Azure-Samples
diff --git a/‎README.md‎
Lines changed: 91 additions & 115 deletions b/‎README.md‎
Lines changed: 91 additions & 115 deletions
diff --git a/‎azure-pipelines.yml‎
Lines changed: 78 additions & 0 deletions b/‎azure-pipelines.yml‎
Lines changed: 78 additions & 0 deletions
@@ -2,157 +2,133 @@
 page_type: sample
 languages:
 - javascript
+- nodejs
 products:
-- azure
-description: "For Service-to-Azure-Service authentication, the approach so far involved creating an Azure AD application and associated credential,"
-urlFragment: app-service-msi-keyvault-node
+- azure-key-vault
+- azure-app-service
+description: "How to set and get secrets from Azure Key Vault with Azure Managed Identities and Node.js."
+urlFragment: get-set-keyvault-secrets-managed-id-nodejs
 ---
 
-# Use Key Vault from App Service with Managed Service Identity and Nodejs
+# How to set and get secrets from Azure Key Vault with Azure Managed Identities and Node.js
 
-## Background
-For Service-to-Azure-Service authentication, the approach so far involved creating an Azure AD application and associated credential, and using that credential to get a token. While this approach works well, there are two shortcomings:
-1. The Azure AD application credentials are typically hard coded in source code. Developers tend to push the code to source repositories as-is, which leads to credentials in source.
-2. The Azure AD application credentials expire, and so need to be renewed, else can lead to application downtime.
+## SDK Versions
+In this sample, you will find the following folders:
+* **v3** - references Key Vault SDK v3
+* **v4** - references Key Vault SDK v4
 
-With [Managed Service Identity (MSI)](https://docs.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity), both these problems are solved. This sample shows how a Web App can authenticate to Azure Key Vault without the need to explicitly create an Azure AD application or manage its credentials. 
+## Introduction
+This sample will show how a Web App gets a secret at runtime from Azure Key Vault using a developer account during development, and using Azure Managed Identities when deployed to Azure, without any code changes between local development environment and Azure. As a result, you don't have to explicitly handle a service principal credential to authenticate to Azure AD to get a token to call Key Vault. You also don't have to worry about renewing the service principal credential either, since Azure Managed Identities takes care of that.
 
->Here's another sample that how to use MSI from inside an Azure VM with a Managed Service Identity (MSI) - [https://github.com/Azure-Samples/resource-manager-node-manage-resources-with-msi](https://github.com/Azure-Samples/resource-manager-node-manage-resources-with-msi)
 
 ## Prerequisites
 To run and deploy this sample, you need the following:
-1. An Azure subscription to create an App Service and a Key Vault. 
+* [Node.js]
+* [Git]
+* An Azure subscription to create a Key Vault and other services, such as App Service, used in this sample.
+* An App registration to authenticate.
 
-### Step 1: Create an App Service with a Managed Service Identity (MSI)
-<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure-Samples%2Fapp-service-msi-keyvault-node%2Fmaster%2Fazuredeploy.json" target="_blank">
-    <img src="http://azuredeploy.net/deploybutton.png"/>
-</a>
+If you don't have an Azure subscription or App registration, create a [free account] or [App registration] before you begin.
 
-Use the "Deploy to Azure" button to deploy an ARM template to create the following resources:
-1. App Service with MSI.
-2. Key Vault with a secret, and an access policy that grants the App Service access to **Get Secrets**.
->Note: When filling out the template you will see a textbox labelled 'Key Vault Secret'. Enter a secret value there. A secret with the name 'secret' and value from what you entered will be created in the Key Vault.
+### Step 1: Create an Azure Key Vault and add a secret
+* Create an [Azure Key Vault] from Azure Portal.
+* [Add a secret].
 
