Using Azure KeyVault with Node.js

Some of the most intractable problems of application design are concerned with how to store credentials for accessing sensitive application data, keys, and configuration settings in code. With Azure Key Vault you don't have to. You can instead just authorise an application to access and use a Key Vault and perform operations that require authentication against a KeyVault. Christos Matskas shows how an application can interact with the service, using a Node.js application as an example.

In an earlier article, we discussed Azure’s new KeyVault service and saw how to provision one in order to protect sensitive data in an application. In this article, I will demonstrate how to write code to interact with the service. We will use a Node.js application to expose a RESTful API that will allow users to interact with the KeyVault by sending HTTP requests.

Setup

If you haven’t already done so, you will need to download and install Node.js from https://nodejs.org/en/ before getting started.

The project

In order to showcase how a Node.js application can use the features of KeyVault, we first need to create a small Node.js application. For the purposes of this article, we will create a thin Node API that will communicate directly with our KeyVault and act as a proxy between our client application and Azure.

To follow along, you will need to create a new folder in whatever location works best for you. I chose to set up the project in my default GitHub directory: C:\Users\Christos\Documents\GitHub\. Give your folder a name. Now open up the Node.js console (and make sure you keep it open) and navigate to the folder you’ve just created. Run the following command:

npm init

Follow the wizard and provide the requested values when you are prompted. In the end, you’ll end up with a package.json file in your folder. Open the package.json in your favorite editor and paste the following code:

This file instructs Node.js how to start up the application through the designated entry point (the file you want to use at startup). We will use index.js (the default) as our entry point, which will also manage the API calls. Add a new file at the same level as the package.json file and name it index.js. We will add the necessary code for our application soon, but for now we need to install a few npm packages to start working with the Azure KeyVault. In the Node.js console, type the following:

npm install azure-keyvault --save
npm install adal-node --save
npm install async --save
npm install restify --save

Let’s explain what these four commands will do for us. The first one installs the Azure KeyVault npm library. This contains all the calls we can make against our KeyVault. The second one is necessary for authenticating against the Azure Active Directory. The last two are needed in order to build our Node.js API application. With all these installed, your package.json should now look like this:

These are all the external libraries and dependencies that you will need in order to create and run our application. To keep things lightweight, we’ll introduce a new, custom module that will perform all the logic and interaction with the Azure KeyVault. In Node, modules are equivalent to .NET classes that implement and expose a set of functions. Node modules, like classes, are reusable objects that can be shared throughout the application.

Create a new file at the root of the application directory and name it kvservice.js. This will be our wrapper around the KeyVault library. Open the file and paste the following code:

The kvservice.js implements only a subset of the available KeyVault operations and serves as a sample to show you how easy it is to use the KeyVault within Node. For the full list of the available functions, have a look here: https://www.simple-talk.com/cloud/platform-as-a-service/application-security-with-azure-key-vault/
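A wrapper like kvservice.js still has to present the application's own Azure AD identity before it can call the vault, so those values should not be pasted into the source either. The following is an added example, not code from the article or its GitHub project: it loads and validates them from the environment and fails closed. The KV_* variable names and the loadVaultConfig function are hypothetical, and it assumes the client ID and secret pair that adal-node's client-credentials flow takes and a vault in the Azure public cloud.

```javascript
'use strict';
// Added example: keep the Azure AD application credentials out of source code.
// KV_CLIENT_ID, KV_CLIENT_SECRET and KV_VAULT_URI are hypothetical names.

const GUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

function loadVaultConfig(env) {
  const problems = [];
  const clientId = (env.KV_CLIENT_ID || '').trim();
  const clientSecret = env.KV_CLIENT_SECRET || '';
  const rawUri = (env.KV_VAULT_URI || '').trim();

  if (!GUID.test(clientId)) problems.push('KV_CLIENT_ID must be a GUID');
  if (clientSecret.length === 0) problems.push('KV_CLIENT_SECRET is not set');

  let vaultUri = null;
  try {
    const u = new URL(rawUri);
    // Assumption: Azure public cloud, where vault hosts end in .vault.azure.net.
    if (u.protocol !== 'https:') {
      problems.push('KV_VAULT_URI must use https');
    } else if (!u.hostname.endsWith('.vault.azure.net')) {
      problems.push('KV_VAULT_URI is not a Key Vault host');
    } else {
      vaultUri = u.origin; // drops any path, query or userinfo
    }
  } catch (e) {
    problems.push('KV_VAULT_URI is not a valid URL');
  }

  // Fail closed: never start the API with a partial or malformed configuration.
  if (problems.length > 0) {
    throw new Error('Key Vault config invalid: ' + problems.join('; '));
  }

  const config = { clientId, vaultUri };
  // Non-enumerable: JSON.stringify and console.log of the config omit the secret.
  Object.defineProperty(config, 'clientSecret', { value: clientSecret, enumerable: false });
  return Object.freeze(config);
}

// Constructed sample environment; none of these values are real credentials.
const sampleEnv = {
  KV_CLIENT_ID: '11111111-2222-3333-4444-555555555555',
  KV_CLIENT_SECRET: 'constructed-secret-value',
  KV_VAULT_URI: 'https://contoso-demo.vault.azure.net/',
};
console.log(JSON.stringify(loadVaultConfig(sampleEnv)));
```

In the application you would pass process.env instead of sampleEnv and let the thrown error stop startup.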

Now we are ready to create our API. Open the index.js file and paste the following code:

Save the changes and return to the Node.js console. Type npm start and hit Enter to start your service. The web API service is currently listening on port 3000, so any client requests will need to use this port. For example, using your favorite REST API client, you can execute the following request:

http://localhost:3000/getallkeys/5

And this should return the following response, assuming you have some encryption keys configured in the KeyVault:

This sample app, although basic, allows you to perform most of the important operations against a KeyVault. A fully working project can be found on GitHub here: https://github.com/cmatskas/azure-keyvault-node. The Azure SDK for Node is simple and easy to use, and it only takes a few lines of code to incorporate powerful security features into your application. Next time, we’ll look at how we can leverage the Azure .NET SDK to implement the same functionality in an ASP.NET WebAPI project.