This is quick post on how to work with Azure Key vault using npm package for Azure Key vault. In this post we will see how we can authenticate to Azure Key vault using azure service principal. We will then write secrets to the keyvault and add few tags to the secret.

For the sake of this post, we will be writing our application in TypeScript and all the snippets below are in TypeScript.

Prerequisites

Azure team provides a npm package azure-keyvault to work with the key vault.

The first thing needed to authenticate for your application NodeJS application is to create a service principal in the portal. This is one of the recommended way because you can limit permission to the app to do only what you want - in this case to access azure key vault to write secrets to it.

For example, for the app I created for this post, I have set access policies to perform only Key Management operations and for this key vault.

app policies

How to create the service principal is outside the scope of this post, but you can read more here.

If you have created the app successfully, you should have client id, client secret and the tenant id.

Using npm package

In your nodejs application, using the command prompt go to the root of the folder where your package.json file exists. We need to install two packages from Azure. First one is the ms-rest-azure and second one is azure-keyvault.

Install the packages using below command

1
npm install azure-keyvault ms-rest-azure --save

This should update your package.json file to include the package as dependency.

1
2
3
4
"dependencies": {
    "azure-keyvault": "^3.0.4",
    "ms-rest-azure": "^2.5.7"
  },

Creating keyvault client

Once, you install the package, you need to import them in to your file. Then we use client id, secret and tenant id to create an KeyVaultClient object as below.

1
2
3
4
5
import * as msrestazure from "ms-rest-azure";
import * as keyvault from "azure-keyvault";

let credentials = await msrestazure.loginWithServicePrincipalSecret(clientId, clientSecret, tenantId);
let kvClient = new keyvault.KeyVaultClient(credentials);

Setting the secret

Next step is to write a secret to the keyvault. That is again just few lines of code. For this we need also our keyvault URL.

1
2
3
4
5
6
7
8
9
10
11
12
13
let keyVaultUrl = "https://mykvname0010918.vault.azure.net";
let secretName = "azuresqldbpassword";
let secretValue = "8M*3H@*rN>$TYS?";
await kvClient.setSecret(keyVaultUrl, secretName, secretValue, { tags: { "build": "20180918.1" }, contentType: "Added via my nodejs application" }, (err, secretBundle) => {
                if (err) {
                    console.info(`Error while writing '${secretName}'`);
                    throw err;
                }
                else {
                    console.info(`Successfully set the secret for '${secretName}'`);
                }
            });

Notice we are also passing tags and optional contentType to the secret which adds useful metadata to the secret being added.

That’s it, you should see your secret added in the Azure key vault. Notice, it has our added tag and also our content type.

added to key valut

Conclusion

This post just showed adding a secret to key vault. However the NPM package is very powerfull and allows you to do all other operations like creating certificates, deleting, backing up secrets etc.

other operations

That is it for this post - I hope you found this post useful.

About author
Author Image
Utkarsh Shigihalli
Utkarsh is passionate about software development and has more than 12 years of work experience in the areas of Azure, VSTS, C# and TypeScript. He has developed numerous extensions for Visual Studio and Visual Studio Team Services. He is currently working as a Consultant in the United States.
Comments