---
page_type: sample
languages:
products:
description: How to set and get secrets from Azure Key Vault with Azure Managed Identities and Node.js.
urlFragment: get-set-keyvault-secrets-managed-id-nodejs
---
In this sample, you will find the following folders:
- v3 - uses azure-keyvault, the legacy package for Key Vault Secrets
- v4 - uses @azure/keyvault-secrets, the latest package for Key Vault Secrets
We strongly recommend using the latest packages in your projects. For more samples using the latest Key Vault packages, see:
- JavaScript samples for Key Vault secrets
- JavaScript samples for Key Vault keys
- JavaScript samples for Key Vault certificates
This sample will show how a Web App gets a secret at runtime from Azure Key Vault using a developer account during development, and using Azure Managed Identities when deployed to Azure, without any code changes between local development environment and Azure. As a result, you don't have to explicitly handle a service principal credential to authenticate to Azure AD to get a token to call Key Vault. You also don't have to worry about renewing the service principal credential either, since Azure Managed Identities takes care of that.
To run and deploy this sample, you need the following:
- Node.js
- Git
- An Azure subscription to create a Key Vault and other services, such as App Service, used in this sample.
- An App registration to authenticate.
If you don't have an Azure subscription or App registration, create a free account or App registration before you begin.
- Create an Azure Key Vault from Azure Portal.
- Add a secret.
From the Azure Portal, go to the Key Vault's access policies, and grant yourself Secret Management access to the Key Vault. This will allow you to run the application on your local development machine.
- On your Key Vault Settings pages, Select Access policies.
- Click on Add Access Policy.
- Set Configure from template (optional) to Secret Management.
- Click on Select Principal, add your App registration.
- Click on Add.
- Click on Save to save the Access Policies.
- Clone the repository.
  ```
  git clone https://github.com/Azure-Samples/azure-sdk-for-js-keyvault-secrets-get-nodejs-managedid.git
  ```
- Run the following commands to install dependencies for "SDK version 3" and "SDK version 4":
  - SDK version 4
    ```
    cd v4
    npm install
    ```
  - SDK version 3
    ```
    cd v3
    npm install
    ```
- Set up the following environment variables or replace these variables in the index.js file.

  Linux
  ```
  export KEY_VAULT_URL="<YourKeyVaultUrl>"
  export SECRET_NAME="<YourSecretName>"
  export SECRET_VERSION="<YourSecretVersion>"
  export AZURE_TENANT_ID="<YourTenantId>"
  export AZURE_CLIENT_ID="<YourClientId>"
  export AZURE_CLIENT_SECRET="<YourClientSecret>"
  ```
  Windows
  ```
  setx KEY_VAULT_URL "<YourKeyVaultUrl>"
  setx SECRET_NAME "<YourSecretName>"
  setx SECRET_VERSION "<YourSecretVersion>"
  setx AZURE_TENANT_ID "<YourTenantId>"
  setx AZURE_CLIENT_ID "<YourClientId>"
  setx AZURE_CLIENT_SECRET "<YourClientSecret>"
  ```
- Run the sample.
  ```
  node index.js
  ```
- Create a Node.js Web App in Azure.
- Set environment variables in the Settings > Configuration > Application Settings of your Web App. You can also change the value of the variables from `null` in the index.js file.
- This repository is ready to be deployed using local git. Read this tutorial to get more information on how to push using local git through the portal.
- Access denied: the principal used does not have access to the Key Vault. The principal used is shown on the web page. Grant that user (in the developer context) or application Get secret access to the Key Vault.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.