
The customer has created a key vault and stored the credentials in it. To authenticate to the key vault, I created an application in Node and, using the client id and client secret, I am able to read the secrets. But now the customer does not want to use the client id and client secret; instead they want to use the username and password of an Azure user to access the key vault in the program. It is one dedicated user for key vault access, with no MFA.

I am not sure whether we can access the key vault with a username and password from Node.js. Kindly suggest.

Thanks

Did you find out the reason the customer wants it like this? To me this sounds extremely stupid and I would refuse to do this unless the client can provide a seriously good explanation. - juunas, Aug 23, 2020 at 10:10

learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/… They want to use this username/password authentication. - MKN, Aug 23, 2020 at 11:07

So do they want your app to access the Key Vault as the currently signed-in user or as a fixed user account? A fixed user account makes no sense to me, with no advantage over an application using a client id and secret. Have they told you the reason why they want to do this? - juunas, Aug 23, 2020 at 11:12

I've learned the client never really knows what they want. They know what they think they want, though. It's up to the developer to steer them in the right direction. - Andy, Aug 24, 2020 at 5:02

For this requirement, I also think that using the username-password flow is unnecessary and the client credentials flow would be better (as juunas mentioned in the comments). But if the customer still wants to use the username-password flow, I can provide a sample below for your reference:

1. You should register an app in Azure AD with the native platform, not the web platform.

And please check that "Treat application as a public client" is enabled.

If your app is on the web platform, when you run the Node.js code it will show an error message asking you to provide a "client secret" even if you use the username-password flow.

2. You need to add the Azure Key Vault permission to your app. And do not forget to grant admin consent for it.

3. Then you can refer to the code below to get the secret value.

const KeyVault = require('azure-keyvault');
const { AuthenticationContext } = require('adal-node');

const clientId = '<clientId>';
const username = '<username>';
const password = '<password>';

// Key Vault replies 401 with a Bearer challenge that names the token authority
// and the resource. Acquire a token for that resource with the username/password
// (ROPC) grant and hand "<tokenType> <accessToken>" back to the client.
var secretAuthenticator = function (challenge, callback) {
    var context = new AuthenticationContext(challenge.authorization);
    return context.acquireTokenWithUsernamePassword(challenge.resource, username, password, clientId, function (err, tokenResponse) {
        if (err) return callback(err);
        var authorizationValue = tokenResponse.tokenType + ' ' + tokenResponse.accessToken;
        return callback(null, authorizationValue);
    });
};

var credentials = new KeyVault.KeyVaultCredentials(secretAuthenticator);
var client = new KeyVault.KeyVaultClient(credentials);

client.getSecret("https://<keyvaultname>.vault.azure.net/", "<secret name>", "<secret version>", function (err, result) {
    if (err) throw err;
    console.log("secret value is: " + result.value);
});
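The following is an added example and not part of the answer above. It shows what azure-keyvault's KeyVaultCredentials does around the secretAuthenticator callback: read the 401 Bearer challenge from Key Vault, post the username/password (ROPC) grant to the authority the challenge names, and retry the request with the resulting bearer token. It is written against Node's built-in fetch (Node 18+) rather than adal-node and azure-keyvault, both of which are deprecated, and it adds one check the original flow lacks: the authority host and resource from the challenge are pinned before the password is sent anywhere. Vault name, tenant id, secret name and credentials are placeholders, and the fetch transport is injectable so the flow can be exercised offline.

```javascript
// Added example (not the answer's code): Key Vault bearer-challenge handshake
// with the username/password (ROPC) grant, on Node's built-in fetch.

// Key Vault answers an unauthenticated request with 401 and a header such as
//   WWW-Authenticate: Bearer authorization="https://login.microsoftonline.com/<tenant>", resource="https://vault.azure.net"
// Parse it into { authorization, resource } (the two fields the answer reads off `challenge`).
function parseBearerChallenge(header) {
  if (typeof header !== 'string' || !/^Bearer\s/i.test(header)) {
    throw new Error('not a Bearer challenge');
  }
  const params = {};
  const re = /(\w+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(header)) !== null) params[m[1]] = m[2];
  if (!params.authorization || !params.resource) {
    throw new Error('challenge lacks authorization or resource');
  }
  return params;
}

// ROPC posts the user's password to whatever authority the challenge names, so
// pin the authority host and the resource: a spoofed or proxied challenge must
// not be able to redirect the credentials, or the token, somewhere else.
const TRUSTED_AUTHORITY_HOSTS = ['login.microsoftonline.com', 'login.windows.net'];
const KEY_VAULT_RESOURCE = 'https://vault.azure.net';

function validateChallenge(challenge) {
  const host = new URL(challenge.authorization).hostname;
  if (!TRUSTED_AUTHORITY_HOSTS.includes(host)) {
    throw new Error(`untrusted token authority: ${host}`);
  }
  if (challenge.resource.replace(/\/$/, '') !== KEY_VAULT_RESOURCE) {
    throw new Error(`unexpected resource in challenge: ${challenge.resource}`);
  }
  return challenge;
}

// The v1 token request adal-node's acquireTokenWithUsernamePassword sends:
// POST {authority}/oauth2/token with grant_type=password.
function buildRopcTokenRequest(challenge, clientId, username, password) {
  return {
    url: `${challenge.authorization.replace(/\/$/, '')}/oauth2/token`,
    body: new URLSearchParams({
      grant_type: 'password',
      client_id: clientId,
      username,
      password,
      resource: challenge.resource,
    }).toString(),
  };
}

// Whole flow: probe -> parse and validate challenge -> ROPC token -> retry with
// the bearer token. fetchImpl is injectable so the flow can run offline in a test.
async function getSecret({ vaultUrl, secretName, secretVersion = '', clientId, username, password, fetchImpl = fetch }) {
  const secretUrl = `${vaultUrl.replace(/\/$/, '')}/secrets/${encodeURIComponent(secretName)}`
    + (secretVersion ? `/${encodeURIComponent(secretVersion)}` : '') + '?api-version=7.1';

  const probe = await fetchImpl(secretUrl);
  if (probe.status !== 401) throw new Error(`expected a 401 challenge, got ${probe.status}`);
  const challenge = validateChallenge(parseBearerChallenge(probe.headers.get('www-authenticate')));

  const req = buildRopcTokenRequest(challenge, clientId, username, password);
  const tokenRes = await fetchImpl(req.url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: req.body,
  });
  const token = await tokenRes.json();
  if (!tokenRes.ok || !token.access_token) {
    throw new Error(`token request failed: ${token.error_description || tokenRes.status}`);
  }

  const res = await fetchImpl(secretUrl, {
    headers: { Authorization: `${token.token_type || 'Bearer'} ${token.access_token}` },
  });
  if (!res.ok) throw new Error(`getSecret failed with HTTP ${res.status}`);
  return (await res.json()).value;
}

// Usage against a real vault (all values are placeholders):
// getSecret({ vaultUrl: 'https://<keyvaultname>.vault.azure.net', secretName: '<secret name>',
//             clientId: '<clientId>', username: '<username>', password: '<password>' })
//   .then(v => console.log('secret value is: ' + v));
```

The pinning in validateChallenge is the part worth keeping even if the rest is replaced by a library: with ROPC the program holds a real user's password, and the challenge header is the only thing telling it where to send that password, so the program must not trust an arbitrary host there.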
        
