Describe the bug
client.getConfigurationSetting does not resolve Key Vault references from App Configuration. I believe this is a feature which should be working, as per this .NET tutorial: https://docs.microsoft.com/en-us/azure/azure-app-configuration/use-key-vault-references-dotnet-core?tabs=cmd%2Ccore2x
To Reproduce
Steps to reproduce the behaviour:
process.env.AZURE_TENANT_ID = "valid value";
process.env.AZURE_CLIENT_ID = "valid value";
process.env.AZURE_CLIENT_SECRET = "valid value";

const { DefaultAzureCredential } = require('@azure/identity');
const { AppConfigurationClient } = require('@azure/app-configuration');

const url = `https://redacted.azconfig.io`;
const credential = new DefaultAzureCredential();
const client = new AppConfigurationClient(url, credential);

module.exports = async function() {
  for await (const secretProperties of client.listConfigurationSettings()) {
    const secret = await client.getConfigurationSetting({ key: secretProperties.key });
    console.log(secret.value);
  }
};
Expected behavior
Key value value resolved, instead of the URI reference to the vault. Currently the above code would log
value: '{"uri":"https://redacted.vault.azure.net/secrets/example/redacted"}',
rather than the real value.
In the linked article, it mentions:
Because the client provider recognizes the keys as Key Vault references, it uses Key Vault to retrieve their values.
To me, it seems like the SDK could be resolving the real values; however, I might be misunderstanding that sentence.
Hi @iqfy-kyle, I'll be taking a look at this today.
@richardpark-msft awesome, thank you. I'm a bit unsure if it is a bug in the SDK or if I misunderstand its usage when pairing App Configuration with Key Vault.
Hi @iqfy-kyle,
Your intuition was right on this - the actual resolution of the Key Vault reference is done on the client side in the implementations that support them.
As an example, you can see how the .NET configuration settings provider does it here, using just the AppConfig and KeyVault SDKs.
It deserializes the Application Config setting, extracting the Key Vault ref, and then uses a KeyVault client to retrieve the value.
Closing this issue for now, but please feel free to reopen if you feel like I didn't answer your question or want to continue discussion.
Thanks Richard.
In case anyone comes across this issue, the above workflow is also noted in the architecture diagram, which I missed: https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/appconfig-key-vault#data-flow
@richardpark-msft Is there a way to retrieve a secret from Key Vault by using the URI in the JavaScript SDK? https://azuresdkdocs.blob.core.windows.net/$web/javascript/azure-keyvault-secrets/4.1.0/classes/secretclient.html#getsecret seems to only allow a key name, whereas the .NET example you linked uses the URI from what App Configuration returns.
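The client-side resolution described in this thread, as an added JavaScript example that is not part of the original issue and is not Azure SDK code: it splits the reference URI into the vault URL, secret name and version that a secret lookup by name needs, and pins the vault host first. The function names, the allowlisted host and the sample settings are assumptions constructed for illustration; the secret lookup is injected so the parsing runs offline.

```javascript
// Added example; names below are hypothetical, not Azure SDK APIs.
const KEYVAULT_REF_TYPE = 'application/vnd.microsoft.appconfig.keyvaultref+json';
// Assumption: the only vault hosts this application should ever read from.
const ALLOWED_VAULT_HOSTS = new Set(['example-vault.vault.azure.net']);

// Returns { vaultUrl, name, version } for a Key Vault reference setting,
// or null when the setting is an ordinary key-value.
function parseKeyVaultReference(setting) {
  if (!(setting.contentType || '').startsWith(KEYVAULT_REF_TYPE)) return null;
  const { uri } = JSON.parse(setting.value);
  const url = new URL(uri); // throws on a malformed URI
  // The app will contact this host with its credential, so pin it first.
  if (url.protocol !== 'https:' || !ALLOWED_VAULT_HOSTS.has(url.host)) {
    throw new Error(`Unexpected Key Vault host in reference: ${url.host}`);
  }
  // Path shape: /secrets/<name>[/<version>]
  const [collection, name, version] = url.pathname.split('/').filter(Boolean);
  if (collection !== 'secrets' || !name) {
    throw new Error(`Not a secret identifier: ${url.pathname}`);
  }
  return { vaultUrl: url.origin, name, version };
}

// Resolves one setting to its real value. getSecret is injected; with
// @azure/keyvault-secrets it would be:
//   (ref) => new SecretClient(ref.vaultUrl, credential)
//     .getSecret(ref.name, { version: ref.version }).then((s) => s.value)
async function resolveSetting(setting, getSecret) {
  const ref = parseKeyVaultReference(setting);
  return ref ? getSecret(ref) : setting.value;
}

// Constructed sample settings in the shape logged in the issue above.
const SAMPLE_REFERENCE = {
  key: 'example',
  contentType: `${KEYVAULT_REF_TYPE};charset=utf-8`,
  value: '{"uri":"https://example-vault.vault.azure.net/secrets/example/0123abcd"}',
};
const SAMPLE_PLAIN = { key: 'greeting', contentType: '', value: 'hello' };
```

A reference without a version segment yields `version: undefined`, which asks Key Vault for the latest version of the secret.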