I need to access some secret values from Azure Key Vault in my JavaScript. It is plain JavaScript, no NPM and node. Is there any option to get the value directly from JavaScript? Or do I need to write a separate API to retrieve the key vault? This is not relevant to securing some IDs; I want to know whether there is any possible option to get the key vault value from client-side.

Here is the link explaining how to retrieve key vault using node.js

It is not a duplicate of How to Hide an API Key in Client-Side Javascript

I want this to be done in plain javascript.

Liam
Sriram Tamilarasan
  • @str pls remove duplicate tag, my question is nowhere relevant to the question which you have tagged. I am stuck with this scenario and I want some answer/suggestion to proceed further. Please understand. – Sriram Tamilarasan Sep 23 '19 at 11:27
  • Accessing any secure resource using client side script is a terrible idea. If the client can execute the code, so can any attacker. So you really **should not do this** – Liam Sep 23 '19 at 12:22
  • This (despite your protestations) seems to be a [duplicate of this](https://stackoverflow.com/a/38237784/542251). The answer is the same **no** – Liam Sep 23 '19 at 12:23
  • Hi, it's a good question, can you provide some things you've tried already to aid people helping you? – Alex KeySmith Sep 23 '19 at 12:23
  • Possible duplicate of [How to Hide an API Key in Client-Side Javascript](https://stackoverflow.com/questions/38237673/how-to-hide-an-api-key-in-client-side-javascript) – Liam Sep 23 '19 at 12:24
  • I don't believe this is a duplicate of the "How to Hide an API Key..." question. Indicating so is reflecting a valid opinion on the weaknesses of client side security, however I believe this question is in regard to the specific technology combination of Azure KeyVault and client-side JavaScript. – Alex KeySmith Sep 23 '19 at 12:42

1 Answer

Doing a little research, I would suggest this is not possible purely with client side JavaScript.

With the Chrome developer tools open on the Network tab, if you browse to the Azure Portal and look at a secret, you can see in the CORS pre-flight request that the allowed origin is https://portal.azure.com

This essentially means that only client side JavaScript hosted on portal.azure.com is allowed to use the API which gets secrets.

More details on CORS headers here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

[Screenshot of the Azure portal when requesting a secret]

Alex KeySmith
  • Check this out https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/keyvault/keyvault-secrets/samples/javascript – roney Jul 17 '20 at 12:10
  • Great tip Roney, the SDK certainly indicates it's possible now! – Alex KeySmith Jul 18 '20 at 18:30
  • Although digging deeper, the examples are for nodejs rather than client side, I haven't had a chance to look at the cors headers yet, I'll try and take another look and update the answer when I get a chance. Thanks again for the tip! – Alex KeySmith Jul 18 '20 at 18:33
  • The link Roney gave is broken. @Alex KeySmith Do you have a solution yet? I have the same problem. – backnext Feb 02 '23 at 18:40
  • Hi, it was many years back I'm afraid. But it looks like Microsoft have specific documentation on client side use now https://github.com/Azure/azure-sdk-for-js/blob/%40azure/keyvault-secrets_4.6.0/samples/cors/ts/README.md – Alex KeySmith Feb 02 '23 at 20:13
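
The CORS check described in the answer, modeled as an added example (not code from the original post or from Azure): a simplified version of the browser's preflight evaluation from the Fetch standard. Apart from the `https://portal.azure.com` origin quoted in the answer, every header value and the `https://app.example` origin are constructed, and the caller is assumed to pass only non-safelisted request headers.

```javascript
// Simplified model of the browser's CORS preflight check (Fetch standard).
// Header names are lower-cased keys; all sample values below are constructed.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

function splitList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

function checkPreflight(request, responseHeaders) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  const withCreds = request.credentials === true;

  // 1. Origin: exact match, or "*" only when no credentials are sent.
  const originOk =
    allowOrigin === request.origin || (allowOrigin === "*" && !withCreds);
  if (!originOk) return { allowed: false, reason: "origin not allowed" };

  // 2. Method: safelisted, explicitly listed, or "*" without credentials.
  const methods = splitList(responseHeaders["access-control-allow-methods"]);
  const methodOk =
    SAFELISTED_METHODS.has(request.method) ||
    methods.includes(request.method) ||
    (methods.includes("*") && !withCreds);
  if (!methodOk) return { allowed: false, reason: "method not allowed" };

  // 3. Headers: case-insensitive; "*" never covers Authorization.
  const allowed = splitList(responseHeaders["access-control-allow-headers"])
    .map((h) => h.toLowerCase());
  for (const name of request.headers.map((h) => h.toLowerCase())) {
    const wildcard = allowed.includes("*") && !withCreds && name !== "authorization";
    if (!allowed.includes(name) && !wildcard) {
      return { allowed: false, reason: `header not allowed: ${name}` };
    }
  }
  return { allowed: true, reason: "ok" };
}

// Constructed preflight response echoing the allowed origin seen in the answer.
const portalOnly = {
  "access-control-allow-origin": "https://portal.azure.com",
  "access-control-allow-methods": "GET",
  "access-control-allow-headers": "authorization",
};
const secretRead = { method: "GET", headers: ["Authorization"], credentials: false };

console.log(checkPreflight({ ...secretRead, origin: "https://portal.azure.com" }, portalOnly));
console.log(checkPreflight({ ...secretRead, origin: "https://app.example" }, portalOnly));
```

This check runs in the browser only; it restricts which pages may read the response and is not an access control on the vault itself, which still authenticates every request.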