2

I need to access some secret values from Azure Key Vault in my JavaScript. It is plain JavaScript, no NPM and no Node. Is there any option to get the value directly from JavaScript? Or do I need to write a separate API to retrieve the key vault? This is not relevant to securing some IDs; I want to know whether there is any possible option to get the key vault value from the client side.

Here is the link explaining how to retrieve key vault using node.js

It is not a duplicate of How to Hide an API Key in Client-Side Javascript

I want this to be done in plain javascript.

6
  • @str pls remove the duplicate tag, my question is nowhere relevant to the question which you have tagged. I am stuck with this scenario and I want some answer/suggestion to proceed further. Please understand. Commented Sep 23, 2019 at 11:27
  • Accessing any secure resource using client side script is a terrible idea. If the client can execute the code, so can any attacker. So you really should not do this. Commented Sep 23, 2019 at 12:22
  • This (despite your protestations) seems to be a duplicate of this. The answer is the same: no. Commented Sep 23, 2019 at 12:23
  • Hi, it's a good question, can you provide some things you've tried already to aid people helping you? Commented Sep 23, 2019 at 12:23
  • Possible duplicate of How to Hide an API Key in Client-Side Javascript Commented Sep 23, 2019 at 12:24

1 Answer

2

Doing a little research, I would suggest this is not possible purely with client side JavaScript.

With the Chrome developer tools open on the Network tab, if you browse to the Azure Portal and look at a secret, you can see in the CORS pre-flight request that the allowed origin is https://portal.azure.com

This essentially means that only client-side JavaScript hosted on portal.azure.com is allowed to use the API which gets secrets.

More details on CORS headers here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Screen shot of azure portal when requesting a secret
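
The origin check this answer describes, modelled as an added JavaScript example (not part of the original answer, and not Azure's or any browser's code). Only the allowed origin https://portal.azure.com comes from the answer; the function names, the other header values and the https://app.example origin are constructed, and credentials mode is left out of the model.

```javascript
// Simplified model of the browser's CORS pre-flight decision (added example).

// Lower-case header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Split a comma-separated header value into lower-cased tokens.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Returns { allowed, reason } for a cross-origin request that needs a pre-flight.
// requestHeaders lists the non-safelisted headers the script wants to send.
function checkPreflight(pageOrigin, method, requestHeaders, preflightResponse) {
  const res = normalize(preflightResponse);
  const allowOrigin = res["access-control-allow-origin"];
  if (!allowOrigin) return { allowed: false, reason: "no Access-Control-Allow-Origin" };
  // The origin must match exactly (scheme, host, port) unless the server sent "*".
  if (allowOrigin !== "*" && allowOrigin !== pageOrigin)
    return { allowed: false, reason: `origin ${pageOrigin} is not ${allowOrigin}` };

  const methods = tokens(res["access-control-allow-methods"]);
  const m = method.toLowerCase();
  // GET, HEAD and POST are CORS-safelisted methods and need no explicit listing.
  if (!["get", "head", "post"].includes(m) && !methods.includes(m) && !methods.includes("*"))
    return { allowed: false, reason: `method ${method} not allowed` };

  const allowedHeaders = tokens(res["access-control-allow-headers"]);
  for (const h of requestHeaders.map((x) => x.toLowerCase())) {
    // "*" never covers Authorization; it has to be listed by name.
    const ok = allowedHeaders.includes(h) || (h !== "authorization" && allowedHeaders.includes("*"));
    if (!ok) return { allowed: false, reason: `header ${h} not allowed` };
  }
  return { allowed: true, reason: "pre-flight passed" };
}

// Constructed pre-flight response; only the allowed origin comes from the answer.
const samplePreflight = {
  "Access-Control-Allow-Origin": "https://portal.azure.com",
  "Access-Control-Allow-Methods": "GET",
  "Access-Control-Allow-Headers": "authorization, content-type",
};

console.log(checkPreflight("https://portal.azure.com", "GET", ["Authorization"], samplePreflight));
console.log(checkPreflight("https://app.example", "GET", ["Authorization"], samplePreflight));
```

The browser runs this check when the pre-flight response arrives, so a page served from another origin never gets to send the actual request.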


5 Comments

Great tip Roney, the SDK certainly indicates it's possible now!
Although, digging deeper, the examples are for Node.js rather than client side. I haven't had a chance to look at the CORS headers yet; I'll try and take another look and update the answer when I get a chance. Thanks again for the tip!
The link Roney gave is broken. @Alex KeySmith Do you have a solution yet? I have the same problem.
Hi, it was many years back I'm afraid. But it looks like Microsoft have specific documentation on client side use now github.com/Azure/azure-sdk-for-js/blob/%40azure/…
