UNPKG

@harperdb/azure-secrets-to-environment

Version:

This project accesses an Azure key vault and assigns the secrets to environment variables.

github.com/HarperDB/azure-secrets-to-environment

HarperDB/azure-secrets-to-environment

63 lines (46 loc) 3.04 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# Azure secrets-to-environment This project is a [Protocol Extension](https://docs.harperdb.io/docs/developers/components/reference#protocol-extension) that accesses an Azure key vault and assigns the keys to environment variables. ## Installation Install this package in your Harper application: `npm install --save @harperdb/azure-secrets-to-environment` ## Configuration After installation, add the extension (`@harperdb/azure-secrets-to-environment`) into your application's `config.yaml` file. This component must be listed above any components that will access the environment variables. ``` '@harperdb/azure-secrets-to-environment': package: '@harperdb/azure-secrets-to-environment' '@harperdb/http-router': package: '@harperdb/http-router' files: '*.*js' # to load the routes.js and config files '@harperdb/nextjs': package: '@harperdb/nextjs' files: '/*' ``` There are 2 ways to provide this extension with the credentials needed to access your Azure vault, depending on the `managedCredentials: boolean` configuration option: ### 1. Using environment variables (`managedCredentials: false (default)`) The following environment variables (i.e. through `process.env`) must be accessible to your deployed component: * AZURE_VAULT_NAME - (required) Name of the Azure Key Vault holding the secrets * AZURE_TENANT_ID - (required) Tenant ID of the Azure Subscription * AZURE_CLIENT_ID - (required) Client ID of the application registration * AZURE_CLIENT_SECRET - (required) Client Secret of the application registration * SECRETS_LIST - (optional) Comma seperated list of secrets to access from the vault ### 2. Using a dotfile (`managedCredentials: true`) When you do not want to deploy your credentials with your component code, you can set `managedCredentials` to `true`, and the credentials (i.e. `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, and `AZURE_CLIENT_SECRET`) will be securely pulled from within the deployed environment. For this to work, your deployed component must have access to dotfile containing: * AZURE_VAULT_NAME - (required) Name of the Azure Key Vault holding the secrets * SECRETS_LIST - (optional) Comma seperated list of secrets to access from the vault In order for your extension to access the dotfile, you must also set the `files` property in your `config.yaml` with the path to the dotfile ``` '@harperdb/azure-secrets-to-environment': package: '@harperdb/azure-secrets-to-environment' managedCredentials: true files: '/path/to/.dotfile' '@harperdb/http-router': package: '@harperdb/http-router' files: '*.*js' # to load the routes.js and config files '@harperdb/nextjs': package: '@harperdb/nextjs' files: '/*' ``` #### Managed Credentials To prevent the storage/exposure of credentials in your deployed component code, the credentials can be "managed" outside of the component scope. Currently, the host machine of the harperdb container will inject an `AZURE_VAULT_MAP` as environment variable which will allow remote deployments to require just the `AZURE_VAULT_NAME`