How can I retrieve an API-secret-key from Azure Key Vault URI (https://.vault.azure.net/secrets/Example) and pass it to apiKey var in pure JavaScript code, not in Node.js? Can I use something like this:

var authorizationEndpoint = "https://<keyvault-name>.vault.azure.net/secrets/Eg";
function RequestAuthorizationToken() {
    if (authorizationEndpoint) {
        var a = new XMLHttpRequest();
        a.open("GET", authorizationEndpoint);
        // accessToken is not declared anywhere in this snippet
        a.setRequestHeader("Authorization", "Bearer " + accessToken);
        a.setRequestHeader("Content-Type", "application/json");
        a.onload = function () {
            // read the response from the same XMLHttpRequest object (a)
            var response = JSON.parse(a.responseText);
            window.apiKey = response.value;
        };
        a.send();
    }
}
backnext
  • Are you getting any errors when you use the above code? – Sridevi Feb 03 '23 at 06:36
  • Uncaught ReferenceError: accessToken is not defined – backnext Feb 03 '23 at 15:36
  • In the meantime I have understood that this cannot be done in a safe way. But without making the move to Node.js I think it might be possible with a little PHP. Here: https://github.com/wapacro/az-keyvault-php I found a workaround: Azure Key Vault Library. Is this a possible solution? I am not very familiar with PHP and Composer... – backnext Feb 03 '23 at 15:42

1 Answer

I tried to reproduce the same in my environment via Postman and got below results:

I have one secret named srisecret in my key vault.

I registered one Azure AD application and added API permission for key vault.

Make sure to give get secret permission for your service principal in keyvault access policies.

Now, I generated one access token via Postman to access Key vault with below parameters:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token

grant_type: client_credentials
client_id: <appID>
client_secret: <secret_value>
scope: https://vault.azure.net/.default

When I used above token to get keyvault secret, I got it successfully like below:

GET https://keyvaultname.vault.azure.net/secrets/<secretname>/<secretversion>?api-version=7.3
Authorization: Bearer <token>

Alternatively, you can use the below C# code to fetch the key vault secret:

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

namespace KVSecret
{
    class Secret
    {
        static void Main(string[] args)
        {
            // Placeholder values: replace with the details of your app registration
            const string clientId = "appID";
            const string tenantId = "tenantID";
            const string clientSecret = "secret";

            // Authenticate as the service principal (client credentials flow)
            var credentials = new ClientSecretCredential(tenantId, clientId, clientSecret);
            var client = new SecretClient(new Uri("https://yourkvname.vault.azure.net"), credentials);

            // Fetch the latest version of the secret and print its value
            var secret = client.GetSecretAsync("yoursecretname").GetAwaiter().GetResult();
            Console.WriteLine(secret.Value.Value);
        }
    }
}

The mentioned php link in comments is for fetching keyvault secrets via managed identities.

For this, you need to enable system-assigned managed identity.

You need to give get secret permission to this managed identity by creating access policy.

Now, you can run below php code by installing az-keyvault-php package:

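<?php
// Load the Composer autoloader so the az-keyvault-php classes are available
require __DIR__ . '/vendor/autoload.php';
$secret = new AzKeyVault\Secret('https://yourkvname.vault.azure.net');
$value = $secret->getSecret('yoursecretname');
echo $value->secret;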
Sridevi
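
The two requests from the answer above (token request, then secret read), as an added example that is not part of the original answer. It is server-side JavaScript and assumes a runtime with a global `fetch` (for example Node 18+), because a `client_secret` placed in page script is readable by every visitor. Function names and sample values are hypothetical.

```javascript
// Added example, not the answerer's code. Endpoints, scope and api-version
// are the ones shown in the answer; all function names are hypothetical.
const KV_SCOPE = "https://vault.azure.net/.default";

// Step 1: client-credentials token request (form-encoded POST body).
function buildTokenRequest({ tenantId, clientId, clientSecret }) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope: KV_SCOPE,
  });
  return {
    url: `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Step 2: secret read. Names are validated so that caller input can never
// change the host or path the bearer token is sent to.
function buildSecretRequest(vaultName, secretName, accessToken, version = "") {
  if (!/^[A-Za-z][A-Za-z0-9-]{2,23}$/.test(vaultName)) throw new Error("invalid vault name");
  if (!/^[A-Za-z0-9-]{1,127}$/.test(secretName)) throw new Error("invalid secret name");
  const path = version ? `${secretName}/${encodeURIComponent(version)}` : secretName;
  return {
    url: `https://${vaultName}.vault.azure.net/secrets/${path}?api-version=7.3`,
    init: { headers: { Authorization: `Bearer ${accessToken}` } },
  };
}

// Runs both steps. fetchImpl is injectable so the flow can be tested offline.
async function getSecret(cfg, vaultName, secretName, fetchImpl = fetch) {
  const t = buildTokenRequest(cfg);
  const tokenRes = await fetchImpl(t.url, t.init);
  if (!tokenRes.ok) throw new Error(`token request failed: ${tokenRes.status}`);
  const { access_token } = await tokenRes.json();
  const s = buildSecretRequest(vaultName, secretName, access_token);
  const secretRes = await fetchImpl(s.url, s.init);
  if (!secretRes.ok) throw new Error(`secret request failed: ${secretRes.status}`);
  return (await secretRes.json()).value; // the secret's value field
}
```

A browser page would call an endpoint on its own backend that wraps `getSecret`, rather than calling Key Vault directly.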