@azure/keyvault-secrets
Advanced tools
@azure/keyvault-secrets is an npm package that allows you to manage secrets in Azure Key Vault. It provides functionalities to store, retrieve, update, and delete secrets securely.
Store a Secret
This code demonstrates how to store a secret in Azure Key Vault using the @azure/keyvault-secrets package. It uses DefaultAzureCredential for authentication and SecretClient to interact with the Key Vault.
const { DefaultAzureCredential } = require('@azure/identity');
const { SecretClient } = require('@azure/keyvault-secrets');
const credential = new DefaultAzureCredential();
const url = `https://<Your-Key-Vault-Name>.vault.azure.net`;
const client = new SecretClient(url, credential);
async function setSecret() {
const result = await client.setSecret('mySecretName', 'mySecretValue');
console.log('Secret set: ', result);
}
setSecret();Retrieve a Secret
This code demonstrates how to retrieve a secret from Azure Key Vault using the @azure/keyvault-secrets package. It uses DefaultAzureCredential for authentication and SecretClient to interact with the Key Vault.
const { DefaultAzureCredential } = require('@azure/identity');
const { SecretClient } = require('@azure/keyvault-secrets');
const credential = new DefaultAzureCredential();
const url = `https://<Your-Key-Vault-Name>.vault.azure.net`;
const client = new SecretClient(url, credential);
async function getSecret() {
const result = await client.getSecret('mySecretName');
console.log('Secret retrieved: ', result.value);
}
getSecret();Update a Secret
This code demonstrates how to update a secret's properties in Azure Key Vault using the @azure/keyvault-secrets package. It uses DefaultAzureCredential for authentication and SecretClient to interact with the Key Vault.
const { DefaultAzureCredential } = require('@azure/identity');
const { SecretClient } = require('@azure/keyvault-secrets');
const credential = new DefaultAzureCredential();
const url = `https://<Your-Key-Vault-Name>.vault.azure.net`;
const client = new SecretClient(url, credential);
async function updateSecret() {
const result = await client.updateSecretProperties('mySecretName', { enabled: false });
console.log('Secret updated: ', result);
}
updateSecret();Delete a Secret
This code demonstrates how to delete a secret from Azure Key Vault using the @azure/keyvault-secrets package. It uses DefaultAzureCredential for authentication and SecretClient to interact with the Key Vault.
const { DefaultAzureCredential } = require('@azure/identity');
const { SecretClient } = require('@azure/keyvault-secrets');
const credential = new DefaultAzureCredential();
const url = `https://<Your-Key-Vault-Name>.vault.azure.net`;
const client = new SecretClient(url, credential);
async function deleteSecret() {
const result = await client.beginDeleteSecret('mySecretName');
console.log('Secret deletion started: ', result);
}
deleteSecret();The aws-sdk package for Node.js provides a comprehensive set of tools for interacting with AWS services, including AWS Secrets Manager. It allows you to store, retrieve, and manage secrets in a secure manner. Compared to @azure/keyvault-secrets, aws-sdk offers a broader range of functionalities beyond just secrets management, covering various AWS services.
The vault package is a client for HashiCorp Vault, a tool for securely accessing secrets. It provides functionalities to store, retrieve, and manage secrets across various environments. Compared to @azure/keyvault-secrets, vault is platform-agnostic and can be used with multiple cloud providers and on-premises environments.
Azure Key Vault is a service that allows you to encrypt authentication keys, storage account keys, data encryption keys, .pfx files, and passwords by using secured keys. If you would like to know more about Azure Key Vault, you may want to review: What is Azure Key Vault?
Azure Key Vault Secrets management allows you to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
Use the client library for Azure Key Vault Secrets in your Node.js application to:
Note: This package cannot be used in the browser due to Azure Key Vault service limitations, please refer to this document for guidance.
Key links:
Install the Azure Key Vault Secret client library using npm:
npm install @azure/keyvault-secrets
Key Vault clients authenticate using the Azure Identity Library. Install it as well using npm
npm install @azure/identity
TypeScript users need to have Node type definitions installed:
npm install @types/node
You also need to enable compilerOptions.allowSyntheticDefaultImports in your tsconfig.json. Note that if you have enabled compilerOptions.esModuleInterop, allowSyntheticDefaultImports is enabled by default. See TypeScript's compiler options handbook for more information.
Use the Azure Cloud Shell snippet below to create/get client secret credentials.