-Review the resources created using the Azure portal. You should see an App Service and a Key Vault. View the access policies of the Key Vault to see that the App Service has access to it. 
-
-### Step 2: Grant yourself data plane access to the Key Vault
-Using the Azure Portal, go to the Key Vault's access policies, and grant yourself **Secret Management** access to the Key Vault. This will allow you to run the application on your local development machine. 
-
-1.	Search for your Key Vault in “Search Resources dialog box” in Azure Portal.
-2.	Select "Overview", and click on Access policies
-3.	Click on "Add New", select "Secret Management" from the dropdown for "Configure from template"
-4.	Click on "Select Principal", add your account 
-5.	Save the Access Policies
-
-You can also create an Azure service principal either through
-[Azure CLI](https://azure.microsoft.com/documentation/articles/resource-group-authenticate-service-principal-cli/),
-[PowerShell](https://azure.microsoft.com/documentation/articles/resource-group-authenticate-service-principal/)
-or [the portal](https://azure.microsoft.com/documentation/articles/resource-group-create-service-principal-portal/)
-and grant it the same access.
+### Step 2: Grant yourself Secret Management access to the Key Vault
+From the Azure Portal, go to the Key Vault's access policies, and grant yourself **Secret Management** access to the Key Vault. This will allow you to run the application on your local development machine.
 
+* On your Key Vault **Settings** pages, Select **Access policies**.
+* Click on **Add Access Policy**.
+* Set **Configure from template (optional)** to **Secret Management**.
+* Click on **Select Principal**, add your App registration.
+* Click on **Add**.
+* Click on **Save** to save the Access Policies.
 
 ## Local dev installation
+1.  Clone the repository.
 
-1.  If you don't already have it, [get node.js](https://nodejs.org).
+    ``` bash
+    git clone https://github.com/Azure-Samples/azure-sdk-for-js-keyvault-secrets-get-nodejs-managedid.git
+    ```
 
+2.  Run the following command to install dependencies for "SDK version 3" and "SDK version 4":
 
-1.  Clone the repository.
+    - SDK version 4
 
-    ```
-    git clone https://github.com/Azure-Samples/app-service-msi-keyvault-node.git
+    ``` cmd
+    cd v4
+    npm install
     ```
 
-2.  Install the dependencies using pip.
+    - SDK version 3
 
-    ```
-    cd app-service-msi-keyvault-node
+    ``` cmd
+    cd v3
     npm install
     ```
 
-3.  Set up the environment variable `KEY_VAULT_URL` with your KeyVault URL or replace the variable in the index.js file.
-
-1. Export these environment variables into your current shell or update the credentials in the index.js file.
+3.  Set up the following environment variables or replace these variables in the index.js file.
 
+    Linux
+    ``` bash
+    export KEY_VAULT_URL = "<YourKeyVaultUrl>"
+    export SECRET_NAME = "<YourSecretName>"
+    export SECRET_VERSION = "<YourSecretVersion>"
+    export AZURE_TENANT_ID = "<YourTenantId>"
+    export AZURE_CLIENT_ID = "<YourClientId>"
+    export AZURE_CLIENT_SECRET = "<YourClientSecret>"
     ```
-    export AZURE_TENANT_ID={your tenant id}
-    export AZURE_CLIENT_ID={your client id}
-    export AZURE_CLIENT_SECRET={your client secret}
+
+    Windows
+    ``` cmd
+    setx KEY_VAULT_URL "<YourKeyVaultUrl>"
+    setx SECRET_NAME "<YourSecretName>"
+    setx SECRET_VERSION "<YourSecretVersion>"
+    setx AZURE_TENANT_ID "<YourTenantId>"
+    setx AZURE_CLIENT_ID "<YourClientId>"
+    setx AZURE_CLIENT_SECRET "<YourClientSecret>"
     ```
-    > [AZURE.NOTE] On Windows, use `set` instead of `export`.
 
