If you develop on Node.js, you can use the Azure SDK for Node that makes it easy to consume and manage Microsoft Azure Services. In this post let’s explore how to use the node SDK to connect to Azure Key Vault and interact with the vault objects. If you are new to key vault check out my other posts here to get started.
The azure-keyvault npm (node package manager) package allows accessing keys, secrets, and certificates on Azure Key Vault. It required Node.js version 6.x.x or higher. You can get the latest Node.js version here.
Manage keys: create, import, update, delete, backup, restore, list and get.
Key operations: sign, verify, encrypt, decrypt, wrap, unwrap.
Secret operations: set, get, update and list.
Certificate operations: create, get, update, import, list, and manage contacts and issuers.
The following packages are required to connect to the vault and authenticate. The azure-keyvault package as we saw above provides capabilities to interact with the vault. The adal-node is the Windows Active Directory Authentication Library for Node. The package makes it easy to authenticate to AAD to access AAD protected web resources. Applications using key vault need to authenticate using a token from an Azure AD Application.
Authenticate Using ClientId and Secret
Create the Azure AD application and the Secret key as shown in this post. Grab the ClientId and Secret for authentication from the node application.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
To access the vault, we need to create an instance of the KeyVaultClient object which taken in a Credentials as shown below. The KeyVaultClient has different methods exposes to interact with keys, secrets, and certificates in the vault. For e.g. To retrieve a secret from the vault the getSecret method is used passing in the secret identifier.
1 2 3 4 5 6 7 8 9
Authenticate Using ClientId and Certificate
To authenticate using ClientId and Certificate the AuthenticationContext exposes a function acquireTokenWithClientCertificate which takes in the certificate (pem format) and the certificate thumbprint. If you already have a certificate go ahead and use that. If not create a new test certificate as shown below
Create a new AD application and set it to use certificate authentication. Assign the application permissions to access the key vault.
1 2 3 4 5 6 7 8 9 10 11 12
To convert the pvk file into the pem format that is required by adal-node to authenticate with the AD application use the below command.
Using the pem encoded certificate private key, we can authenticate with the vault as shown below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
Using the certificateAuthenticator is the same as using the secretAuthenticator, by passing it to KeyVaultCredentials
1 2 3 4 5 6 7 8
To run the application first run npm install to install all the required packages and then execute the js file using node main.js. It fetches the secret value from the key vault using the certificate or secret authenticator. Hope this helps you to get started with Azure Key Vault from Node.js.