
Access Key Vault from functions using MSI


Hi, I’d like to know if it’s possible to access the Azure Key Vault from functions using MSI (Managed Service Identity). This C# example worked for me but so far I had no luck with Node.

I was able to get the MSI token via ms-rest-azure.MSIAppServiceTokenCredentials within my function but I’m not sure if azure-keyvault accepts this token as credential for fetching the secrets from the Key Vault.

If that is not possible yet, are there any plans to add this feature in near future?

Thanks a lot!

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 7 (4 by maintainers)

Top GitHub Comments

1 reaction
jbonet07 commented, Jul 15, 2019

using azure-keyvault@3.0.4 and ms-rest-azure@3.0.0

Hi, I tried to use MSI to access Key Vault following the https://github.com/Azure-Samples/app-service-msi-keyvault-node example, but when I pass the credentials that I get from loginWithAppServiceMSI to the KeyVaultClient I keep getting this error (the credentials object that I get is MSIAppServiceTokenCredentials):

image

I even tried to use the loginWithUsernamePassword method in order to get a UserTokenCredentials but I keep getting the same error.

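```javascript
const msRestAzure = require('ms-rest-azure');
const KeyVault = require('azure-keyvault');

// Request an MSI token scoped to the Key Vault resource.
function getKeyVaultCredentials() {
    return msRestAzure.loginWithAppServiceMSI({resource: 'https://vault.azure.net'});
}

// Fetch the secret named 'secret'; the empty version string selects the latest version.
// vaultUri is not shown in the post.
function getKeyVaultSecret(credentials) {
    let keyVaultClient = new KeyVault.KeyVaultClient(credentials);
    return keyVaultClient.getSecret(vaultUri, 'secret', "");
}

await getKeyVaultCredentials().then(
    getKeyVaultSecret
).then(function (secret){
    console.log(`Your secret value is: ${secret.value}.`);
}).catch(function (err) {
    throw (err);
});
```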
0 reactions
amarzavery commented, Jul 15, 2019
  • ms-rest is the runtime package that is responsible for making requests on the wire.
  • ms-rest-azure is the runtime for Azure specific stuff (authentication, polling asynchronous operations, etc.)
  • azure-keyvault depends on ms-rest-azure which depends on ms-rest. As you can see azure-keyvault@3.0.4 brings with it ms-rest-azure@2.6.0 which brings with it ms-rest@2.5.3. So what is happening is:

When you require("ms-rest-azure") in your app it is using 3.0.0 version of it. azure-keyvault internally uses 2.6.0 version of it to convert MSIAppServiceTokenCredentials to KeyvaultClientCredentials. When it does the instanceof check it has the MSITokenCredentials from the 2.6.0 version whereas in your app you have it from the 3.0.0 version which are different instances. Hence the instanceof check fails. Thus the error…

So, why do you have top level ms-rest-azure@3.0.0? Why do you need to have an explicit dependency on 3.0.0 version of ms-rest-azure? Can you remove that from your package.json, delete the node_modules folder and the package-lock.json file and execute npm i again from the root folder of your app? I am sure the problem will go away.
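
The failure mode described in the comment above, as an added example that is not part of the original thread or of either Azure package: `loadPackageCopy` is a hypothetical stand-in for Node loading the same package from two `node_modules` paths, and `sampleLock` is a constructed `package-lock.json` (lockfileVersion 1) fragment using the versions quoted in the thread. `findDuplicates` reports every package installed at more than one version, which is the condition that makes a cross-package `instanceof` check on a credentials object fail.

```javascript
'use strict';

// Stand-in for Node loading one package from two node_modules paths:
// every call evaluates the class body again, yielding a distinct constructor.
function loadPackageCopy(version) {
  class MSITokenCredentials {}
  MSITokenCredentials.version = version;
  return { MSITokenCredentials };
}

// Walk a package-lock.json (lockfileVersion 1) tree and collect every
// installed version of each package, with the package it is nested under.
function collectVersions(node, path = [], seen = new Map()) {
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push({ version: info.version, via: path.join(' > ') || '(top level)' });
    collectVersions(info, [...path, name], seen);
  }
  return seen;
}

// Keep only packages present at more than one distinct version.
function findDuplicates(lock) {
  const dupes = {};
  for (const [name, copies] of collectVersions(lock)) {
    if (new Set(copies.map((c) => c.version)).size > 1) dupes[name] = copies;
  }
  return dupes;
}

// Constructed lockfile fragment using the versions quoted in the thread.
const sampleLock = {
  dependencies: {
    'ms-rest-azure': { version: '3.0.0' },
    'azure-keyvault': {
      version: '3.0.4',
      dependencies: {
        'ms-rest-azure': { version: '2.6.0' },
        'ms-rest': { version: '2.5.3' },
      },
    },
  },
};

const appCopy = loadPackageCopy('3.0.0'); // what require() in the app resolves to
const libCopy = loadPackageCopy('2.6.0'); // what azure-keyvault resolves internally
const credentials = new appCopy.MSITokenCredentials();
console.log('instanceof across copies:', credentials instanceof libCopy.MSITokenCredentials);
console.log(JSON.stringify(findDuplicates(sampleLock), null, 2));
```

Running the same walk over a real `package-lock.json` in CI flags a split authentication runtime before it surfaces as a credentials error at deploy time.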
