Azure Key Vault in NodeJS
Looking over the Internet for ways to access Azure Key Vault from NodeJS, I stumbled upon very complex samples showing how to read, write and delete secrets in the vault.
While they are all very useful, more often than not I just need to get secrets out of the Key Vault, perhaps to read a database connection string, and then forget the vault is even there.
I created a simple NodeJS API leveraging the official Azure NPM packages to read the Key Vault values and access data from a MySQL database.
The Azure packages on NPM have changed recently; for this application I used:
express (just for testing, a web framework to host the API): https://www.npmjs.com/package/express
@azure/identity: https://www.npmjs.com/package/@azure/identity
@azure/keyvault-secrets: https://www.npmjs.com/package/@azure/keyvault-secrets
mysql (just for testing that I successfully retrieved the correct secrets): https://www.npmjs.com/package/mysql
Express handles the web routing and content negotiation for me; refer to its web site for how it works.
Credentials
The first thing you need to do is obtain credentials for your Key Vault. You can accomplish this by creating a ClientCertificateCredential and passing your tenantId, clientId and secret; the documentation is outstanding, so refer to the URL above for more detail. Another way is to put these values in environment variables, which keeps the secrets out of source control, and instantiate a DefaultAzureCredential object, which reads them for you.
const { DefaultAzureCredential } = require("@azure/identity");
// DefaultAzureCredential expects the following three environment variables:
// * AZURE_TENANT_ID: The tenant ID in Azure Active Directory
// * AZURE_CLIENT_ID: The application (client) ID registered in the AAD tenant
// * AZURE_CLIENT_SECRET: The client secret for the registered application
const credential = new DefaultAzureCredential();
Client Object
The credential object built in the previous step is used together with the Azure Key Vault URL to build the client; after that it is straightforward to retrieve data from the vault.
const { SecretClient } = require("@azure/keyvault-secrets");
// vaultName is the name of your Key Vault; the URL is the vault's DNS name
const url = `https://${vaultName}.vault.azure.net`;
// Lastly, create our secrets client and connect to the service
const client = new SecretClient(url, credential);
Retrieve
The client.getSecret method takes a secret name as its parameter and returns a promise that resolves to an object containing the desired value. I like to use async/await instead of wiring up the promise's then/catch methods because it makes the code cleaner, but either way works.
One thing I was not able to find is a way to pass an array of names to retrieve several values at once, so this example unfortunately makes 4 separate calls to AKV to get the db host, user, password and db name. If I find a better way of doing this I will make the change here.
// each call resolves to a KeyVaultSecret object; the secret string itself is in its .value property
const kvHost = await client.getSecret('mysql-host');
const kvUser = await client.getSecret('mysql-user');
const kvPwd = await client.getSecret('mysql-password');
const kvDb = await client.getSecret('mysql-db');
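The four awaits above run one after another, so the lookup pays four round trips of latency. The following is an added example, not code from the post or from the linked GitHub project: it issues the same per-secret calls concurrently with Promise.all, returns the values as a plain object, and maps them onto the options the mysql package expects. The loadSecrets, mysqlConfigFromVault and FakeSecretClient names are my own; the only assumption about the client is that it has a getSecret(name) method resolving to an object with a value property, which is what SecretClient provides, so the real client can be passed in unchanged. The in-memory FakeSecretClient and the vault contents are constructed so the logic runs offline; the secret names are the ones used in the post.

```javascript
// Added example (not from the original post). Fetch several Key Vault secrets
// concurrently and return them as a plain object, ready to feed a MySQL config.
// Any object with getSecret(name) resolving to { name, value } works here, so the
// real SecretClient from @azure/keyvault-secrets can be used in production while
// the FakeSecretClient below stands in for it offline.

async function loadSecrets(client, names) {
  // Still one request per secret, but issued concurrently rather than serially,
  // so four secrets cost one round trip of latency instead of four.
  const entries = await Promise.all(
    names.map(async (name) => {
      const secret = await client.getSecret(name);
      if (secret == null || typeof secret.value !== "string") {
        // Name the secret in the error, but never echo a value into an error or log.
        throw new Error(`secret "${name}" has no value`);
      }
      return [name, secret.value];
    })
  );
  return Object.fromEntries(entries);
}

// Map the vault entries onto the connection options of the mysql package.
// The vault keys are the ones used in the post; the option names are mysql's.
function mysqlConfigFromVault(secrets) {
  return {
    host: secrets["mysql-host"],
    user: secrets["mysql-user"],
    password: secrets["mysql-password"],
    database: secrets["mysql-db"],
  };
}

// Minimal stand-in for SecretClient: same getSecret(name) shape, no network.
// (Hypothetical helper for this example, not part of the Azure SDK.)
class FakeSecretClient {
  constructor(store) {
    this.store = store;
    this.calls = 0; // lets a caller check how many requests were made
  }
  async getSecret(name) {
    this.calls += 1;
    if (!(name in this.store)) {
      // Mirrors the "secret not found" failure you get back from the service.
      const err = new Error(`SecretNotFound: ${name}`);
      err.code = "SecretNotFound";
      throw err;
    }
    return { name, value: this.store[name] };
  }
}

// Constructed sample vault contents for the offline demo (not real credentials).
const SAMPLE_VAULT = {
  "mysql-host": "db.example.internal",
  "mysql-user": "app_user",
  "mysql-password": "example-only-password",
  "mysql-db": "inventory",
};

const SECRET_NAMES = ["mysql-host", "mysql-user", "mysql-password", "mysql-db"];

async function demo() {
  const client = new FakeSecretClient(SAMPLE_VAULT);
  const secrets = await loadSecrets(client, SECRET_NAMES);
  const config = mysqlConfigFromVault(secrets);
  // Print only the non-sensitive fields; the password stays out of stdout.
  console.log(`host=${config.host} user=${config.user} database=${config.database}`);
  return config;
}

demo().catch((err) => {
  console.error(err.message);
  process.exitCode = 1;
});
```

With the real client you would replace FakeSecretClient with the SecretClient built earlier and pass the resulting config straight to mysql.createConnection; note that loadSecrets rejects as soon as any one secret is missing, which is what you want at startup, since a half-configured database connection is worse than a clear failure.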
You can view the rest of the code on my github page at: https://github.com/delacruzjl/nodejs-keyvault-mysql
Happy coding!
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.