- Published on
Adding Secrets in Azure Key Vault: Step-by-Step Portal and Coding Guide
- Authors
- Name
- Jagdish Kumawat
- @jagdishkumawat
Introduction
Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets. This guide will walk you through the process of adding secrets to Azure Key Vault using both the Azure portal and coding examples. By the end of this tutorial, you will have a solid understanding of how to manage your secrets effectively in Azure Key Vault.
Table of Contents
Prerequisites
Before you begin, ensure you have the following prerequisites in place:
- Valid Azure Subscription: You need an active Azure subscription. If you don't have one, refer to our blog post on Creating a New Azure Subscription.
- Key Vault Resource: You must have an existing Azure Key Vault resource. If you need help creating one, refer to our blog post on Creating an Azure Key Vault.
- Valid RBAC Roles: Ensure you have the necessary Role-Based Access Control (RBAC) roles assigned. For more information on RBAC roles and how to assign them, check out our blog post on Managing Azure RBAC Roles.
Adding Secrets in Azure Key Vault Using Azure Portal
Follow these steps to add secrets to your Azure Key Vault using the Azure portal:
- Navigate to Azure Portal: Open your web browser and go to the Azure Portal.
- Access Your Key Vault: In the Azure Portal, navigate to your Key Vault resource. You can find it by searching for "Key Vaults" in the search bar at the top.
- Select Secrets: In the Key Vault resource menu, select the "Secrets" option under the "Objects" section.
- Add a New Secret: Click on the "+ Generate/Import" button to add a new secret.
- Enter Secret Details:
- Upload Options: Choose "Manual" for manually entering the secret value.
- Name: Enter a unique name for your secret.
- Secret Value: Enter the value of the secret you want to store.
- Content Type: Optionally, you can specify the content type of the secret (e.g., text/plain).
- Activation date: Optionally, you can add activation date for certain secrets such as Microsoft App Passwords.
- Set expiration date: Optionally, you can set an expiration date for the secret.
- Create the Secret: Click the "Create" button to add the secret to your Key Vault.
- Verify the Secret: Once the secret is created, you can verify it by checking the list of secrets in your Key Vault. You should see the newly added secret in the list.
By following these steps, you can securely add secrets to your Azure Key Vault using the Azure portal.
Adding Secrets in Azure Key Vault Using Code
In this section, we will demonstrate how to add secrets to Azure Key Vault using different programming languages: C#, Python, Node.js, Go, and Java.
.NET C#
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
namespace key_vault_console_app
{
class Program
{
static async Task Main(string[] args)
{
const string secretName = "SECRET_NAME";
var keyVaultName = "KV_NAME"
var kvUri = $"https://{keyVaultName}.vault.azure.net";
var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
var secretValue = "SECRET_VALUE"
Console.Write($"Creating a secret in {keyVaultName} called '{secretName}' with the value '{secretValue}' ...");
await client.SetSecretAsync(secretName, secretValue);
Console.WriteLine(" done.");
Console.WriteLine("Forgetting your secret.");
secretValue = string.Empty;
Console.WriteLine($"Your secret is '{secretValue}'.");
Console.WriteLine($"Retrieving your secret from {keyVaultName}.");
var secret = await client.GetSecretAsync(secretName);
Console.WriteLine($"Your secret is '{secret.Value.Value}'.");
Console.Write($"Deleting your secret from {keyVaultName} ...");
DeleteSecretOperation operation = await client.StartDeleteSecretAsync(secretName);
// You only need to wait for completion if you want to purge or recover the secret.
await operation.WaitForCompletionAsync();
Console.WriteLine(" done.");
Console.Write($"Purging your secret from {keyVaultName} ...");
await client.PurgeDeletedSecretAsync(secretName);
Console.WriteLine(" done.");
}
}
}
Python
import os
from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential
keyVaultName = "KV_NAME"
KVUri = f"https://KV_NAME.vault.azure.net"
credential = DefaultAzureCredential()
client = SecretClient(vault_url=KVUri, credential=credential)
secretName = "SECRET_NAME"
secretValue = "SECRET_VALUE"
print(f"Creating a secret in KV_NAME called '{secretName}' with the value '{secretValue}' ...")
client.set_secret(secretName, secretValue)
print(" done.")
print(f"Retrieving your secret from KV_NAME.")
retrieved_secret = client.get_secret(secretName)
print(f"Your secret is '{retrieved_secret.value}'.")
print(f"Deleting your secret from KV_NAME ...")
poller = client.begin_delete_secret(secretName)
deleted_secret = poller.result()
print(" done.")
