
Access Azure App Configuration Settings that Reference Key Vault in nodejs


For an Azure function, running on Linux, using Node.js runtime v14,
I want to read app configuration using @azure/app-configuration,
when some config values are cleartext, but others are connection strings to keyvault.

My colleague, writing in C#, is using the ConfigureKeyVault method on AzureAppConfigurationOptions to configure the Azure App Configuration SDK to automatically parse, fetch, and decode secrets from their connection strings.

I'd like to do the same in nodejs, but did not find a similar method in the API docs.

Will I have to do something like this?

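async function getConfig(key: string): Promise<string> {
  // getConfigurationSetting resolves to a setting object; the string is in .value
  const setting = await appConfigurationClient.getConfigurationSetting({ key });
  const maybeConnectionString = setting.value ?? '';
  if (maybeConnectionString.startsWith('@Microsoft.KeyVault')) {
    // getSecret resolves to a KeyVaultSecret; the secret string is in .value
    const secret = await keyVaultClient.getSecret(maybeConnectionString);
    return secret.value ?? '';
  }
  return maybeConnectionString;
}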

Solution

  • Benny Powers, yes, you are right. To use a Key Vault reference in Node.js, you will have to fetch the key-value, parse the value for the secret identifier, and then retrieve the actual secret from the Key Vault. This has been implemented as part of the .NET config provider as you mentioned, but you will have to do this if you are using the JS SDK.

    In terms of implementation, you should first check whether the key-value has a content-type of application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8. If so, it means this key-value is a Key Vault reference. Then you can parse the value. The value is in JSON format, something like {"uri":"https://xxxxxx.vault.azure.net/secrets/....."}. What the uri points to is the secret identifier. Once you have the secret identifier, you can fetch the actual secret by using the Key Vault client like you did.
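
The check-then-parse flow described in the answer, as an added example that is not part of the original answer or of the Azure SDK. The function names, the injected fetchSecret callback, the vault-host allowlist and the sample settings are assumptions made for illustration.

```javascript
// Added example: the names below are illustrative, not Azure SDK exports.
const KEYVAULT_REF_CONTENT_TYPE =
  'application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8';

// Returns { vaultUrl, name, version } for a Key Vault reference, or null for a
// plain setting. allowedVaultHosts is an assumed allowlist: the uri is
// configuration data, so only vaults this app is meant to read are accepted.
function parseKeyVaultReference(setting, allowedVaultHosts) {
  const contentType = (setting.contentType || '').replace(/\s+/g, '').toLowerCase();
  if (contentType !== KEYVAULT_REF_CONTENT_TYPE) return null;

  let uri;
  try {
    uri = new URL(JSON.parse(setting.value).uri);
  } catch (err) {
    throw new Error(`Setting "${setting.key}" is not a valid Key Vault reference`);
  }
  if (uri.protocol !== 'https:' || !allowedVaultHosts.includes(uri.hostname)) {
    throw new Error(`Setting "${setting.key}" points at an unexpected vault: ${uri.host}`);
  }
  // Secret identifier path: /secrets/<name>[/<version>]
  const [collection, name, version] = uri.pathname.split('/').filter(Boolean);
  if (collection !== 'secrets' || !name) {
    throw new Error(`Setting "${setting.key}" is not a secret identifier`);
  }
  return { vaultUrl: uri.origin, name, version };
}

// fetchSecret(ref) is injected so the flow can run offline. With
// @azure/keyvault-secrets it would wrap something like:
//   new SecretClient(ref.vaultUrl, credential).getSecret(ref.name, { version: ref.version })
async function resolveSetting(setting, allowedVaultHosts, fetchSecret) {
  const ref = parseKeyVaultReference(setting, allowedVaultHosts);
  return ref ? fetchSecret(ref) : setting.value;
}

// Constructed sample settings (same shape as a fetched key-value).
const plainSetting = { key: 'greeting', value: 'hello', contentType: '' };
const secretSetting = {
  key: 'db-password',
  contentType: KEYVAULT_REF_CONTENT_TYPE,
  value: '{"uri":"https://example-vault.vault.azure.net/secrets/db-password/0123abcd"}',
};
```

Plain settings pass through unchanged, and a reference whose host is not on the allowlist is rejected before any request to Key Vault is made.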