Create a service principal and configure its access to Azure resources:
az ad sp create-for-rbac -n <your-application-name> --skip-assignment
Output:
{
"appId": "generated-app-ID",
"displayName": "dummy-app-name",
"name": "http://dummy-app-name",
"password": "random-password",
"tenant": "tenant-ID"
}
Use the above returned credentials information to set AZURE_CLIENT_ID(appId), AZURE_CLIENT_SECRET(password) and AZURE_TENANT_ID(tenant) environment variables. The following example shows a way to do this in Bash:
export AZURE_CLIENT_ID="generated-app-ID"
export AZURE_CLIENT_SECRET="random-password"
export AZURE_TENANT_ID="tenant-ID"
Grant the above mentioned application authorization to perform secret operations on the keyvault:
az keyvault set-policy --name <your-key-vault-name> --spn $AZURE_CLIENT_ID --secret-permissions backup delete get list purge recover restore set
--secret-permissions: Accepted values: backup, delete, get, list, purge, recover, restore, set
If you have enabled role-based access control (RBAC) for Key Vault instead, you can find roles like "Key Vault Secrets Officer" in our RBAC guide.
Use the above mentioned Key Vault name to retrieve details of your Vault which also contains your Key Vault URL:
az keyvault show --name <your-key-vault-name>
The Key Vault service relies on Azure Active Directory to authenticate requests to its APIs. The @azure/identity package provides a variety of credential types that your application can use to do this. The README for @azure/identity provides more details and samples to get you started.
Here's a quick example. First, import DefaultAzureCredential and SecretClient:
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");
Once these are imported, we can next connect to the Key Vault service. To do this, we'll need to copy some settings from the Key Vault we are connecting to into our environment variables. Once they are in our environment, we can access them with the following code:
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");
// DefaultAzureCredential expects the following three environment variables:
// * AZURE_TENANT_ID: The tenant ID in Azure Active Directory
// * AZURE_CLIENT_ID: The application (client) ID registered in the AAD tenant
// * AZURE_CLIENT_SECRET: The client secret for the registered application
const credential = new DefaultAzureCredential();
// Build the URL to reach your key vault
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
// Lastly, create our secrets client and connect to the service
const client = new SecretClient(url, credential);
By default, this package uses the latest Azure Key Vault service version which is 7.1. The only other version that is supported is 7.0. You can change the service version being used by setting the option serviceVersion in the client constructor as shown below:
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
// Change the Azure Key Vault service API version being used via the `serviceVersion` option
const client = new SecretClient(url, credential, {
serviceVersion: "7.0"
});
The following sections provide code snippets that cover some of the common tasks using Azure Key Vault Secrets. The scenarios that are covered here consist of:
setSecret assigns a provided value to the specified secret name. If a secret
with the same name already exists, then a new version of the secret is created.
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new SecretClient(url, credential);
const secretName = "MySecretName";
async function main() {
const result = await client.setSecret(secretName, "MySecretValue");
console.log("result: ", result);
}
main();
The simplest way to read secrets back from the vault is to get a secret by name. This will retrieve the most recent version of the secret. You can optionally get a different version of the key if you specify it as part of the optional parameters.
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new SecretClient(url, credential);
const secretName = "MySecretName";
async function main() {
const latestSecret = await client.getSecret(secretName);
console.log(`Latest version of the secret ${secretName}: `, latestSecret);
const specificSecret = await client.getSecret(secretName, { version: latestSecret.properties.version! });
console.log(`The secret ${secretName} at the version ${latestSecret.properties.version!}: `, specificSecret);
}
main();
A secret can have more information than its name and its value. They can also include the following attributes:
tags: Any set of key-values that can be used to search and filter secrets.contentType: Any string that can be used to help the receiver of the secret understand how to use the secret value.enabled: A boolean value that determines whether the secret value can be read or not.notBefore: A given date after which the secret value can be retrieved.expires: A given date after which the secret value cannot be retrieved.An object with these attributes can be sent as the third parameter of
setSecret, right after the secret's name and value, as follows:
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new SecretClient(url, credential);
const secretName = "MySecretName";
async function main() {
const result = await client.setSecret(secretName, "MySecretValue", {
enabled: false
});
}
main();
This will create a new version of the same secret, which will have the latest provided attributes.
Attributes can also be updated to an existing secret version with
updateSecretProperties, as follows:
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new SecretClient(url, credential);
const secretName = "MySecretName";
async function main() {
const result = await client.getSecret(secretName);
await client.updateSecretProperties(secretName, result.properties.version, { enabled: false });
}
main();
The beginDeleteSecret method starts the deletion of a Secret.
This process will happen in the background as soon as the necessary resources
are available.
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new SecretClient(url, credential);
const secretName = "MySecretName";
async function main() {
await client.beginDeleteSecret(secretName);
}
main();
If soft-delete is enabled for the Key Vault, this operation will only label the secret as a deleted secret. A deleted secret can't be updated. They can only be either read, recovered or purged.
