使用 nodejs 从 Azure Keyvault 获取秘密

Question

I need to read the list of users in the Azure active directory. The client has created a Graph API application but they do not want to share the client secret of the application, instead they asked us to use the Key vault. How to access from the node.js application the key to retrieve the list of users?

I tried the below one but gave error and I am not sure how to authenticate.

const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");

const credential = new DefaultAzureCredential();

const vaultName = "lsm-keyvault";
const url = `https://${vaultName}.vault.azure.net`;

const client = new SecretClient(url, credential);

const secretName = "Demo";

async function main() {
  const result = await client.setSecret(secretName, "MySecretValue", {
    enabled: false
  });

  console.log(result)
}

Answer 1

Well, if you run the code in local, the DefaultAzureCredential will use the environmental variables automatically.

So in your case, you need to register an application with Azure AD , and get the tenant id , client id(ie application id) , client secret(ie application secret) , set the environmental variables , AZURE_CLIENT_ID , AZURE_CLIENT_SECRET , and AZURE_TENANT_ID .

For the 403 error you got, I notice you said It added as a compound entity , based on my experience, you did not add the correct service principal related to the AD App correctly to the Access policies of the keyvault. If you add it correctly, it will appear as APPLICATION , not COMPOUND IDENTITY .

So when you add it, you could search for the client Id(ie application Id) or the name of your App Registration directly, make sure you add the correct one. I gave the details in this similar issue , you could refer to it.

To retrieve the secret , the Get permission is enough, the code should be

const retrievedSecret = await client.getSecret(secretName);

I notice you use client.setSecret in your code, it is used to save a secret , to use it, you may need the Set permission.

For more details, see Quickstart: Azure Key Vault client library for Node.js (v4) .

Update:

I have to eventually need to deploy this but not in azure but in another environment. How do I set the environment variables and access it.

If so, you need to change your code to authenticate, use the three values directly in the code.

Change the lines

const { DefaultAzureCredential } = require("@azure/identity");
const credential = new DefaultAzureCredential();

To

const { ClientSecretCredential } = require("@azure/identity");
const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);

See - https://www.npmjs.com/package/@azure/identity/v/1.0.3#authenticating-as-a-service-principal

Answer 2

All you need to do is follow the below steps:

• Create an App in the Azure Active Directory (Service Principal) from App Registrations.
• Go to Key Vault resource, Access Policy blade, assign read access to this Azure AD App (Service Principal) that we created in the above step.
• Set these 3 Environment variables AZURE_CLIENT_ID , AZURE_TENANT_ID , and AZURE_CLIENT_SECRET in your App Service. Get the values of these variables from the app that we created in step 1.
• Use DefaultAzureCredential that we are already using now. This will automatically pick the credentials from the environment variables that we defined in App Service for the authentication.

Another way is to obtain Key Vault token dynamically and use that token to get the secrets from the Key Vault - https://docs.microsoft.com/en-us/samples/azure-samples/app-service-msi-keyvault-node/app-service-msi-keyvault-node/

Helpful Reference:

• https://www.rahulpnath.com/blog/defaultazurecredential_from_azure_sdk/