
Managing Secrets with get-secrets.js

Abigail Smith edited this page Sep 17, 2025 · 3 revisions


Managing sensitive information like API keys, connection strings, and authentication credentials is a critical part of building secure and reliable applications. Azure Key Vault provides a centralized and secure way to store and manage secrets, ensuring they remain protected and accessible only to authorized users or applications.

This page provides a guide on how to use the get-secrets.js utility script to populate local environment files (.env) with secrets from Azure Key Vault.


Core Functionality

The get-secrets.js script automates the process of populating a local .env file from a .env.example template and the secrets stored in Azure Key Vault. It performs the following key steps:

  • Secret Discovery: It connects, via the Azure CLI, to one or more Key Vaults named on the command line.
  • Tag Matching: It selects the secrets that carry a tag named e2e, and uses each tag's value as the name of an environment variable from the .env.example file. Secrets without that tag are never pulled.
  • Value Retrieval: It reads the value of each matched secret using the logged-in Azure identity.
  • File Generation: It creates or updates the local .env file, populating the matched environment variables with the retrieved secret values.

Prerequisites

To use this script, you must have the following tools installed and configured on your machine:

  • Node.js: A stable Node.js installation.
  • Yarn: The Yarn package manager.
  • Azure CLI: The Azure command-line interface, which the script uses to communicate with Key Vault.
    • Installation for macOS: brew install azure-cli
  • Authenticated Azure Session: You must be logged into your Azure account via the CLI by running az login. The identity you log in with also needs permission to list and read secrets in each Key Vault you target (for example the Key Vault Secrets User role, or get and list secret permissions on a vault that uses access policies); without it the script cannot discover or fetch the tagged secrets.

How to Implement and Use

1. Define Your .env.example

Create a .env.example file at the root of your project. This file serves as a template for all required environment variables and contains names only, never values. It should be committed to version control. The actual .env file, which will contain the live secret values in plaintext, must be added to your .gitignore to prevent it from being committed.

Example .env.example:

IDAM_SECRET=
USER_PASSWORD=
CLIENT_SECRET=

2. Tag Secrets in Azure Key Vault

For each secret you want to pull into your .env file, you must add a tag in Azure Key Vault. This tag creates the link between the Key Vault secret and the local environment variable.

  • Tag Name (Key): e2e
  • Tag Value: The exact name of the environment variable, matching the .env.example entry character for character, including case (e.g., IDAM_SECRET). A secret without the e2e tag, or with a tag value that does not appear in .env.example, is not pulled.

3. Using the get-secrets script

Using secrets for local development:

  1. Open your terminal and navigate to your project's root folder (the directory containing .env.example).
  2. Run the script with the relevant Key Vault name(s) as arguments.
  • Single Key Vault: yarn get-secrets prl-aat

This command will automatically create or update your local .env file.

Using secrets in CI/CD pipelines: In a CI/CD environment like Jenkins, the script should be added as a pre-build or pre-test step in your pipeline configuration (Jenkinsfile). This ensures that the secrets are fetched and available before the tests or application are run. The same requirements apply as locally: the agent must run under an Azure identity that can read the vault, and the generated .env contains live credentials, so it must not be archived as a build artifact or printed into the build log.


Adding a New Secret

Follow these steps when adding a new secret to your project:

  1. Verify the secret does not already exist in the relevant Key Vault.
  2. Add the new environment variable name to the project's .env.example file.
  3. Add the secret value to the Azure Key Vault.
  4. Tag the new secret in the Key Vault with name: e2e and value: <ENV_VAR_NAME>.
  5. Update the relevant CI/CD pipeline configuration (Jenkinsfile_nightly or Jenkinsfile_CNP) to include the new secret.
  6. Run the yarn get-secrets script locally for the relevant Key Vault(s) to confirm it works correctly.

Note: Remember to perform these steps for both AAT and DEMO environments if the secret is needed in both.

Link to the script in the playwright-common library: https://github.com/hmcts/playwright-common/blob/master/src/scripts/get-secrets.js