Reputation: 5836
Access Azure App Configuration Settings that Reference Key Vault in nodejs
For an Azure function, running on Linux, using Node.js runtime v14,
I want to read app configuration using @azure/app-configuration,
when some config values are cleartext, but others are connection strings to keyvault.
My colleague, writing in C#, is using the ConfigureKeyVault method on AzureAppConfigurationOptions to configure the Azure App Configuration SDK to automatically parse, fetch, and decode secrets from their connections strings.
I'd like to do the same in nodejs, but did not find a similar method in the API docs
Will I have to do something like this?
async function getConfig(key: string): Promise<string> {
const maybeConnectionString = await appConfigurationClient.getConfigurationSetting({ key });
if (maybeConnectionString.startsWith('@Microsoft.KeyVault'))
return await keyVaultClient.getSecret(maybeConnectionString);
else
return maybeConnectionString;
}
Upvotes: 2
Views: 2063
Answers (2)
Reputation: 14080
Below code can work:
Import modules:
import { SecretClient } from "@azure/keyvault-secrets";
import { DefaultAzureCredential } from "@azure/identity";
Logic to get secret:
let vaultUrl = `https://yourkeyvaultname.vault.azure.net/`;
let credentials = new DefaultAzureCredential();
let client = new SecretClient(vaultUrl, credentials);
let secret_value = (await client.getSecret("yoursecretname")).value
And I notice you mentioned tag 'azure-function', so there is no need to use key-vault SDK. You can add this to the configuration settings of function app(this only work after function app been deployed to azure.):
@Microsoft.KeyVault(SecretUri=<secret identifier>)
Then create a function app identity, and let the function identity access have the corresponding access policy to the keyvault. After that, you can get the secret by simply accessing environment variables.
Upvotes: 1
Reputation: 1533
Benny Powers, yes, you are right. To use Key Vault reference in Node.js, you will have to fetch the key-value, parse the value for the secret identifier, and then retrieve the actual secret from the Key Vault. This has been implemented as part of the .NET config provider as you mentioned, but you will have to do this if you are using the JS SDK.
In terms of implementation, you should first check whether the key-value has content-type of application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8. If so, it means this key-value is a Key Vault reference. Then you can parse the value. The value is in JSON format, something like {"uri":"https://xxxxxx.vault.azure.net/secrets/....."}. What the uri points to is the secret identifier. Once you have the secret identifier, you can fetch the actual secret by using the Key Valut client like you did.
Upvotes: 3
Related Questions
- How to extract Secret key from Azure key vault in Azure Function App on Nodejs stack
- App Settings config section from Azure Key Vault
- Access to azure app setting environment variables from nodejs
- How To Retrieve a Secret From Azure Key Vault Node
- Get Secret from Azure Keyvault using nodejs
- Access to Azure Key Vault reference value from App Configuration in development on local
- How to access Key Vault with Azure Managed Service Identity in node?
- Key Vault Settings in Azure App Settings with no code
- Key Vault secrets during Kudu deployments for a node.js app in Azure App Service
- Get App Settings Using Azure Node SDK