I'm trying to retrieve some secrets from Azure Key Vault, but I cannot seem to authenticate using the `@azure/identity` module.

Versions:

```json
"@azure/identity": "^1.0.0-preview.6",
"@azure/keyvault-secrets": "^4.0.0-preview.9",
```

When I try to get the token:
```typescript
import { KeyVaultSecret, SecretClient } from '@azure/keyvault-secrets';
import { EnvironmentCredential } from '@azure/identity';

export const GetSecret = async (key: string): Promise<string> => {
  try {
    // EnvironmentCredential reads the service principal from environment variables
    const credential: EnvironmentCredential = new EnvironmentCredential();
    const token = await credential.getToken('openid');
    console.log(token);
    console.log('CREDENTIAL: ', credential);
    // Debug output only: this prints the raw client secret to the console
    console.log('CLIENT SECRET', process.env.AZURE_CLIENT_SECRET);
    console.log('CLIENT ID', process.env.AZURE_CLIENT_ID);
    return 'test';
  } catch (err) {
    console.error('Error getting secret from Azure Vault', err);
    throw err;
  }
};
```
Console result:

```text
CREDENTIAL: DefaultAzureCredential {
[10/28/2019 2:39:27 PM] _sources:
[10/28/2019 2:39:27 PM] [ EnvironmentCredential { _credential: undefined },
[10/28/2019 2:39:27 PM] ManagedIdentityCredential {
[10/28/2019 2:39:27 PM] isEndpointUnavailable: null,
[10/28/2019 2:39:27 PM] identityClient: [IdentityClient] } ] }
```
Have you set the appropriate environment variables for CLIENT_SECRET and CLIENT_ID?

The `EnvironmentCredential()` class expects you to have these variables configured. Typically, you would create a service principal (SP) for your application to use. You can then apply RBAC to this service principal, for example by assigning the Reader role or the Key Vault Contributor role to the SP.

If you don't want to go this route, take a look at SAS tokens instead:
https://learn.microsoft.com/en-us/azure/key-vault/key-vault-ovw-storage-keys
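As an added example (not code from the question or the answer), a preflight check for the variables `EnvironmentCredential` reads for a client-secret service principal: AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET. It reports which ones are unset and builds a redacted view that can be logged in place of the raw secret the question's debug code prints; the sample environment and vault URL are constructed, and it deliberately does not import the `@azure` packages so it runs stand-alone.

```typescript
// Variables that @azure/identity's EnvironmentCredential reads when the
// service principal authenticates with a client secret.
const REQUIRED_ENV_VARS = ['AZURE_TENANT_ID', 'AZURE_CLIENT_ID', 'AZURE_CLIENT_SECRET'] as const;

type EnvLike = Record<string, string | undefined>;

interface CredentialPreflight {
  ok: boolean;
  missing: string[];                 // names that are unset or blank
  redacted: Record<string, string>;  // values masked so they are safe to log
}

// Mask a value so a log line proves it is set without leaking it: the
// client id (not a secret) keeps a 4-char prefix, the secret only its length.
const redact = (name: string, value: string): string => {
  if (name === 'AZURE_CLIENT_SECRET') {
    return `<set, ${value.length} chars>`;
  }
  return value.length <= 4 ? '****' : `${value.slice(0, 4)}...`;
};

// Checks the environment before constructing a credential, so a missing
// variable surfaces as a clear message instead of an opaque token error.
const preflightEnvironmentCredential = (env: EnvLike): CredentialPreflight => {
  const missing: string[] = [];
  const redacted: Record<string, string> = {};
  for (const name of REQUIRED_ENV_VARS) {
    const raw = env[name];
    const value = raw ? raw.trim() : '';
    if (!value) {
      missing.push(name);
      redacted[name] = '<missing>';
    } else {
      redacted[name] = redact(name, value);
    }
  }
  return { ok: missing.length === 0, missing, redacted };
};

// Public-cloud Key Vault data-plane URLs look like https://<vault-name>.vault.azure.net
const isKeyVaultUrl = (url: string): boolean =>
  /^https:\/\/[a-z0-9-]{3,24}\.vault\.azure\.net\/?$/i.test(url);

// Constructed sample environment: tenant id deliberately left out.
const demoEnv: EnvLike = {
  AZURE_CLIENT_ID: '11111111-2222-3333-4444-555555555555',
  AZURE_CLIENT_SECRET: 'constructed-dummy-secret',
};
console.log(preflightEnvironmentCredential(demoEnv), isKeyVaultUrl('https://my-vault.vault.azure.net'));
```

Run the check against `process.env` before `new EnvironmentCredential()` and log only `redacted`, never the secret itself.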