Quickstart: Set and retrieve a secret from Azure Key Vault using a Node Web App (App Service)

This quickstart shows how to store a secret in Key Vault and how to retrieve it from a web app. The web app runs on Azure App Service, so you can see it work on Azure. The quickstart uses Node.js and managed service identities (MSIs). You will:

  • Create a Key Vault.
  • Store a secret in Key Vault.
  • Retrieve a secret from Key Vault.
  • Create an Azure Web Application.
  • Enable managed service identities.
  • Grant the required permissions for the web application to read data from Key vault.

Before you proceed make sure that you are familiar with the basic concepts.

This sample shows how to perform the following Key Vault secret operations with the Key Vault SDK:

  • Create an HTTP server
  • Create a new secret
  • Get the secret

Use latest Key Vault SDK

The Key Vault secrets SDK used in this repo is @azure/keyvault-secrets. It is strongly recommended that you use the latest version of the Key Vault SDK package; see the following examples:

  • helloworld.ts - Examples for common Key Vault secret tasks:

    • Create a new secret
    • Get the secret
    • Update the secret
    • Delete the secret

Prerequisites

Login to Azure

To log in to Azure using the CLI, you can type:

az login

Create resource group

Create a resource group with the az group create command. An Azure resource group is a logical container into which Azure resources are deployed and managed.

Select a resource group name and fill in the placeholder. The following example creates a resource group in the eastus (East US) location.

# To list locations: az account list-locations --output table
az group create --name "<YourResourceGroupName>" --location "East US"

The resource group you just created is used throughout this tutorial.

Create an Azure Key Vault

Next you create a Key Vault using the resource group created in the previous step. Although “ContosoKeyVault” is used as the name for the Key Vault throughout this article, you have to use a unique name. Provide the following information:

  • Vault name - Select a Key Vault name here.
  • Resource group name - Select a resource group name here.
  • The location - East US.

az keyvault create --name "<YourKeyVaultName>" --resource-group "<YourResourceGroupName>" --location "East US"

At this point, your Azure account is the only one authorized to perform any operations on this new vault.

Add a secret to key vault

We're adding a secret to illustrate how this works. You could be storing a SQL connection string or any other information that you need to keep secure but make available to your application. In this tutorial, the secret will be called AppSecret and will store the value MySecret.

Type the commands below to create a secret in Key Vault called AppSecret that will store the value MySecret:

az keyvault secret set --vault-name "<YourKeyVaultName>" --name "AppSecret" --value "MySecret"

To view the value contained in the secret as plain text:

az keyvault secret show --name "AppSecret" --vault-name "<YourKeyVaultName>"

This command shows the secret information including the URI. After completing these steps, you should have a URI to a secret in an Azure Key Vault. Write this information down. You need it in a later step.

Clone the Repo

Clone the repo in order to make a local copy for you to edit the source by running the following command:

git clone https://github.com/Azure-Samples/key-vault-node-getting-started.git

Install dependencies

Here we install the dependencies. Run the following commands:

cd key-vault-node-getting-started
npm install

This project uses 2 node modules:

Publish the web application to Azure

Below are the steps we need to do:

  • The first step is to create an Azure App Service plan. You can host multiple web apps in this plan.

    az appservice plan create --name myAppServicePlan --resource-group myResourceGroup
    
  • Next we create a web app. In the following example, replace <app_name> with a globally unique app name (valid characters are a-z, 0-9, and -). The runtime is set to NODE|6.9. To see all supported runtimes, run az webapp list-runtimes.

    # Bash
    az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name <app_name> --runtime "NODE|6.9" --deployment-local-git
    # PowerShell
    az --% webapp create --resource-group myResourceGroup --plan myAppServicePlan --name <app_name> --runtime "NODE|6.9"
    

    When the web app has been created, the Azure CLI shows output similar to the following example:

    {
      "availabilityState": "Normal",
      "clientAffinityEnabled": true,
      "clientCertEnabled": false,
      "cloningInfo": null,
      "containerSize": 0,
      "dailyMemoryTimeQuota": 0,
      "defaultHostName": "<app_name>.azurewebsites.net",
      "enabled": true,
      "deploymentLocalGitUrl": "https://<username>@<app_name>.scm.azurewebsites.net/<app_name>.git",
      < JSON data removed for brevity. >
    }
    

    Browse to your newly created web app and you should see a functioning web app. Replace <app_name> with a unique app name.

    http://<app_name>.azurewebsites.net
    

    The command above also creates a Git-enabled app, which lets you deploy to Azure from your local Git repository. The local Git remote is configured with a URL of the form 'https://<username>@<app_name>.scm.azurewebsites.net/<app_name>.git'.

  • Create a deployment user. After the previous command has completed, you can add an Azure remote to your local Git repository. Replace <url> with the URL of the Git remote that you got when you enabled Git for your app.

    git remote add azure <url>
    

Enable Managed Service Identity

Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them. Managed Service Identity (MSI) makes solving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code.

Run the assign-identity command to create the identity for this application:

az webapp identity assign --name <app_name> --resource-group "<YourResourceGroupName>"

This command is the equivalent of going to the portal and switching Managed service identity to On in the web application properties.

Assign permissions to your application to read secrets from Key Vault

Write down or copy the output of the command above. It has the following format:

    {
      "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "type": "SystemAssigned"
    }
    

Then run this command, using the name of your Key Vault and the value of principalId copied from above:

az keyvault set-policy --name '<YourKeyVaultName>' --object-id <PrincipalId> --secret-permissions get

Deploy the Node App to Azure and retrieve the secret value

Now that everything is set up, run the following command to deploy the app to Azure:

git push azure master

After the push completes, browse to https://<app_name>.azurewebsites.net and you should see the secret value. Make sure that you replaced the vault name in the source with your own vault name.

Next steps

Contributing

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.