
Why do I need a tenant when using @azure/keyvault-keys with @azure/identity, but not when using azure-keyvault?

I was using azure-keyvault but it's now deprecated. I'm using it for encrypting and decrypting stuff. All I needed to operate was clientId, clientSecret and the key identifier.

Because azure-keyvault is now deprecated I switched to @azure/keyvault-keys / @azure/identity. For this I need a tenant (ClientSecretCredential), which I previously didn't need. Why is that, or is there a way to not need it?

When using a ClientSecretCredential, because a service principal belongs to a particular tenant, you have to specify that tenant rather than it coming back in a callback like the older code.

There are many different credential types, but our recommendation is to use DefaultAzureCredential, which supports MSI, environment credentials (service principal using $AZURE_TENANT_ID, $AZURE_CLIENT_ID, and $AZURE_CLIENT_SECRET), and interactive browser login for most languages - soon with more credentials like Azure CLI and Visual Studio. With support for Azure CLI, that provides parity with the older packages like you used and then some. Just by using DefaultAzureCredential you get all that, and it supports different environments by default, so you don't have to change your code to use different credentials for dev, staging, or production environments.

So like in the referenced example, you just instantiate a DefaultAzureCredential and that's it. If you have your service principal environment variables defined, they will be used if Managed Identity (MSI) wasn't detected.

import { SecretClient } from '@azure/keyvault-secrets';
import { DefaultAzureCredential } from '@azure/identity';
import { CosmosClient } from '@azure/cosmos';
import { BlobServiceClient } from '@azure/storage-blob';

// process.env is an object, not a function
const keyVaultUrl = process.env.APP_KEY_VAULT_URI;
// One credential: MSI in production, service-principal env vars or
// developer login elsewhere, with no code change between environments.
const credential = new DefaultAzureCredential();
let storageClient;
let cosmosClient;

async function configureClients() {
    const kvClient = new SecretClient(keyVaultUrl, credential);
    // getSecret resolves to a KeyVaultSecret; the secret string is in .value
    const storageUri = (await kvClient.getSecret('storageUri')).value;
    const cosmosDbConnectionString = (await kvClient.getSecret('cosmosDb')).value;

    cosmosClient = new CosmosClient(cosmosDbConnectionString);
    storageClient = new BlobServiceClient(storageUri, credential);
}

The order of credentials is optimized for production workloads, but supports developer machines - pretty close to the order I listed them above.
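To make the tenant point concrete for the questioner's encrypt/decrypt use case, here is an added example (not code from the original post or from the Azure SDK) that reads the same AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET variables the answer names, refuses a client id/secret pair that lacks a tenant, and otherwise falls back to DefaultAzureCredential before building a CryptographyClient from @azure/keyvault-keys. The key identifier, the RSA-OAEP algorithm choice and the function names are assumptions.

```javascript
// Added example, not from the original post. Pure, offline-testable part:
// decide which credential this process can build from its environment.
function resolveCredentialConfig(env) {
  const tenantId = env.AZURE_TENANT_ID;
  const clientId = env.AZURE_CLIENT_ID;
  const clientSecret = env.AZURE_CLIENT_SECRET;
  if (tenantId && clientId && clientSecret) {
    return { kind: 'servicePrincipal', tenantId, clientId, clientSecret };
  }
  if (clientId && clientSecret) {
    // The situation in the question: the old azure-keyvault package learned the
    // tenant from the auth challenge; ClientSecretCredential needs it up front,
    // because a service principal exists in exactly one tenant.
    throw new Error('AZURE_TENANT_ID is required alongside AZURE_CLIENT_ID/AZURE_CLIENT_SECRET');
  }
  // Nothing explicit: let DefaultAzureCredential try MSI, CLI, browser, etc.
  return { kind: 'default' };
}

// Network-bound part: build a CryptographyClient for one Key Vault key.
// keyId is an assumed value, e.g. https://<vault>.vault.azure.net/keys/<name>/<version>
async function createCryptoClient(keyId, env = process.env) {
  const { ClientSecretCredential, DefaultAzureCredential } = await import('@azure/identity');
  const { CryptographyClient } = await import('@azure/keyvault-keys');
  const cfg = resolveCredentialConfig(env);
  const credential = cfg.kind === 'servicePrincipal'
    ? new ClientSecretCredential(cfg.tenantId, cfg.clientId, cfg.clientSecret)
    : new DefaultAzureCredential();
  return new CryptographyClient(keyId, credential);
}

// Encrypt then decrypt with the vault key; the private key never leaves Key Vault.
async function roundTrip(cryptoClient, plaintext) {
  const enc = await cryptoClient.encrypt({ algorithm: 'RSA-OAEP', plaintext: Buffer.from(plaintext) });
  const dec = await cryptoClient.decrypt({ algorithm: 'RSA-OAEP', ciphertext: enc.result });
  return Buffer.from(dec.result).toString();
}
```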