-1. Run the sample.
+4. Run the sample.
 
-    ```
+    ``` cmd
     node index.js
     ```
 
-1. This sample exposes two endpoints:
-  
-   - `/ping` : This just answers "Hello World!!!" and is a good way to test if your packages are installed correctly without testing Azure itself.
-   - `/` : The MSI sample itself
-
-## Installation on Azure
-
-1. Set the `KEY_VAULT_URI` environment variable using the "Application Settings" of your WebApp. You can also change the value of the variable from `null` in the index.js file.
-
-1. This repo is ready to be deployed using local git. Read this tutorial to get more information on [how to push using local git through portal](https://docs.microsoft.com/en-us/azure/app-service/app-service-deploy-local-git)
+## Deploy this sample to Azure
+1.  Create a [Node.js Web App] in Azure.
 
-## At a glance
+2.  Set environment variables in the **Settings** > **Configuration** > **Application Settings** of your Web App. You can also change the value of the variables from `null` in the index.js file.
 
-Using the `loginWithAppServiceMSI()` method from [ms-rest-azure](https://www.npmjs.com/package/ms-rest-azure) will autodetect if you're on a WebApp and get the token from the MSI endpoint. Then, the code is simply:
-
-```javascript  
-    function getKeyVaultCredentials(){
-        return msRestAzure.loginWithAppServiceMSI({resource: 'https://vault.azure.net'});
-    }
-
-    function getKeyVaultSecret(credentials) {
-        let keyVaultClient = new KeyVault.KeyVaultClient(credentials);
-        return keyVaultClient.getSecret(KEY_VAULT_URI, 'secret', "");
-    }
-
-    getKeyVaultCredentials().then(
-        getKeyVaultSecret
-    ).then(function (secret){
-        console.log(`Your secret value is: ${secret.value}.`);
-    }).catch(function (err) {
-        throw (err);
-    });
-```
-
-If you want to execute this same code in your local environment machine, just use the appropriate login method.
-
-If you need a fallback mechanism to allow this code to switch automatically from MSI to another approach, you can test for environment variables:
-
-```javascript
-function getKeyVaultCredentials(){
-  if (process.env.APPSETTING_WEBSITE_SITE_NAME){
-    return msRestAzure.loginWithAppServiceMSI({resource: 'https://vault.azure.net'});
-  } else {
-    return msRestAzure.loginWithServicePrincipalSecret(clientId, secret, domain);
-  }
-}
-```
-
-## Summary
-
-The web app was successfully able to get a secret at runtime from Azure Key Vault using your developer account during development, and using MSI when deployed to Azure, without any code change between local development environment and Azure. 
-As a result, you did not have to explicitly handle a service principal credential to authenticate to Azure AD to get a token to call Key Vault. You do not have to worry about renewing the service principal credential either, since MSI takes care of that.
-
-## Azure Functions
-
-Azure Functions being powered by Azure WebApp, MSI is also available. You can copy the relevant code from the example into your Azure Functions with the right import.
+3.  This repository is ready to be deployed using local git. Read this tutorial to get more information on [how to push using local git through portal].
 
