Skip to content

Latest commit

 

History

History
63 lines (46 loc) · 2.97 KB

README.md

File metadata and controls

63 lines (46 loc) · 2.97 KB

Azure secrets-to-environment

This project is a Protocol Extension that accesses an Azure key vault and assigns the keys to environment variables.

Installation

Install this package in your Harper application: npm install --save @harperdb/azure-secrets-to-environment

Configuration

After installation, add the extension (@harperdb/azure-secrets-to-environment) into your application's config.yaml file. This component must be listed above any components that will access the environment variables.

'@harperdb/azure-secrets-to-environment':
  package: '@harperdb/azure-secrets-to-environment'
'@harperdb/http-router':
  package: '@harperdb/http-router'
  files: '*.*js' # to load the routes.js and config files
'@harperdb/nextjs':
  package: '@harperdb/nextjs'
  files: '/*'

There are 2 ways to provide this extension with the credentials needed to access your Azure vault, depending on the managedCredentials: boolean configuration option:

1. Using environment variables (managedCredentials: false (default))

The following environment variables (i.e. through process.env) must be accessible to your deployed component:

  • AZURE_VAULT_NAME - (required) Name of the Azure Key Vault holding the secrets
  • AZURE_TENANT_ID - (required) Tenant ID of the Azure Subscription
  • AZURE_CLIENT_ID - (required) Client ID of the application registration
  • AZURE_CLIENT_SECRET - (required) Client Secret of the application registration
  • SECRETS_LIST - (optional) Comma seperated list of secrets to access from the vault

2. Using a dotfile (managedCredentials: true)

When you do not want to deploy your credentials with your component code, you can set managedCredentials to true, and the credentials (i.e. AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET) will be securely pulled from within the deployed environment.

For this to work, your deployed component must have access to dotfile containing:

  • AZURE_VAULT_NAME - (required) Name of the Azure Key Vault holding the secrets
  • SECRETS_LIST - (optional) Comma seperated list of secrets to access from the vault

In order for your extension to access the dotfile, you must also set the files property in your config.yaml with the path to the dotfile

'@harperdb/azure-secrets-to-environment':
  package: '@harperdb/azure-secrets-to-environment'
  managedCredentials: true
  files: '/path/to/.dotfile'
'@harperdb/http-router':
  package: '@harperdb/http-router'
  files: '*.*js' # to load the routes.js and config files
'@harperdb/nextjs':
  package: '@harperdb/nextjs'
  files: '/*'

Managed Credentials

To prevent the storage/exposure of credentials in your deployed component code, the credentials can be "managed" outside of the component scope. Currently, the host machine of the harperdb container will inject an AZURE_VAULT_MAP as environment variable which will allow remote deployments to require just the AZURE_VAULT_NAME