This quickstart shows how to store a secret in Key Vault and how to retrieve it from a web app. The web app can run locally or in Azure. The quickstart uses Node.js and Managed Service Identity (MSI), so the app authenticates to Key Vault without any credentials in its code or configuration.
[!div class="checklist"]
- Create a Key Vault.
- Store a secret in Key Vault.
- Retrieve a secret from Key Vault.
- Create an Azure Web Application.
- Enable managed service identities.
- Grant the web application the minimum permission it needs to read a secret from Key Vault.
Before you proceed, make sure that you are familiar with the basic concepts and have the following:
- Node.js
- Git
- Azure CLI 2.0.4 or later
- An Azure subscription. If you don't have an Azure subscription, create a free account before you begin.
To log in to Azure using the CLI, you can type:
az login
Create a resource group with the az group create command. An Azure resource group is a logical container into which Azure resources are deployed and managed.
Choose a resource group name and use it in place of the placeholder. The following example creates a resource group named <YourResourceGroupName> in the East US location.
# To list locations: az account list-locations --output table
az group create --name "<YourResourceGroupName>" --location "East US"
The resource group you just created is used throughout this tutorial.
Next you create a Key Vault using the resource group created in the previous step. Although “ContosoKeyVault” is used as the name for the Key Vault throughout this article, you have to use a unique name. Provide the following information:
- Vault name - Select a Key Vault Name here.
- Resource group name - Select a Resource Group Name here.
- The location - East US.
az keyvault create --name "<YourKeyVaultName>" --resource-group "<YourResourceGroupName>" --location "East US"
At this point, your Azure account is the only one authorized to perform any operations on this new vault.
We're adding a secret to illustrate how this works. In practice you would store a SQL connection string or any other value that must be kept secure but made available to your application. In this tutorial, the secret is called AppSecret and holds the value MySecret.
Type the command below to create a secret in Key Vault called AppSecret that stores the value MySecret:
az keyvault secret set --vault-name "<YourKeyVaultName>" --name "AppSecret" --value "MySecret"
To view the secret, including its value as plain text (the value is written to your terminal and shell history, so treat that output as sensitive):
az keyvault secret show --name "AppSecret" --vault-name "<YourKeyVaultName>"
This command shows the secret's metadata including its URI, which is the id field of the output (https://<YourKeyVaultName>.vault.azure.net/secrets/AppSecret/<version>). After completing these steps, you have a URI to a secret in an Azure Key Vault. Write it down; you need it in a later step.
Clone the repo in order to make a local copy for you to edit the source by running the following command:
git clone https://github.com/Azure-Samples/key-vault-node-quickstart.git
Next, install the dependencies by running the following commands:
cd key-vault-node-quickstart
npm install
This project uses two Node modules:
Below are the steps needed to create the web app.
- The first step is to create an Azure App Service plan. A plan can host multiple web apps. Use the resource group created earlier:
az appservice plan create --name myAppServicePlan --resource-group "<YourResourceGroupName>"
- Next, create a web app. In the following example, replace <app_name> with a globally unique app name (valid characters are a-z, 0-9, and -). The runtime is set to NODE|6.9 as in the original sample; Node.js 6 is out of support, so run az webapp list-runtimes to see the currently supported runtimes and choose a current one.
# Bash
az webapp create --resource-group "<YourResourceGroupName>" --plan myAppServicePlan --name <app_name> --runtime "NODE|6.9" --deployment-local-git
# PowerShell
az --% webapp create --resource-group "<YourResourceGroupName>" --plan myAppServicePlan --name <app_name> --runtime "NODE|6.9" --deployment-local-git
When the web app has been created, the Azure CLI shows output similar to the following example:
{
  "availabilityState": "Normal",
  "clientAffinityEnabled": true,
  "clientCertEnabled": false,
  "cloningInfo": null,
  "containerSize": 0,
  "dailyMemoryTimeQuota": 0,
  "defaultHostName": "<app_name>.azurewebsites.net",
  "enabled": true,
  "deploymentLocalGitUrl": "https://<username>@<app_name>.scm.azurewebsites.net/<app_name>.git"
  < JSON data removed for brevity. >
}
Browse to your newly created web app and you should see a functioning placeholder site. Replace <app_name> with your app name.
http://<app_name>.azurewebsites.net
The --deployment-local-git option also configures the app for deployment from your local Git repository. The remote URL is the deploymentLocalGitUrl value in the output above, in the form https://<username>@<app_name>.scm.azurewebsites.net/<app_name>.git.
- Create a deployment user and add the Azure remote. Pushing to the app's Git endpoint uses your account's deployment credentials; if you have not set them yet, configure a deployment user first (az webapp deployment user set). Then add an Azure remote to your local clone, replacing <url> with the deploymentLocalGitUrl value you got when you created the app:
git remote add azure <url>
Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them. Managed Service Identity (MSI) makes solving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code.
Run the following command to create a system-assigned managed identity for this application:
az webapp identity assign --name <app_name> --resource-group "<YourResourceGroupName>"
This command is equivalent to switching Managed service identity to On in the web app's properties in the portal.
Write down or copy the output of the command above. It should be in the format:
{
"principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"type": "SystemAssigned"
}
Then, run this command using the name of your Key Vault and the principalId value copied from above. It grants the identity only the get permission on secrets, which is all the application needs to read AppSecret; do not grant list, set, or delete. (If your vault was created with the RBAC permission model instead of access policies, set-policy does not apply; assign the built-in Key Vault Secrets User role to the principalId instead.)
az keyvault set-policy --name '<YourKeyVaultName>' --object-id <PrincipalId> --secret-permissions get
Now that everything is set up, run the following command to deploy the app to Azure:
git push azure master
When you then browse to https://<app_name>.azurewebsites.net, the page shows the secret value. Make sure that you replaced the vault name in the sample's source with your own vault name before pushing. Rendering a secret in a web page is for demonstration only; a real application would use the value (for example, as a connection string) without ever displaying it.
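As an added example (not code from the Azure-Samples repository this quickstart clones), the following Node.js module does what the sample does without an SDK: it asks the App Service managed identity endpoint for a token for the Key Vault resource, then calls the Key Vault REST API for the secret with that bearer token. Assumptions not on the original page: Node.js 18 or later (for the global fetch), the vault name supplied in a KEY_VAULT_NAME environment variable, the App Service identity environment variables (IDENTITY_ENDPOINT and IDENTITY_HEADER, or the older MSI_ENDPOINT and MSI_SECRET pair), and Key Vault REST API version 7.4. The secret name AppSecret is the one created above. The HTTP function is injectable so the flow can be exercised with canned responses.

```javascript
'use strict';
// Added example, not the Azure-Samples quickstart code: read a Key Vault secret
// from an App Service web app through its managed identity, using only the
// identity token endpoint and the Key Vault REST API (no SDK).
// Assumptions (not on the original page): Node.js 18+ (global fetch), vault
// name in KEY_VAULT_NAME, secret named AppSecret, Key Vault REST API 7.4.

const KEY_VAULT_RESOURCE = 'https://vault.azure.net';

// App Service injects the token endpoint and a per-app header value into the
// process environment. Newer instances set IDENTITY_ENDPOINT/IDENTITY_HEADER;
// older ones set MSI_ENDPOINT/MSI_SECRET. Either pair is accepted here.
function buildTokenRequest(env, resource = KEY_VAULT_RESOURCE) {
  if (env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER) {
    const url = new URL(env.IDENTITY_ENDPOINT);
    url.searchParams.set('resource', resource);
    url.searchParams.set('api-version', '2019-08-01');
    return { url: url.toString(), headers: { 'X-IDENTITY-HEADER': env.IDENTITY_HEADER } };
  }
  if (env.MSI_ENDPOINT && env.MSI_SECRET) {
    const url = new URL(env.MSI_ENDPOINT);
    url.searchParams.set('resource', resource);
    url.searchParams.set('api-version', '2017-09-01');
    return { url: url.toString(), headers: { secret: env.MSI_SECRET } };
  }
  throw new Error('managed identity endpoint not found; is the identity enabled on this web app?');
}

// Key Vault secret identifier: https://<vault>.vault.azure.net/secrets/<name>[/<version>]
function secretUrl(vaultName, secretName, version) {
  let path = `/secrets/${encodeURIComponent(secretName)}`;
  if (version) path += `/${encodeURIComponent(version)}`;
  const url = new URL(path, `https://${vaultName}.vault.azure.net`);
  url.searchParams.set('api-version', '7.4');
  return url.toString();
}

// fetchImpl is injectable so the flow can be exercised without a live endpoint.
async function getSecret(env, vaultName, secretName, fetchImpl = fetch) {
  const tokenReq = buildTokenRequest(env);
  const tokenRes = await fetchImpl(tokenReq.url, { headers: tokenReq.headers });
  if (!tokenRes.ok) throw new Error(`token request failed: HTTP ${tokenRes.status}`);
  const { access_token: token } = await tokenRes.json();
  if (!token) throw new Error('token response did not contain access_token');

  const res = await fetchImpl(secretUrl(vaultName, secretName), {
    headers: { Authorization: `Bearer ${token}` },
  });
  // 403 is what you get when the identity exists but the vault does not grant it "get".
  if (res.status === 403) throw new Error('Key Vault returned 403: grant the identity the "get" secret permission');
  if (!res.ok) throw new Error(`Key Vault request failed: HTTP ${res.status}`);
  const body = await res.json();
  return { id: body.id, value: body.value };
}

// Minimal web front end. It deliberately reports only the secret identifier and
// length; rendering the value itself is acceptable for a demo but not for a real app.
function startServer(port, vaultName) {
  const http = require('node:http');
  return http.createServer(async (req, res) => {
    try {
      const secret = await getSecret(process.env, vaultName, 'AppSecret');
      res.writeHead(200, { 'Content-Type': 'text/plain' });
      res.end(`Retrieved ${secret.id} (${secret.value.length} characters)\n`);
    } catch (err) {
      res.writeHead(500, { 'Content-Type': 'text/plain' });
      res.end(`Could not read secret: ${err.message}\n`);
    }
  }).listen(port);
}

// Only start listening when deployed (App Service sets PORT) and configured.
if (process.env.PORT && process.env.KEY_VAULT_NAME) {
  startServer(Number(process.env.PORT), process.env.KEY_VAULT_NAME);
}
```

Deployed to the web app with KEY_VAULT_NAME set as an app setting, the module listens on the port App Service provides. A 403 from Key Vault means the identity exists but the vault does not grant it get on secrets, which is exactly what you see if the set-policy step is skipped; a missing identity endpoint means the identity was never assigned.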
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.