0

We have a Node.js app that is deployed to Azure App Service. Some of our npm package dependencies are stored in a private npm repository, and the auth token for this repo is stored in Azure Key Vault.

We use VSTS for our builds, and VSTS makes it easy to fetch the token from the Key Vault. For our deployments, we use Kudu to npm install && npm start our app. But the npm install fails as packages from the private repo can't be fetched.

I have worked around this by adding the auth token as an app setting in the App Service and adding it to the .npmrc before Kudu runs npm install. But I would really like a way to access the token from Key Vault directly from Kudu. Is this something on the Key Vault or App Service team's radar?

Update

The recommended approach is to use the PowerShell SDK / REST APIs to read the secrets from the KeyVault and update the app service. Not ideal, but it works.

1 Answer

1

Code running in your App Service (whether as part of Kudu or your actual site) cannot directly read from KeyVault.

The recommended pattern is to put the secret in an App Setting as described in https://learn.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application.

David Ebbo
  • Thanks David. Is there a way to update the app settings via script? I want to automate this end-to-end so that rotating a secret doesn't require any manual steps. – Rohit Pagariya Feb 03 '17 at 06:11
  • Looks like there are PowerShell cmdlets. See this thread for details: http://stackoverflow.com/questions/32543778/adding-an-app-settings-to-existing-azure-web-application-using-azure-power-shell – Rohit Pagariya Feb 03 '17 at 06:19
  • David, are there plans to make this easier in the future via tighter integration? – Rohit Pagariya Feb 03 '17 at 06:20
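
One way to apply the App Setting pattern to the .npmrc step without writing the token value to disk, as an added example that is not part of the original question or answer: npm expands `${VAR}` references in .npmrc from the environment at run time. The setting name `NPM_TOKEN`, the registry host shown in the comment, and both function names are assumptions.

```shell
#!/bin/sh
# Added example: helpers for a custom Kudu deployment script (bash/sh variant).
# Assumption: the token is stored in an app setting named NPM_TOKEN, which
# App Service exposes to the deployment script as an environment variable.

# write_npmrc DIR REGISTRY
# Writes DIR/.npmrc so that it refers to the token by name only. The
# single-quoted printf format keeps ${NPM_TOKEN} literal in the file.
write_npmrc() {
    dir=$1
    registry=$2    # host[/path] of the private registry, without a scheme
    if [ -z "${NPM_TOKEN:-}" ]; then
        echo "NPM_TOKEN app setting is missing; not running npm install" >&2
        return 1
    fi
    # Reject values that could inject extra lines or keys into .npmrc.
    case $registry in
        ''|*[!A-Za-z0-9._:/-]*)
            echo "unexpected registry value" >&2
            return 2 ;;
    esac
    ( umask 077
      printf '//%s/:_authToken=${NPM_TOKEN}\n' "$registry" > "$dir/.npmrc" )
}

# npmrc_has_literal_token FILE
# Returns 0 when FILE contains an _authToken value that is not a ${VAR}
# reference, meaning a secret was written to disk or committed.
npmrc_has_literal_token() {
    grep -E '_authToken=' "$1" |
        grep -Ev '_authToken=\$\{[A-Za-z_][A-Za-z0-9_]*\}[[:space:]]*$' >/dev/null
}

# Usage inside the deployment script, before npm install
# (registry.example.test is a placeholder):
#   write_npmrc "$PWD" 'registry.example.test/npm' || exit 1
#   npm install --production
```

Because the file holds only the variable reference, rotating the secret means updating the app setting; the .npmrc itself never changes and can be checked with `npmrc_has_literal_token` in the build.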