Node.js
const { SecretClient } = require("@azure/keyvault-secrets");
const { DefaultAzureCredential } = require("@azure/identity");
async function main() {
const credential = new DefaultAzureCredential();
const keyVaultName = "KV_NAME";
const url = "https://" + keyVaultName + ".vault.azure.net";
const client = new SecretClient(url, credential);
// Create a secret
// The secret can be a string of any kind. For example,
// a multiline text block such as an RSA private key with newline characters,
// or a stringified JSON object, like `JSON.stringify({ mySecret: 'SECRET_VALUE'})`.
const secretName = "SECRET_NAME"
const result = await client.setSecret(secretName, "SECRET_VALUE");
console.log("result: ", result);
// Read the secret we created
const secret = await client.getSecret(secretName);
console.log("secret: ", secret);
// Update the secret with different attributes
const updatedSecret = await client.updateSecretProperties(secretName, result.properties.version, {
enabled: false
});
console.log("updated secret: ", updatedSecret);
// Delete the secret
// If we don't want to purge the secret later, we don't need to wait until this finishes
await client.beginDeleteSecret(secretName);
}
main().catch((error) => {
console.error("An error occurred:", error);
process.exit(1);
});
Java
package com.keyvault.secrets.quickstart;
import java.io.Console;
import com.azure.core.util.polling.SyncPoller;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.DeletedSecret;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
public class App {
public static void main(String[] args) throws InterruptedException, IllegalArgumentException {
String keyVaultName = "KV_NAME
String keyVaultUri = "https://" + keyVaultName + ".vault.azure.net";
System.out.printf("key vault name = %s and key vault URI = %s \n", keyVaultName, keyVaultUri);
SecretClient secretClient = new SecretClientBuilder()
.vaultUrl(keyVaultUri)
.credential(new DefaultAzureCredentialBuilder().build())
.buildClient();
String secretName = "SECRET_NAME";
String secretValue = "SECRET_VALUE";
System.out.print("Creating a secret in " + keyVaultName + " called '" + secretName + "' with value '" + secretValue + " ... ");
secretClient.setSecret(new KeyVaultSecret(secretName, secretValue));
System.out.println("done.");
System.out.println("Forgetting your secret.");
secretValue = "";
System.out.println("Your secret's value is '" + secretValue + "'.");
System.out.println("Retrieving your secret from " + keyVaultName + ".");
KeyVaultSecret retrievedSecret = secretClient.getSecret(secretName);
System.out.println("Your secret's value is '" + retrievedSecret.getValue() + "'.");
System.out.print("Deleting your secret from " + keyVaultName + " ... ");
SyncPoller<DeletedSecret, Void> deletionPoller = secretClient.beginDeleteSecret(secretName);
deletionPoller.waitForCompletion();
System.out.println("done.");
}
}
Go
package main
import (
"context"
"fmt"
"log"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
)
func main() {
mySecretName := "SECRET_NAME"
mySecretValue := "SECRET_VALUE"
keyVaultName := "KV_NAME"
keyVaultUrl := fmt.Sprintf("https://%s.vault.azure.net/", keyVaultName)
//Create a credential using the NewDefaultAzureCredential type.
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("failed to obtain a credential: %v", err)
}
//Establish a connection to the Key Vault client
client, err := azsecrets.NewClient(keyVaultURL, cred, nil)
if err != nil {
log.Fatalf("failed to connect to client: %v", err)
}
//Create a secret
_, err = client.SetSecret(context.TODO(), mySecretName, mySecretValue, nil)
if err != nil {
log.Fatalf("failed to create a secret: %v", err)
}
//Get a secret
resp, err := client.GetSecret(context.TODO(), mySecretName, nil)
if err != nil {
log.Fatalf("failed to get the secret: %v", err)
}
fmt.Printf("secretValue: %s\n", *resp.Value)
//List secrets
pager := client.ListSecrets(nil)
for pager.NextPage(context.TODO()) {
resp := pager.PageResponse()
for _, secret := range resp.Secrets {
fmt.Printf("Secret ID: %s\n", *secret.ID)
}
}
if pager.Err() != nil {
log.Fatalf("failed to get list secrets: %v", err)
}
//Delete a secret
respDel, err := client.BeginDeleteSecret(context.TODO(), mySecretName, nil)
_, err = respDel.PollUntilDone(context.TODO(), time.Second)
if err != nil {
log.Fatalf("failed to delete secret: %v", err)
}
fmt.Println(mySecretName + " has been deleted\n")
}