How to Set Environment Variables for Docker Compose Web App

Umer Rashid 150 Reputation points
2024-02-07T13:28:53.2833333+00:00

I am trying to access Azure Key Vault from a Docker Compose Node.js web app deployed in Azure App Service. I created a service principal, granted it access to the Azure Key Vault, and added the service principal's credentials (AZURE_APP_ID, AZURE_PASSWORD, AZURE_TENANT_ID) in a .env file. The code runs OK in the local development environment, but when I deploy it to Azure App, I get this error:

    const err = new AggregateAuthenticationError(errors, "ChainedTokenCredential authentication failed.");
    AggregateAuthenticationError: ChainedTokenCredential authentication failed.
    CredentialUnavailableError: EnvironmentCredential is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.
    CredentialUnavailableError: WorkloadIdentityCredential: is unavailable. tenantId, clientId, and federatedTokenFilePath are required parameters.
    2024-02-07T13:19:32.401073838Z In DefaultAzureCredential and ManagedIdentityCredential, these can be provided as environment variables - "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_FEDERATED_TOKEN_FILE".

I also set the environment variables (AZURE_APP_ID, AZURE_PASSWORD, AZURE_TENANT_ID) in Azure App's configurations but I still get this error. Can you please help me fix this problem?


1 answer

  1. Sina Salam 22,031 Reputation points Volunteer Moderator
    2024-02-07T15:13:18.3733333+00:00

    Hello @Umer Rashid

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Your question is how to set environment variables for a Docker Compose web app, and from the posted error, it looks like the issue you're facing is about the authentication mechanism you're using to access Azure Key Vault from your Docker Compose Node.js web app deployed in Azure App Service. There are three things you will need to quickly look into:

    1. Azure Key Vault Access. Be sure and confirm that the service principal you created has the necessary permissions to access Azure Key Vault. You should grant it the appropriate access policy for the keys, secrets, or certificates it needs to retrieve. If not, wait till #3.
    2. Update Docker Compose Environment Variables. Regarding how to set environment variables for a Docker Compose web app, you will need to update your Docker Compose file to include environment variables for your Node.js application. Also, you've already added the service principal's credentials (AZURE_APP_ID, AZURE_PASSWORD, AZURE_TENANT_ID) in a .env file. Make sure that these environment variables are correctly set in your Docker Compose configuration. Here's how to do it:
    • Open your docker-compose.yml file.
    • Under the service definition for your Node.js application, add an environment section where you can specify environment variables.

    Your code should be similar to this:

    version: '3'
    services:
      web:
        image: your-image-name
        environment:
          - AZURE_APP_ID=your_app_id
          - AZURE_PASSWORD=your_password
          - AZURE_TENANT_ID=your_tenant_id
        ports:
          - "8080:8080"
    

    You will have to replace your_app_id, your_password, and your_tenant_id with the appropriate values.

    • Save the changes to your docker-compose.yml file. Rebuild and redeploy your Docker Compose application to Azure App Service.
    3. Implement Managed Identity. You can configure your Azure App Service to use Managed Identity and grant this identity access to your Azure Key Vault. Then, you won't need to manage service principal credentials in your Docker Compose file. To enable Managed Identity for your Azure App Service:
    • Go to your Azure App Service in the Azure Portal.
    • Under the "Settings" section, select "Identity".
    • Enable system-assigned identity.
    • Once enabled, note down the Azure AD Object ID of the managed identity.

    After enabling Managed Identity for your Azure App Service, you need to grant this managed identity access to your Azure Key Vault. You can do this by setting an access policy for the managed identity in Azure Key Vault.

    • Go to your Azure Key Vault in the Azure Portal. Under the "Access policies" section, add a new access policy. Select the permissions required (e.g., Get, List, etc.). In the "Select principal" field, search for and select the managed identity of your Azure App Service. Save the access policy.

    Go to your Node.js code and make sure you're using the correct method to authenticate with Azure Key Vault. Since you're deploying to Azure App Service, you can use the DefaultAzureCredential class provided by the Azure SDK for JavaScript/Node.js, which automatically chooses the appropriate credential based on the environment (e.g., Managed Identity when deployed to Azure). This is a code sample; yours should be similar:

    const { SecretClient } = require("@azure/keyvault-secrets");
    const { DefaultAzureCredential } = require("@azure/identity");
    const vaultName = "your-keyvault-name";
    const keyVaultUrl = `https://${vaultName}.vault.azure.net`;
    // Use DefaultAzureCredential to authenticate
    const credential = new DefaultAzureCredential();
    const client = new SecretClient(keyVaultUrl, credential);
    // Retrieve a secret from Key Vault
    async function getSecret() {
        const secretName = "your-secret-name";
        const secret = await client.getSecret(secretName);
        // Log only the secret's name; printing secret.value would copy it into the App Service logs
        console.log(`Retrieved secret: ${secret.name}`);
    }
    getSecret().catch(console.error);

    After making these changes, rebuild and redeploy your Docker Compose application to Azure App Service. Test your application to make sure that it can successfully authenticate with Azure Key Vault and retrieve the secrets.

    By following the above steps, you should be able to update your docker file and set environment variables for Docker compose Web App, resolve the authentication issue and access Azure Key Vault securely from your Docker Compose Node.js web app deployed in Azure App Service.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

    Best Regards,
    Sina
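The error in the question names the credentials that DefaultAzureCredential tried and found unavailable. As an added example (not part of the original question or answer), the startup check below reports, by name only and never by value, which variables each of those credentials is missing inside the container; the variable names are the ones documented for @azure/identity and App Service managed identity, and the function name and sample environments are constructed for illustration.

```javascript
// Added example. Variable names are those documented for @azure/identity and
// App Service managed identity; the sample environments are constructed.
const CHAIN = [
  { name: "EnvironmentCredential (client secret)",
    needs: ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"] },
  { name: "EnvironmentCredential (client certificate)",
    needs: ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_CERTIFICATE_PATH"] },
  { name: "WorkloadIdentityCredential",
    needs: ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_FEDERATED_TOKEN_FILE"] },
  { name: "ManagedIdentityCredential (App Service)",
    needs: ["IDENTITY_ENDPOINT", "IDENTITY_HEADER"] },
];

// Reports variable names only, so the result is safe to write to logs.
function checkAzureAuthEnv(env) {
  const isSet = (k) => typeof env[k] === "string" && env[k].trim() !== "";
  const inTable = new Set(CHAIN.flatMap((c) => c.needs));
  const credentials = CHAIN.map((c) => ({
    name: c.name,
    missing: c.needs.filter((k) => !isSet(k)),
  }));
  return {
    // Credentials whose required variables are all present
    usable: credentials.filter((c) => c.missing.length === 0).map((c) => c.name),
    credentials,
    // AZURE_* variables that are set but that no credential in CHAIN reads
    unused: Object.keys(env)
      .filter((k) => k.startsWith("AZURE_") && !inTable.has(k))
      .sort(),
  };
}

// Constructed sample: the variable names used in the question
const QUESTION_ENV = {
  AZURE_APP_ID: "placeholder-app-id",
  AZURE_PASSWORD: "placeholder-password",
  AZURE_TENANT_ID: "placeholder-tenant-id",
};
// Constructed sample: a container that received the managed identity endpoint
const MANAGED_IDENTITY_ENV = {
  IDENTITY_ENDPOINT: "http://placeholder.invalid/msi/token",
  IDENTITY_HEADER: "placeholder-header",
};

// At container start, print the report for the real environment
console.log(JSON.stringify(checkAzureAuthEnv(process.env), null, 2));
```
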