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new SecretClient(url, credential);
const secretName = "MySecretName";
async function main() {
const poller = await client.beginDeleteSecret(secretName);
// You can use the deleted secret immediately:
const deletedSecret = poller.getResult();
// The secret is being deleted. Only wait for it if you want to restore it or purge it.
await poller.pollUntilDone();
// You can also get the deleted secret this way:
await client.getDeletedSecret(secretName);
// Deleted secrets can also be recovered or purged.
// recoverDeletedSecret returns a poller, just like beginDeleteSecret.
const recoverPoller = await client.beginRecoverDeletedSecret(secretName);
await recoverPoller.pollUntilDone();
// And then, to purge the deleted secret:
await client.purgeDeletedSecret(secretName);
}
main();
Since Secrets take some time to get fully deleted, beginDeleteSecret
returns a Poller object that keeps track of the underlying Long Running
Operation according to our guidelines:
https://azure.github.io/azure-sdk/typescript_design.html#ts-lro
The received poller will allow you to get the deleted secret by calling to poller.getResult().
You can also wait until the deletion finishes, either by running individual service
calls until the secret is deleted, or by waiting until the process is done:
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new SecretClient(url, credential);
const secretName = "MySecretName";
async function main() {
const poller = await client.beginDeleteSecret(secretName);
// You can use the deleted secret immediately:
let deletedSecret = poller.getResult();
// Or you can wait until the secret finishes being deleted:
deletedSecret = await poller.pollUntilDone();
console.log(deletedSecret);
}
main();
Another way to wait until the secret is fully deleted is to do individual calls, as follows:
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");
const { delay } = require("@azure/core-http");
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new SecretClient(url, credential);
const secretName = "MySecretName";
async function main() {
const poller = await client.beginDeleteSecret(secretName);
while (!poller.isDone()) {
await poller.poll();
await delay(5000);
}
console.log(`The secret ${secretName} is fully deleted`);
}
main();
Using the SecretClient, you can retrieve and iterate through all of the secrets in a Key Vault, as well as through all of the deleted secrets and the versions of a specific secret. The following API methods are available:
listPropertiesOfSecrets will list all of your non-deleted secrets by their names, only
at their latest versions.listDeletedSecrets will list all of your deleted secrets by their names,
only at their latest versions.listPropertiesOfSecretVersions will list all the versions of a secret based on a secret
name.Which can be used as follows:
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new SecretClient(url, credential);
const secretName = "MySecretName";
async function main() {
for await (let secretProperties of client.listPropertiesOfSecrets()) {
console.log("Secret properties: ", secretProperties);
}
for await (let deletedSecret of client.listDeletedSecrets()) {
console.log("Deleted secret: ", deletedSecret);
}
for await (let versionProperties of client.listPropertiesOfSecretVersions(secretName)) {
console.log("Version properties: ", versionProperties);
}
}
main();
All of these methods will return all of the available results at once. To
retrieve them by pages, add .byPage() right after invoking the API method you
want to use, as follows:
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new SecretClient(url, credential);
const secretName = "MySecretName";
async function main() {
for await (let page of client.listPropertiesOfSecrets().byPage()) {
for (let secretProperties of page) {
console.log("Secret properties: ", secretProperties);
}
}
for await (let page of client.listDeletedSecrets().byPage()) {
for (let deletedSecret of page) {
console.log("Deleted secret: ", deletedSecret);
}
}
for await (let page of client.listPropertiesOfSecretVersions(secretName).byPage()) {
for (let versionProperties of page) {
console.log("Version properties: ", versionProperties);
}
}
}
main();
Enabling logging may help uncover useful information about failures. In order to see a log of HTTP requests and responses, set the AZURE_LOG_LEVEL environment variable to info. Alternatively, logging can be enabled at runtime by calling setLogLevel in the @azure/logger:
import { setLogLevel } from "@azure/logger";
setLogLevel("info");
You can find more code samples through the following links:
If you'd like to contribute to this library, please read the contributing guide to learn more about how to build and test the code.
FAQs
Isomorphic client library for Azure KeyVault's secrets.
We found that @azure/keyvault-secrets demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Members Hub is conducting large-scale campaigns to artificially boost Discord server metrics, undermining community trust and platform integrity.
Security News
NIST has failed to meet its self-imposed deadline of clearing the NVD's backlog by the end of the fiscal year. Meanwhile, CVE's awaiting analysis have increased by 33% since June.
Security News
Cloudflare has launched a setup wizard allowing users to easily create and manage a security.txt file for vulnerability disclosure on their websites.