austin2153/nodejs-managed-identity

Azure Key Vault with Managed Identity — Node.js demo

Demonstrates how to fetch a secret from Azure Key Vault using Managed Identity in Node.js. No credentials in the code or environment — authentication is handled automatically by the Azure identity platform when running on a VM or App Service with a Managed Identity assigned.

How it works

  1. A System-assigned Managed Identity is enabled on the Azure VM
  2. The identity is granted the Key Vault Secrets User role on the Key Vault
  3. The app uses DefaultAzureCredential from the Azure SDK, which automatically detects and uses the Managed Identity when running in Azure

Setup

1. Enable Managed Identity on your VM

In the Azure portal, go to your VM → Identity → System assigned → toggle On.

2. Grant Key Vault access

In your Key Vault → Access control (IAM) → Add role assignment:

  • Role: Key Vault Secrets User
  • Assign access to: Managed identity
  • Select your VM

3. Configure the app

git clone <repo>
cd nodejs-managed-identity
npm install
cp .env.example .env
# Edit .env with your Key Vault name and secret name

4. Run

node index.js

Expected output:

Fetched secret: <your-secret-value>

Verifying Managed Identity from the VM

curl "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net" -H Metadata:true

A valid token response confirms the Managed Identity is working before running the app.
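The same check as the curl command above, as an added Node.js example that is not part of this repository's code: it summarises the IMDS response (audience, identity object ID, remaining lifetime) without ever printing the token. The function names and the `CHECK_IMDS` switch are hypothetical, and the sample response is constructed so the script also runs off-VM.

```javascript
// Added example: not part of the repository's code.
const http = require("node:http");

const RESOURCE = "https://vault.azure.net";
const IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token" +
  "?api-version=2018-02-01&resource=" + encodeURIComponent(RESOURCE);

// Decode the JWT payload (middle segment). No signature check: this is a
// diagnostic on a token we just requested, not an authorization decision.
function decodeClaims(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("access_token is not a JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Summarise an IMDS response; the token itself is never returned or logged.
// Assumption: a Key Vault token carries aud exactly equal to RESOURCE.
function summarizeTokenResponse(body, nowSec = Math.floor(Date.now() / 1000)) {
  const res = typeof body === "string" ? JSON.parse(body) : body;
  if (res.error) return { ok: false, reason: `${res.error}: ${res.error_description}` };
  const claims = decodeClaims(res.access_token);
  const secondsLeft = Number(res.expires_on) - nowSec;
  return { ok: claims.aud === RESOURCE && secondsLeft > 0,
           audience: claims.aud, objectId: claims.oid, secondsLeft };
}

// Live query; only works from inside an Azure VM with an identity assigned.
function fetchImdsToken() {
  return new Promise((resolve, reject) => {
    const opts = { headers: { Metadata: "true" }, timeout: 3000 };
    const req = http.get(IMDS_URL, opts, (r) => {
      let data = "";
      r.on("data", (chunk) => (data += chunk));
      r.on("end", () => resolve(data));
    });
    req.on("timeout", () => req.destroy(new Error("IMDS timed out (not on an Azure VM?)")));
    req.on("error", reject);
  });
}

// Constructed sample response (fake token, all-zero object ID) for offline runs.
function makeSampleResponse(aud, expiresOn) {
  const seg = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const claims = { aud, oid: "00000000-0000-0000-0000-000000000000", exp: expiresOn };
  const jwt = [seg({ alg: "none" }), seg(claims), "sig"].join(".");
  return JSON.stringify({ access_token: jwt, expires_on: String(expiresOn), token_type: "Bearer" });
}

if (process.env.CHECK_IMDS === "1") { // hypothetical switch for the live check
  fetchImdsToken().then((b) => console.log(summarizeTokenResponse(b)), (e) => console.error(e.message));
} else {
  console.log(summarizeTokenResponse(makeSampleResponse(RESOURCE, 2000000000), 1900000000));
}
```

On the VM, run it with `CHECK_IMDS=1` to query the live endpoint; `ok: false` with a `reason` means IMDS returned an error instead of a token.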
