Skip to content
/ azure-secrets-to-environment Public

This project accesses a secrets key vault and assigns the keys to environment variables.

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

HarperDB/azure-secrets-to-environment

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
config.yaml
config.yaml
 
 
extension.js
extension.js
 
 
legacy.js
legacy.js
 
 
package.json
package.json
 
 

Repository files navigation

Azure secrets-to-environment

This project is a Protocol Extension that accesses an Azure key vault and assigns the keys to environment variables.

Installation

Install this package in your Harper application: npm install --save @harperdb/azure-secrets-to-environment

Configuration

After installation, add the extension (@harperdb/azure-secrets-to-environment) into your application's config.yaml file. This component must be listed above any components that will access the environment variables.

'@harperdb/azure-secrets-to-environment':
  package: '@harperdb/azure-secrets-to-environment'
'@harperdb/http-router':
  package: '@harperdb/http-router'
  files: '*.*js' # to load the routes.js and config files
'@harperdb/nextjs':
  package: '@harperdb/nextjs'
  files: '/*'

There are 2 ways to provide this extension with the credentials needed to access your Azure vault, depending on the managedCredentials: boolean configuration option:

1. Using environment variables (managedCredentials: false (default))

The following environment variables (i.e. through process.env) must be accessible to your deployed component:

  • AZURE_VAULT_NAME - (required) Name of the Azure Key Vault holding the secrets
  • AZURE_TENANT_ID - (required) Tenant ID of the Azure Subscription
  • AZURE_CLIENT_ID - (required) Client ID of the application registration
  • AZURE_CLIENT_SECRET - (required) Client Secret of the application registration
  • SECRETS_LIST - (optional) Comma seperated list of secrets to access from the vault

2. Using a dotfile (managedCredentials: true)

When you do not want to deploy your credentials with your component code, you can set managedCredentials to true, and the credentials (i.e. AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET) will be securely pulled from within the deployed environment.

For this to work, your deployed component must have access to dotfile containing:

  • AZURE_VAULT_NAME - (required) Name of the Azure Key Vault holding the secrets
  • SECRETS_LIST - (optional) Comma seperated list of secrets to access from the vault

In order for your extension to access the dotfile, you must also set the files property in your config.yaml with the path to the dotfile

'@harperdb/azure-secrets-to-environment':
  package: '@harperdb/azure-secrets-to-environment'
  managedCredentials: true
  files: '/path/to/.dotfile'
'@harperdb/http-router':
  package: '@harperdb/http-router'
  files: '*.*js' # to load the routes.js and config files
'@harperdb/nextjs':
  package: '@harperdb/nextjs'
  files: '/*'

Managed Credentials

To prevent the storage/exposure of credentials in your deployed component code, the credentials can be "managed" outside of the component scope. Currently, the host machine of the harperdb container will inject an AZURE_VAULT_MAP as environment variable which will allow remote deployments to require just the AZURE_VAULT_NAME

About

This project accesses a secrets key vault and assigns the keys to environment variables.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

3 tags

Packages

No packages published

Contributors 2

  •  
  •  

Languages