If you choose to run the code locally, the DefaultAzureCredential will automatically utilize environmental variables.
In your specific scenario, it is necessary to register an application with Azure AD, obtain the tenant id, client id(i.e. application id), client secret(i.e. application secret)
, set the environmental variables as AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID.
Regarding the 403 error mentioned, if you observe that it was added as a compound entity, chances are the correct service principal associated with the AD App was not added properly to the keyvault's Access policies. The entry should appear as APPLICATION rather than COMPOUND IDENTITY once correctly added.
When adding it, search for either the client Id(i.e. application Id) or
the name of your App Registration
directly to ensure accuracy. Further information on this topic can be found in this similar issue.
To retrieve the secret, simply having the Get permission is sufficient, using the provided code snippet:
const retrievedSecret = await client.getSecret(secretName);
It appears that in your code you are utilizing client.setSecret, which is meant for saving a secret and therefore requires the Set permission to function effectively.
For additional insights, refer to Quickstart: Azure Key Vault client library for Node.js (v4).
Update:
You mentioned the need to eventually deploy this code in a non-Azure environment. To accomplish this, you will have to manually include the required environment variables in your code.
This entails modifying your authentication process by directly inputting the three values into the code.
Replace these lines:
const { DefaultAzureCredential } = require("@azure/identity");
const credential = new DefaultAzureCredential();
With the following:
const { ClientSecretCredential } = require("@azure/identity");
const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
Refer to - https://www.npmjs.com/package/@azure/identity/v/1.0.3#authenticating-as-a-service-principal