0

In C# I can use AzureServiceTokenProvider which allows me to access an Azure Key Vault in a number of ways. If I'm running locally it will use my credentials, if I'm running in Azure it will use MSI, it will look for environment variables, etc. It's really nice, as I don't need to write code to handle running in a variety of environments with different authentication mechanisms.

I can't seem to find something like this for node. It looks like I have to write code to do interactive login, MSI, environment variables, etc. Is there something like AzureServiceTokenProvider for node? Something that handles a variety of auth scenarios?

Erick T
  • 7,009
  • 9
  • 50
  • 85
  • Any process now? – Joey Cai Dec 03 '19 at 01:47
  • I'm afraid not. I'm planning to manually do the fallback work. – Erick T Dec 03 '19 at 23:53
  • With the new Azure SDKs, you can use DefaultAzureCredential, which internally searches for Environment variables, then Managed Identity, then dev tools (VS), then Interactive Browser. You can read more here: https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/identity/identity – Jon Gallant Mar 07 '20 at 13:58

2 Answers

1

Using the loginWithAppServiceMSI() method from ms-rest-azure will autodetect if you're on a WebApp and get the token from the MSI endpoint. Then, the code is simply:

    // Assumed requires for the packages this answer uses; KEY_VAULT_URI is a
    // placeholder for your vault's URL, read here from configuration.
    const msRestAzure = require('ms-rest-azure');
    const KeyVault = require('azure-keyvault');
    const KEY_VAULT_URI = process.env.KEY_VAULT_URI;

    // Acquire a token for Key Vault from the App Service MSI endpoint.
    function getKeyVaultCredentials(){
        return msRestAzure.loginWithAppServiceMSI({resource: 'https://vault.azure.net'});
    }

    // Read the secret named 'secret'; an empty version string requests the latest version.
    function getKeyVaultSecret(credentials) {
        let keyVaultClient = new KeyVault.KeyVaultClient(credentials);
        return keyVaultClient.getSecret(KEY_VAULT_URI, 'secret', "");
    }

    getKeyVaultCredentials().then(
        getKeyVaultSecret
    ).then(function (secret){
        console.log(`Your secret value is: ${secret.value}.`);
    }).catch(function (err) {
        throw (err);
    });

If you need a fallback mechanism to allow this code to switch automatically from MSI to another approach, you can test for environment variables:

    // Use MSI when running on App Service, otherwise fall back to a service principal.
    // clientId, secret and domain (the tenant) are assumed to be loaded from configuration.
    function getKeyVaultCredentials(){
        if (process.env.APPSETTING_WEBSITE_SITE_NAME){
            return msRestAzure.loginWithAppServiceMSI({resource: 'https://vault.azure.net'});
        } else {
            return msRestAzure.loginWithServicePrincipalSecret(clientId, secret, domain);
        }
    }

Joey Cai
  • 18,968
  • 1
  • 20
  • 30
1

The older package azure-keyvault would require you to use the ms-rest-azure package to create the credential/token-provider with no fallback option.

azure-keyvault has now been deprecated in favor of the new packages to deal with Keyvault keys, secrets and certificates separately via @azure/keyvault-keys, @azure/keyvault-secrets and @azure/keyvault-certificates respectively.

These packages take credentials from the new @azure/identity package. One of the credentials is the DefaultAzureCredential, which has the fallback mechanism you are looking for. See the readme for @azure/identity for more details.

Ramya Rao
  • 111
  • 5
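As an added example (not code from either answer or from the Azure SDK): a minimal credential chain showing how the DefaultAzureCredential/ChainedTokenCredential fallback in @azure/identity works, which is the behaviour the first answer hand-codes with an if/else. The two credential classes are constructed stand-ins that return fabricated tokens; the AZURE_TENANT_ID/AZURE_CLIENT_ID/AZURE_CLIENT_SECRET and IDENTITY_ENDPOINT/MSI_ENDPOINT names are the variables the real credentials read, and everything else here is assumed.

```javascript
class CredentialUnavailableError extends Error {}

// Stand-in for EnvironmentCredential: usable only when the AZURE_* variables
// the real class reads are set (token is fabricated here, never requested).
class EnvironmentCredential {
  constructor(env) { this.env = env; }
  async getToken(scopes) {
    const { AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET } = this.env;
    if (!(AZURE_TENANT_ID && AZURE_CLIENT_ID && AZURE_CLIENT_SECRET)) {
      throw new CredentialUnavailableError('AZURE_TENANT_ID/AZURE_CLIENT_ID/AZURE_CLIENT_SECRET not set');
    }
    return { token: `sp-token:${AZURE_CLIENT_ID}`, scopes };
  }
}

// Stand-in for ManagedIdentityCredential: usable only when App Service has
// injected an identity endpoint (IDENTITY_ENDPOINT, or the older MSI_ENDPOINT).
class ManagedIdentityCredential {
  constructor(env) { this.env = env; }
  async getToken(scopes) {
    if (!(this.env.IDENTITY_ENDPOINT || this.env.MSI_ENDPOINT)) {
      throw new CredentialUnavailableError('no managed identity endpoint');
    }
    return { token: 'msi-token', scopes };
  }
}

// Try each source in order. "Unavailable" (not configured here) moves on to
// the next source; any other error is a real auth failure and is rethrown at
// once, so a fallback never silently masks a misconfigured credential.
class ChainedTokenCredential {
  constructor(...sources) { this.sources = sources; }
  async getToken(scopes) {
    const reasons = [];
    for (const source of this.sources) {
      try {
        return await source.getToken(scopes);
      } catch (err) {
        if (!(err instanceof CredentialUnavailableError)) throw err;
        reasons.push(`${source.constructor.name}: ${err.message}`);
      }
    }
    throw new CredentialUnavailableError(`no credential available:\n  ${reasons.join('\n  ')}`);
  }
}

// Same order as the first two steps of DefaultAzureCredential's chain.
function defaultCredential(env = process.env) {
  return new ChainedTokenCredential(new EnvironmentCredential(env), new ManagedIdentityCredential(env));
}
```

Pass the result to a client the same way you would pass a real credential, e.g. `new SecretClient(vaultUrl, defaultCredential())` with @azure/keyvault-secrets; the error message lists why each source was skipped, which is what you want in logs when nothing authenticates.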