Access Azure KeyVault Secrets Through Nodejs Application

Azure Key Vault is a cloud-based service that allows users to securely store and manage sensitive information, such as passwords, keys, and certificates. This allows for a more secure and efficient way to manage and access sensitive information in a cloud environment.

In this article, we will discuss how to access these secrets through a Node.js application. We will cover how to set up an Azure Key Vault, how to authenticate with it, and how to retrieve and use the secrets in your application. By the end of this article, you will have a better understanding of how to use Azure Key Vault to secure and manage your application's sensitive information.

Table of Contents

1. Create Nodejs server
2. Create Azure Key Vault
3. Add secrets to key Vault
4. Add secrets from CLI
5. Register app in Azure Active Directory
6. Add Access Policies to key Vault
7. Reveal secrets in Nodejs application

1. Create Nodejs server

1. Create the directory and run npm init -y in the command prompt
2. Open that directory in VSCode using typing code . in the command prompt
3. Open vs code terminal and install the following

npm install express --save 
npm install nodemon --save-dev

Nodemon is a tool that automatically restarts a Node.js application when changes are made to the code. This can save developers time and effort by eliminating the need to manually stop and start the application each time a change is made.

1. Create an index.js file and paste the following code

const express = require('express');
const app = express();
const port = 3000;

app.get('/', (req, res) => {
  res.send('Hello World!');
});

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`);
});

1. In your terminal (which should be in the project directory), type nodemon index.js and hit the Enter button.

1. Open a new tab in postman or any web browser and the address bar, type http://localhost:3000, and hit the Enter button

Now the Node server is up and running...

2. Create Azure key vault

1. Sign in to the Azure portal at https://portal.azure.com

2. To set up a Key Vault in Azure:

3. Open the Azure portal and select "Create a resource" from the menu or Home page.

4. Search for "Key Vault" and select it from the results.

5. Click on "Create" in the Key Vault section.

6. In the "Create key vault" section, enter a unique name for the vault (e.g. "nodejsazurekeyvault") A vault's name must be between 3-24 alphanumeric characters. The name must begin with a letter, end with a letter or digit, and not contain consecutive hyphens, select a subscription and create a new resource group.

7. Pick a location and keep the other options unchanged.

8. Click on "Create" to finalize the setup.

3. Add secrets to key Vault

1. Click secrets in the left panel
2. Click Generate/Import at top of the page
3. Add a secret name, and value
4. Toggle enables to yes
5. Click Create

4. Add secrets from CLI

1. Install Azure CLI Download
2. Run these commands in the PowerShell window

az login

az keyvault secret set --vault-name "<your-unique-keyvault-name>" --name "MultilineSecret" --file "secretfile.txt"

5. Register the app in Azure Active Directory

1. Navigate to Azure Active Directory
2. Click App registrations on the left panel
3. Click New Registration
4. Enter the app name and platform to Web
5. Register

1. Click certificates and secrets
2. New client's secret
3. Add a description and set the expiry date
4. Add
5. Copy the value and keep it for future

6. Add app to key Vault

1. Navigate to the Key Vault
2. Click Access Policies in the left panel

If access policies don't appear. Navigate to access configuration and select vault access policy. And apply.

1. Create
2. Select Secret Management from the template dropdown

1. Next
2. Select keyvaultapp

1. Next
2. Create

7. Reveal secrets in Nodejs application

1. Go to index.js
2. Open vs code terminal and install the following

npm install @azure/identity
npm install @azure/keyvault-secrets
npm install dotenv

1. Create a .ENV file and add the following code

KEYVAULT_URI=<"key vault URL">
AZURE_TENANT_ID=<"registered app in azure active directory">
AZURE_CLIENT_ID=<"registered app in azure active directory">
AZURE_CLIENT_SECRET=<"previously copied value">

1. Add this code to index.js

require("dotenv").config();
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");
const credential = new DefaultAzureCredential();
const client = new SecretClient(process.env.KEYVAULT_URI, credential);

1. Create a separate route and add this code (single line secret)

app.get("/secret", (req, res) => {
  client
    .getSecret("testsecret")
    .then((data) => {
      res.send(data.value);
    })
    .catch((error) => {
      console.log(error);
      res.send(error);
    });
});

1. In your terminal (which should be in the project directory), type nodemon index.js and hit the Enter button.
2. Open a new tab in postman or any web browser and the address bar, type http://localhost:3000/secret, and hit the Enter button

1. Create a separate route and add this code (multi-line secret)

app.get("/multilinesecret", (req, res) => {
  client
    .getSecret("MultilineSecret")
    .then((data) => {
      const parsedSecret = JSON.parse(data.value);
      res.json(parsedSecret);
    })
    .catch((error) => {
      console.log(error);
      res.send(error);
    });
});

1. In your terminal (which should be in the project directory), type nodemon index.js and hit the Enter button.

2. Open a new tab in postman or any web browser and the address bar, type http://localhost:3000/multilinesecret, and hit the Enter button

Complete Code

const express = require("express");
const app = express();
const port = 3000;

require("dotenv").config();
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");
const credential = new DefaultAzureCredential();
const client = new SecretClient(process.env.KEYVAULT_URI, credential);

app.get("/", (req, res) => {
  res.send("Hello World!");
});

app.get("/secret", (req, res) => {
  client
    .getSecret("testsecret")
    .then((data) => {
      res.send(data.value);
    })
    .catch((error) => {
      console.log(error);
      res.send(error);
    });
});

app.get("/multilinesecret", (req, res) => {
  client
    .getSecret("MultilineSecret")
    .then((data) => {
      const parsedSecret = JSON.parse(data.value);
      res.json(parsedSecret);
    })
    .catch((error) => {
      console.log(error);
      res.send(error);
    });
});

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`);
});

Source Code

GitHub

Thank you.

Comments

[Lakin Mohapatra]

Access policiies not showing me under key vault. can you advise ?

[Dileepa Mabulage]

If access policies don't appear. Navigate to access configuration and select vault access policy. And apply.