How to use Azure Key Vault in npmrc file?


I have a secret personal access token (only for building purposes) in my .npmrc file. As this secret is exposed, I thought of replacing this using Azure Key Vault. I haven't found any documentation around it. When I created the personal token before, I had given it only packaging/building access. How can I achieve this, please help me with this? Or is there any better way to include the personal access token in the .npmrc file?

BEST ANSWER

Since you confirmed you are using Azure DevOps for your build, you don't need to maintain a PAT in the .npmrc file. Just keep your npm registry URL there (I assume the private npm registry is also in Azure DevOps) like below:

registry={your npm registry URL}

always-auth=false

Now, in the build pipeline, add the npm Authenticate task before npm install.

- task: npmAuthenticate@0
  inputs:
    workingFile: <relative path to your .npmrc file>

Providing secrets to your resource can be done in many ways.

Some resources in Azure allow you to specify environment variables through the Azure CLI. Here's an example with the Azure container instances: link.

On Azure, once you have a Key Vault instance, you can use your Key Vault to provide secrets to your App Service and Azure Function instances. This is documented here: link, with a focus on Azure Resource Manager templates, which is especially useful for automated deployments.

Although the following is explained in the documentation link above, the general picture on how to use Key Vault secrets from other Azure resources requires the following:

  • Make a user-assigned identity or Azure Active Directory application.
  • Grant access to this identity (or AAD app) by going to the Access Policies of your Key Vault (this can be done through the portal, of course), and giving your identity at least read access to your Key Vault.
  • After that, create a secret on your Key Vault, go to the secret details and copy the "Secret Identifier". This will be a URI similar to: https://myvault.vault.azure.net/secrets/mysecret/.
  • That's the URI you can use to bring Key Vault secrets to other resources.
  • You'll be able to access this secret from other resources by ensuring the resource has access to the same identity, and by providing the URI through a syntax similar to: @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/).

For example, if you link an Azure Function to the same identity you granted read access to your Key Vault, you can provide a secret through environment variables by setting configuration properties in your resource. By going to the Azure Portal, locating your resource, then going to Configuration, then to Application settings, if you proceed to add the name of your environment variable, and as the value something similar to: @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/), you'll be providing the expected environment variable with the expected secret value to your resource.

The final approach I can think of is by using the @azure/keyvault-secrets client. If using an NPM library to retrieve Key Vault secrets sounds interesting, this is the dependency for you. All the information needed to work with this library should be available on NPM: same link. But in any case, a sample using this client would look as follows:

const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");

// DefaultAzureCredential picks up the managed identity, service principal
// environment variables or a developer login, whichever is available.
const credential = new DefaultAzureCredential();

// Client bound to one vault; the identity behind `credential` needs at least
// "Get" permission on secrets in that vault's access policy.
const client = new SecretClient(`https://my-key-vault.vault.azure.net`, credential);

async function main() {
  const secretName = "MySecretName";
  // Without a version argument, getSecret returns the latest enabled version.
  const latestSecret = await client.getSecret(secretName);
  console.log(`Latest version of the secret ${secretName}: `, latestSecret);
}

main();

You could use this library to load your secrets at any point while your service or program is running.

Please let me know if this information is useful for you. I'm here to help!