Azure Keyvault Secrets & NodeJS : A security practice

Praddyum Verma
5 min read · Jul 30, 2022

If you recently discovered that putting your secrets (API keys, usernames, passwords, hostnames and so on) directly into your source code is considered bad practice, or if you were not yet aware of it, then: “Surprise”.

Yes, if your code contains lines like these (the actual credential values written into the code):

const { Pool } = require('pg'); // node-postgres

// Every value below is a live credential committed with the source: this is the mistake
const pool = new Pool({
  user: 'john_doe',
  host: 'john.secure.com',
  database: 'transac_history',
  password: 'J0hN_D03',
  port: 1337,
  ssl: true
});

Now add a version control system (and who doesn't use one) and your epic mistake is engraved permanently in the repository history for upcoming generations to cherish and to exploit your application with. Deleting the line in a later commit does not remove it from the history; once a secret has been committed it has to be rotated.

It is a very beginner-level mistake, but if not acknowledged it can become a habit. In this article we will look at ways to avoid it.

The .env way

This is the recommended approach during the development phase of a project. We create a .env file (a plain text file), declare all credentials in it, and read them from there in our code. The important point is that the .env file must never be uploaded anywhere: each developer keeps their own .env file only on their local machine. Enough reading, let's do it in NodeJS.

Step 1: In your empty NodeJS working directory install the dotenv package

npm i dotenv

Step 2: Create a .env file in your project directory and declare a variable in it (one KEY=VALUE per line)

Step 3: In the file where you want to read the variable (in this case index.js), load dotenv and read the variable through process.env.

require('dotenv').config(); // loads .env into process.env; variables already set in the environment are not overwritten
let pass = process.env.VARIABLE_NAME; // replace VARIABLE_NAME with the name you declared in .env
console.log(pass); // only to verify the setup; never log secret values in real code

Step 4: Run the code and check

Step 5 (most important): If you are using a version control system, make sure .env is listed in .gitignore. Add the following entry to the .gitignore file

# dotenv environment variables file
.env

That is how we do it in the development environment. In production we need a mechanism that delivers the secrets to the application at runtime, so that nothing has to be hard-coded in the source. One such option is Azure Key Vault.

Integrating Azure Key-vault in our code

Think of Azure Key Vault as an actual vault that gives your applications hassle-free and secure access to your secrets at runtime.
Let's see how to implement it.

Step 1: In your Node project install the packages @azure/identity and @azure/keyvault-secrets

npm i @azure/identity @azure/keyvault-secrets

Step 2: Download and install the Azure CLI (standard procedure)

Step 3: Once the Azure CLI is installed, open a terminal and run az login; it opens your browser. Log in with your Azure account credentials (create an Azure account first if you do not have one).

Step 4: In the Azure portal create a Key Vault resource.

Step 5: Under Access policies, add your own account (if it is not already there) with permission to read secrets. Locally, DefaultAzureCredential uses the az login session, so it is your account that needs the Get permission on secrets.

Step 6: Create your secret, i.e. add the variable name and its value.

Step 7: Add the code that fetches the secret

const az_identity = require('@azure/identity');
const az_kv = require('@azure/keyvault-secrets');

// DefaultAzureCredential uses the az login session on your machine and the
// managed identity when the code runs on App Service.
const credential = new az_identity.DefaultAzureCredential();
const client = new az_kv.SecretClient('{keyvaulturl}', credential);

var db_pass = '';
const getkeyvault = async () => {
  // getSecret() resolves to a KeyVaultSecret object; the secret string is its .value
  db_pass = (await client.getSecret('var1')).value;
};
getkeyvault().then(() => {
  console.log(db_pass); // only to verify the setup; never log secret values in real code
});

To get the vault URL, open the Overview page of your Key Vault; it has the form https://<vault-name>.vault.azure.net/

Step 8: Run the code and check if it’s working.

Azure app service

Azure App Service is where we deploy the Node app. We can push the same code as above, but by default it will fail to fetch the Key Vault secrets: on App Service there is no az login session for DefaultAzureCredential to use. To solve this we use a managed identity. Let's see how.

1. Create a new app service on Azure

2. Deploy your code to app service

3. Enable App service logs

4. Error we will see

When you send an API request you will be greeted with

Error: our App Service is not able to authenticate to Key Vault

Looks like auth issues :)

5. What is Managed identity and how to enable that

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials. (From the Azure documentation on managed identities.)

Let's enable a system-assigned identity for our App Service

Enable System Assigned Managed Identity

It will give you an Object (principal) ID; keep a note of it.

6. Access Policy in Keyvault

In your Key Vault, add the application (by its Object ID) to the access policies

Adding application to access policy of keyvault
Grant the application the Get permission on secrets. That is all this code needs; do not also grant List, Set or Delete.

7. The output we wanted

Able to retrieve secret

Note: I added the App Service part a week later and created a new Key Vault for it, so the secret value shown is different.

Recommended Resources

  1. Managed Identity

With this we come to the end of this blog. I hope you have learned something new and will apply it to your day-to-day development. If you have any suggestions, do let me know in the comments. If you liked the blog, do show your appreciation with a clap, because in the end


Praddyum Verma

A very enthusiastic and learning behavior with a mentality of over-promising and over-delivering having experience working as freelance.