System Information
- Strapi Version: 4.25.11
- Operating System:
- Database:
- Node Version:
- NPM Version:
- Yarn Version:
I am trying to fetch sensitive environment variables from an Azure Key Vault. While I can probably do this in the register or startup methods, I’m not sure how to get them asynchronously in the config/admin.ts file.
import { Strategy as AzureAdOAuth2Strategy } from "passport-azure-ad-oauth2";
import jwt from "jsonwebtoken";
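/**
 * Strapi admin-panel configuration: the admin JWT secret, one Azure AD OAuth2
 * SSO provider, and logging hooks for SSO connection events.
 *
 * @param env - Strapi's environment accessor; the second argument is the
 *   default returned when the variable is unset.
 * @returns The admin configuration object.
 */
export default ({ env }) => ({
  auth: {
    secret: env("ADMIN_JWT_SECRET"),
    providers: [
      {
        uid: "azure_ad_oauth2",
        displayName: "Microsoft",
        icon: "https://upload.wikimedia.org/wikipedia/commons/thumb/9/96/Microsoft_logo_%282012%29.svg/320px-Microsoft_logo_%282012%29.svg.png",
        createStrategy: (strapi) =>
          new AzureAdOAuth2Strategy(
            {
              // The empty-string defaults let this file load when a variable is
              // unset; a missing client ID, secret or tenant is then presumably
              // only noticed when a login is attempted.
              clientID: env("MICROSOFT_CLIENT_ID", ""),
              clientSecret: env("MICROSOFT_CLIENT_SECRET", ""),
              scope: ["user:email"],
              tenant: env("MICROSOFT_TENANT_ID", ""),
              callbackURL:
                strapi.admin.services.passport.getStrategyCallbackURL(
                  "azure_ad_oauth2"
                ),
            },
            (accessToken, refreshToken, params, profile, done) => {
              // NOTE(review): jwt.decode() only parses the token, it does not
              // verify the signature. The claims are trusted here on the
              // assumption that id_token is taken from the provider's token
              // endpoint response by the passport strategy - confirm, and do
              // not reuse this pattern for tokens supplied by a client.
              const waadProfile = jwt.decode(params.id_token);

              // jwt.decode() returns null for input it cannot parse and a
              // string for a non-JSON payload; fail the login instead of
              // throwing a TypeError on the property reads below.
              if (waadProfile === null || typeof waadProfile === "string") {
                done(new Error("Azure AD response did not contain a decodable id_token"));
                return;
              }

              // The admin identity is derived from this claim, so refuse to
              // continue when it is absent rather than passing undefined on.
              if (typeof waadProfile.unique_name !== "string" || waadProfile.unique_name === "") {
                done(new Error("Azure AD id_token has no unique_name claim"));
                return;
              }

              // The decoded claims are deliberately not written to the console:
              // they contain personal data for every admin who signs in.
              done(null, {
                email: waadProfile.unique_name,
                username: waadProfile.unique_name,
                firstname: waadProfile.given_name, // optional if email and username exist
                lastname: waadProfile.family_name, // optional if email and username exist
              });
            }
          ),
      },
    ],
    events: {
      // Logs the id and provider of a user who signed in through SSO.
      onConnectionSuccess(e) {
        const { user, provider } = e;
        console.log(`A new user (${user.id}) has connected using ${provider}`);
      },
      // Logs the provider and the error of a failed SSO sign-in.
      onConnectionError(e) {
        console.error(
          `An error occured during the connection of a new user using ${e.provider}. Error: ${e.error}`
        );
      },
      // Logs the id and provider of a user created by SSO auto-registration.
      onSSOAutoRegistration(e) {
        const { user, provider } = e;
        console.log(
          `A new user (${user.id}) has been automatically registered using ${provider}`
        );
      },
    },
  }
});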
How do I replace this env("MICROSOFT_CLIENT_SECRET", "") with a value from Azure Key Vault?
For reference fetching a secret:
import { DefaultAzureCredential } from "@azure/identity";
import { SecretClient } from "@azure/keyvault-secrets";
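/**
 * Reads the current value of one secret from the Azure Key Vault named by the
 * KEY_VAULT_NAME environment variable, authenticating with
 * DefaultAzureCredential.
 *
 * The returned value is sensitive: callers should hand it to the consumer
 * directly and keep it out of logs and error messages.
 *
 * @param secretName - Name of the secret to read.
 * @returns The secret's value, or undefined when the vault returns none.
 * @throws Error when KEY_VAULT_NAME is unset or is not a plausible vault name;
 *   errors raised by the Azure SDK call are not caught here.
 */
export async function getSecret(secretName: string): Promise<string | undefined> {
  const keyVaultName = process.env.KEY_VAULT_NAME;

  // The name is interpolated into the host part of the vault URL. Without this
  // check an unset variable yields "https://undefined.vault.azure.net", and a
  // value containing dots or slashes could point the client at another host.
  // Key Vault names are 3-24 characters of letters, digits and hyphens.
  if (!keyVaultName || !/^[A-Za-z0-9-]{3,24}$/.test(keyVaultName)) {
    throw new Error(
      "KEY_VAULT_NAME must be set to a valid Key Vault name (3-24 letters, digits or hyphens)"
    );
  }

  const keyVaultUrl = `https://${keyVaultName}.vault.azure.net`;
  const credential = new DefaultAzureCredential();
  const client = new SecretClient(keyVaultUrl, credential);
  const secret = await client.getSecret(secretName);
  return secret.value;
}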