fix(azure-key-vault-driver): 🐛 Fixed encoding/decoding, Updated docs

unjs · Sep 22, 2023 · 916e551 · 916e551
1 parent 7b2ca8d
commit 916e551
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/docs/content/6.drivers/azure-key-vault.md b/docs/content/6.drivers/azure-key-vault.md
@@ -5,6 +5,8 @@ Store data in a Azure Key Vault [secrets](https://docs.microsoft.com/en-us/azure
 This driver stores KV information in Azure Key Vault secrets by using the key as secret id and the value as secret content.
 Please be aware that key vault secrets don't have the fastest access time and are not designed for high throughput. You also have to disable purge protection for your key vault to be able to delete secrets. This implementation deletes and purges a secret when it is deleted to avoid conflicts with soft delete.
 
+⚠️ Be aware that this driver stores the keys of your key:value pairs in a encoded way in Key Vault to avoid conflicts with naming requirements for secrets. This means that you will not be able to access manually (outside of unstorage) created secrets inside your Key Vault, as long as they are not encoded in the same way.
+
 To use it, you will need to install `@azure/keyvault-secrets` and `@azure/identity` in your project:
 
 ```bash
@@ -30,7 +32,7 @@ The driver supports the following authentication methods:
 
 - **`DefaultAzureCredential`**: This is the recommended way to authenticate. It will use managed identity or environment variables to authenticate the request. It will also work in a local environment by trying to use Azure CLI or Azure PowerShell to authenticate.
 
-  ⚠️ Make sure that your Managed Identity or personal account has either the `Key Vault Secrets Officer` RBAC role assigned or is a member of an access policy that grants `Get`, `List`, `Set`, `Delete` and `Purge` secret permissions.
+⚠️ Make sure that your Managed Identity or personal account has either the `Key Vault Secrets Officer` (or `Key Vault Secrets User` for read-only) RBAC role assigned or is a member of an access policy that grants `Get`, `List`, `Set`, `Delete` and `Purge` secret permissions.
 
 **Options:**
 

diff --git a/src/drivers/azure-key-vault.ts b/src/drivers/azure-key-vault.ts
@@ -107,9 +107,9 @@ export default defineDriver((opts: AzureKeyVaultOptions) => {
 });
 
 const base64Map: { [key: string]: string } = {
-  "=": "e",
-  "+": "p",
-  "/": "s",
+  "=": "-e-",
+  "+": "-p-",
+  "/": "-s-",
 };
 
 function encode(value: string): string {