在本地开发时，如何将 @azure/identity 与来自“az login”而不是服务帐户的 DefaultCredentials 一起使用？

Question

Not sure if this is already possible somehow or there's a different 'flow' that's expected and makes sense which I have yet to discover.

We use @azure/keyvault-secrets + @azure/identity to access/manage all our secrets/keys across our applications and development environments.

In production environments it's easy as we can either associate service accounts with app services directly or just create a service account and set it in the environmental variables then never touch it.

Locally though, for development purposes, it's not ideal to have to get the secret keys/configuration for the app we're working on, it would be ideal to be able to use the account credentials from azure cli to retreive the secrets based on the developer working on the app and what they have access to, so that we can enforce mfa on their account and manage access to keys solely for their user account and so on.

Does the @azure/identity module currently support this behaviour? if not, is there a recommended behaviour for this use-case besides just configuring the service accounts for each app within the dev. environment?

Answer 1

According to my understanding, you want to use azure cli creds to get Azure key vault secret. If so, you can use the sdk @azure/ms-rest-nodeauth . For moe details, please refer to https://github.com/Azure/azure-sdk-for-node/issues/2284 . The detailed steps are as below.

1. Create protect with VS code

npm init -y
npm install @azure/ms-rest-nodeauth
npm install @azure/keyvault

2. Login in Azure with Azure CLI

az login

3. Code

var azure = require('@azure/ms-rest-nodeauth')
var keyvault = require('@azure/keyvault')

async function main() {
    const creds = await azure.AzureCliCredentials.create({ resource: "https://vault.azure.net" })


        const client = new keyvault.KeyVaultClient(creds)
        const secret = await client.getSecret('https://testkey08.vault.azure.net', 'test', '517cc458b7464c379d1d3e85bd2a5c94')
         console.log(secret)
}

main()
  .then(() => {
    console.log("Successfully executed sample.");
  })
  .catch((err) => {
    console.log(err.message);
  });

---

Update

According to my test, if you use sdk @azure/keyvault-secrets to get the key vault secret, please refer to the following code:

var azure = require('@azure/ms-rest-nodeauth')
var keyvault = require('@azure/keyvault-secrets')

async function main() {
    const creds = await azure.AzureCliCredentials.create({ resource: "https://vault.azure.net" })



        const client = new keyvault.SecretClient('https://<your key vault name>.vault.azure.net',creds)
        const secret = await client.getSecret('your secret name')
         console.log(secret)
}

main()
  .then(() => {
    console.log("Successfully executed sample.");
  })
  .catch((err) => {
    console.log(err.message);
  });

Besides, according to my test and research, if we use the sdk @azure/keyvault-secrets and @azure/keyvault-secrets , we have no way to use the account credentials from azure cli to retreive the secrets. For more details, please refer to the document

So if we want to develop your application on local, I suggest you create a service principal to get the key vault. The detailed steps are as below

1. create sp

az ad sp create-for-rbac -n <your-application-name> --skip-assignment
az keyvault set-policy --name <your-key-vault-name> --spn $AZURE_CLIENT_ID --secret-permissions backup delete get list purge recover restore set

2. create.env file

AZURE_TENANT_ID=<tenant id>
AZURE_CLIENT_ID=<app id>
AZURE_CLIENT_SECRET=<password>

3. code

var keyvault = require('@azure/keyvault-secrets')
var azure1 = require('@azure/identity')
const dotenv = require('dotenv');
dotenv.config();
async function main() {
    //const creds = await azure.AzureCliCredentials.create({ resource: "https://vault.azure.net" })


        // console.log("way1")
        // const client = new keyvault.SecretClient('https://testkey08.vault.azure.net',creds)
        // const secret = await client.getSecret('test')
        // //const secret = await client.getSecret('https://testkey08.vault.azure.net', 'test', '517cc458b7464c379d1d3e85bd2a5c94')
        //  console.log(secret)
         console.log("-----------------------")
         console.log("way2")
         const creds1 = new  azure1.DefaultAzureCredential()


          const client1 = new keyvault.SecretClient('https://testkey08.vault.azure.net',creds1)
          const secret1 = await client1.getSecret('test')
          console.log(secret1)
}

main()
  .then(() => {
    console.log("Successfully executed sample.");
  })
  .catch((err) => {
    console.log(err.message);
  });