@guestlinelabs/peek-a-vault

peek-a-vault

A small library to retreive secrets from different Key Vaults on App Services using MSI authentication.

It will provide a fallback to read secrets from environment variables when working on local.

Installation

npm install @guestlinelabs/peek-a-vault

Support

Only Node 8+.

Example

The library will return a function that you use to initialise the client, given a set of Key Vault namespaces.

import { createClient } from '@guestlinelabs/peek-a-vault';

// or const getSecret = createClient<'NS1' | 'NS2', 'STORAGE_KEY' | 'SENDGRID_KEY'>({
const getSecret = createClient({
  // [OPTIONAL] A function that will return a promise with your own Key Vault client. By default it will use a KV client authenticating with MSI.
  client: async () => keyVaultClient;
  // [OPTIONAL] To cache by default all retreivals of secrets.
  useCache: false,
  // [OPTIONAL] To use key vault client or read from process.env.
  useVault: Boolean(process.env.APPSETTING_WEBSITE_SITE_NAME),
  // List of namespaces with the KeyVault url associated.
  urls: {
    NS1: 'https://ns1.vault.azure.net',
    NS2: 'https://ns1.vault.azure.net',
  },
});

async function main() {
  // In local environment it will retrieve NS1_STORAGE_KEY from process.env variables
  // Inside a WebApp it will retrieve STORAGE-KEY from the NS1 keyvault
  const storageClient = new StorageClient(
    await getSecret('NS1', 'STORAGE_KEY')
  );
  // In local environment it will retrieve NS2_SENDGRID_KEY from process.env variables
  // Inside a WebApp it will retrieve SENDGRID-KEY from the NS1 keyvault
  // The third parameter will explicitly tell if we want to use the cache or not on this particular call.
  const emailClient = new EmailClient(await getSecret('NS2', 'SENDGRID_KEY', false));
}