A small library to retreive secrets from different Key Vaults on App Services using MSI authentication.
It will provide a fallback to read secrets from environment variables when working on local.
npm install @guestlinelabs/peek-a-vault
Only Node 8+.
The library will return a function that you use to initialise the client, given a set of Key Vault namespaces.
import { createClient } from '@guestlinelabs/peek-a-vault';
// or const getSecret = createClient<'NS1' | 'NS2', 'STORAGE_KEY' | 'SENDGRID_KEY'>({
const getSecret = createClient({
// [OPTIONAL] A function that will return a promise with your own Key Vault client. By default it will use a KV client authenticating with MSI.
client: async () => keyVaultClient;
// [OPTIONAL] To cache by default all retreivals of secrets.
useCache: false,
// [OPTIONAL] To use key vault client or read from process.env.
useVault: Boolean(process.env.APPSETTING_WEBSITE_SITE_NAME),
// List of namespaces with the KeyVault url associated.
urls: {
NS1: 'https://ns1.vault.azure.net',
NS2: 'https://ns1.vault.azure.net',
},
});
async function main() {
// In local environment it will retrieve NS1_STORAGE_KEY from process.env variables
// Inside a WebApp it will retrieve STORAGE-KEY from the NS1 keyvault
const storageClient = new StorageClient(
await getSecret('NS1', 'STORAGE_KEY')
);
// In local environment it will retrieve NS2_SENDGRID_KEY from process.env variables
// Inside a WebApp it will retrieve SENDGRID-KEY from the NS1 keyvault
// The third parameter will explicitly tell if we want to use the cache or not on this particular call.
const emailClient = new EmailClient(await getSecret('NS2', 'SENDGRID_KEY', false));
}