 ## Troubleshooting
-
-### Common issues when deployed to Azure App Service:
-
-1. MSI is not setup on the App Service. 
-
-Check the environment variables MSI_ENDPOINT and MSI_SECRET exist using [Kudu debug console](https://azure.microsoft.com/en-us/resources/videos/super-secret-kudu-debug-console-for-azure-web-sites/). If these environment variables do not exist, MSI is not enabled on the App Service. Note that after enabling MSI, you need to restart your WebApp.
-
 ### Common issues across environments:
+* Access denied
+
+The principal used does not have access to the Key Vault. The principal used in show on the web page. Grant that user (in case of developer context) or application **Get secret** access to the Key Vault.
+
+## Contributing
+This project welcomes contributions and suggestions. Most contributions require you to agree to a
+Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
+the rights to use your contribution. For details, visit https://cla.microsoft.com.
+
+When you submit a pull request, a CLA-bot will automatically determine whether you need to provide
+a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions
+provided by the bot. You will only need to do this once across all repos using our CLA.
+
+This project has adopted the [Microsoft Open Source Code of Conduct]. For more information see the [Code of Conduct FAQ] or contact [[email protected]] with any additional questions or comments.
+
+<!-- LINKS -->
+[free account]: https://azure.microsoft.com/free/?WT.mc_id=A261C142F
+[App registration]: https://azure.microsoft.com/documentation/articles/resource-group-create-service-principal-portal/
+[Azure Key Vault]:https://docs.microsoft.com/en-us/azure/key-vault/quick-create-portal
+[Add a secret]: https://docs.microsoft.com/en-us/azure/key-vault/quick-create-portal#add-a-secret-to-key-vault
+[Node.js]: https://nodejs.org/en/download/
+[Git]: https://www.git-scm.com/
+[Node.js Web App]: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-get-started-nodejs
+[how to push using local git through portal]: https://docs.microsoft.com/en-us/azure/app-service/app-service-deploy-local-git
+[Microsoft Open Source Code of Conduct]: https://opensource.microsoft.com/codeofconduct/
+[Code of Conduct FAQ]: https://opensource.microsoft.com/codeofconduct/faq/
+[[email protected]]: mailto:[email protected]
 
-1. Access denied
-
-The principal used does not have access to the Key Vault. The principal used in show on the web page. Grant that user (in case of developer context) or application "Get secret" access to the Key Vault. 
@@ -0,0 +1,78 @@
+# Node.js Express Web App to Linux on Azure
+# Build a Node.js Express app and deploy it to Azure as a Linux web app.
+# Add steps that analyze code, save build artifacts, deploy, and more:
+# https://docs.microsoft.com/azure/devops/pipelines/languages/javascript
+
+trigger:
+- master
+
+variables:
+
+  # Azure Resource Manager connection created during pipeline creation
+  azureSubscription: '8ae4228e-79a7-4f32-bc0b-f0de98831791'
+  
+  # Web app name
+  webAppName: 'prjwebapptest'
+  
+  # Environment name
+  environmentName: 'prjwebapptest'
+
+  # Agent VM image name
+  vmImageName: 'ubuntu-latest'
+
+stages:
+- stage: Build
+  displayName: Build stage
+  jobs:  
+  - job: Build
+    displayName: Build
+    pool:
+      vmImage: $(vmImageName)
+      
+    steps:
+    - task: NodeTool@0
+      inputs:
+        versionSpec: '10.x'
+      displayName: 'Install Node.js'
+
+    - script: |
+        npm install
+        npm run build --if-present
+        npm run test --if-present
+      displayName: 'npm install, build and test'
+      
+    - task: ArchiveFiles@2
+      displayName: 'Archive files'
+      inputs:
+        rootFolderOrFile: '$(System.DefaultWorkingDirectory)'
+        includeRootFolder: false
+        archiveType: zip
+        archiveFile: $(Build.ArtifactStagingDirectory)/$(Build.BuildId).zip
+        replaceExistingArchive: true
+
+    - upload: $(Build.ArtifactStagingDirectory)/$(Build.BuildId).zip
+      artifact: drop
+
+- stage: Deploy
+  displayName: Deploy stage
+  dependsOn: Build
+  condition: succeeded()
+  jobs:
+  - deployment: Deploy
+    displayName: Deploy
+    environment: $(environmentName)
+    pool: 
+      vmImage: $(vmImageName)
+    strategy:
+      runOnce:
+        deploy:
+          steps:            
+          - task: AzureWebApp@1
+            displayName: 'Azure Web App Deploy: prjwebapptest'
+            inputs:
+              azureSubscription: $(azureSubscription)
+              appType: webAppLinux
+              appName: $(webAppName)
+              runtimeStack: 'NODE|10.10'
+              package: $(Pipeline.Workspace)/drop/$(Build.BuildId).zip
+              startUpCommand: 'npm run start'