the application root.

Note: For this post, we are using a Linux host to run Docker. Portainer can be added as a container by following the instructions here: https://docs.portainer.io/

We need to copy the .cs and .csproj files to subfolder on the Linux/Docker host for the Plugin.

We need to create a Dockerfile and modify the ExamplePlugin.csproj file.

Dockerfile:

FROM mcr.microsoft.com/dotnet/sdk:8.0@sha256:35792ea4ad1db051981f62b313f1be3b46b1f45cadbaa3c288cd0d3056eefb83 AS build-env
WORKDIR /SRA_AzureKeyVault

# Copy everything
COPY . ./
COPY /lib/*.dll ./lib/
COPY  "/lib/BeyondTrustECMSDK.dll", "/lib"]
COPY M"/lib/BeyondTrustECMService.dll", "/lib"]
# Restore as distinct layers
RUN dotnet restore
# Build and publish a release
RUN dotnet publish -c Release -o out

# Build runtime image
FROM mcr.microsoft.com/dotnet/aspnet:8.0@sha256:6c4df091e4e531bb93bdbfe7e7f0998e7ced344f54426b7e874116a3dc3233ff
ENV Tenant="myTenant.onmicrosoft.com"
ENV Vault="myVault"
ENV OAuthClientId="12345"
ENV OAuthClientSecret="abcde"
ENV SRASiteHostname="myInstance.beyondtrustcloud.com"
ENV SRAClientId="12345"
ENV SRAClientSecret="abcde"
WORKDIR /SRA_HashicorpVault
COPY --from=build-env /SRA_AzureKeyVault/out .
ENTRYPOINT y"dotnet", "ExamplePlugin.dll"]

ExamplePlugin.csproj:

<Project Sdk="Microsoft.NET.Sdk.Worker">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <Nullable>enable</Nullable>
    <ImplicitUsings>enable</ImplicitUsings>
    <UserSecretsId>dotnet-ExamplePlugin-a620ada8-83c6-4c7a-8df7-edda1c5e47af</UserSecretsId>
    <RootNamespace>MyCompany.Integrations.ExamplePlugin</RootNamespace>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Azure.Identity" Version="1.13.1" />
    <PackageReference Include="Microsoft.Bcl.Cryptography" Version="9.0.0" />
    <PackageReference Include="Microsoft.Extensions.Hosting" Version="9.0.0" />	
    <PackageReference Include="Microsoft.Extensions.Hosting.WindowsServices" Version="9.0.0" />	
    <PackageReference Include="Microsoft.Extensions.Logging" Version="9.0.0" />	
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />	
    <PackageReference Include="System.ComponentModel.Composition" Version="9.0.0" />	
    <PackageReference Include="System.Formats.Asn1" Version="9.0.0" />
    <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="9.0.0" />
    <PackageReference Include="System.Configuration.ConfigurationManager" Version="9.0.0" />
    <PackageReference Include="Microsoft.Extensions.Hosting.Abstractions" Version="9.0.0" />
    <PackageReference Include="System.DirectoryServices" Version="9.0.0" />
    <PackageReference Include="System.Runtime.Caching" Version="9.0.0" />
    <PackageReference Include="System.Security.Cryptography.Pkcs" Version="9.0.0" />
    <PackageReference Include="System.ServiceModel.Primitives" Version="8.1.1" />
    <PackageReference Include="System.ServiceProcess.ServiceController" Version="9.0.0" />
  </ItemGroup>

  <ItemGroup>
    <Folder Include="lib\" />
  </ItemGroup>

  <ItemGroup>
    <Reference Include="BeyondTrustECMSDK">
      <HintPath>lib/BeyondTrustECMSDK.dll</HintPath>
    </Reference>
  </ItemGroup>

  <ItemGroup>
    <Reference Include="BeyondTrustECMService">
      <HintPath>lib/BeyondTrustECMService.dll</HintPath>
    </Reference>
  </ItemGroup>

  <Target Name="PostBuild" AfterTargets="PostBuildEvent">
    <ItemGroup>
	<DataFiles Include="$(ProjectDir)..\lib\*.*"/>
    </ItemGroup>
    <Copy
	SourceFiles="@(DataFiles)"
	DestinationFolder="$(TargetDir)\lib\"
	SkipUnchangedFiles="true"/>
  </Target>

</Project>

Note that the xcopy command does not exist on Linux, hence the .csproj file needs to use a different section to copy the files.

We need to create a subdirectory called lib and copy the SDK and runtime libraries.

We need to copy the publish subdirectory to the Plugin folder.

Note: For this post, we use Environment Variables for our configuration Sources. The ECM SDK Plugin Example also includes for appsettings.json and it is recommended that a secure Configuration Source be used for Production.

We need to create a .env file with our Environment Variables for the config:

Tenant=myTenant.onmicrosoft.com
Vault=myVault
OAuthClientId=abcdef
OAuthClientSecret=12345
SRASiteHostname=myInstance.beyondtrustcloud.com
SRAClientId=abcdef
SRAClientSecret=123456

Now we can build the image for Docker with this command:

docker build -t sra-ecm-awssecretsmanager -f Dockerfile .