Package com.azure.security.keyvault.secrets


Azure Key Vault is a Microsoft Azure service for storing, managing, and accessing secrets such as passwords, connection strings, API keys, and other sensitive values. It gives applications a single, access-controlled location for this material instead of configuration files or source code, and it records who accessed what. Azure Key Vault Secrets offers several key features, including:

  • Secret management: Secrets can be stored, read, updated, and deleted, and every write produces a new version; backup and restore of individual secrets are supported.
  • Access control: Access is granted to specific users, applications, or services through Azure role-based access control (RBAC) or vault access policies, so that, for example, an application can be allowed to read secrets without being able to list, set, or delete them.
  • Integration with other Azure services: Azure Key Vault Secrets integrates with services such as Azure App Service, Azure Functions, and Azure Virtual Machines, typically through a managed identity, so that application code never handles a long-lived credential for the vault itself.
  • High availability and scalability: The service is designed for high availability and can handle large numbers of secrets and requests.

The Azure Key Vault Secrets client library allows developers to interact with the Azure Key Vault service from their applications. The library provides a set of APIs that enable developers to securely store, manage, and retrieve secrets in a key vault, and supports operations such as creating, updating, deleting, and retrieving secrets.

Key Concepts:

What is a Secret Client?

The secret client performs the interactions with the Azure Key Vault service for getting, setting, updating, deleting, and listing secrets and their versions. Asynchronous (SecretAsyncClient) and synchronous (SecretClient) clients exist in the SDK, allowing you to choose a client based on your application's use case. Once you've initialized a secret client, you can interact with the primary resource types in Key Vault.

What is an Azure Key Vault Secret?

A secret is the fundamental resource within Azure Key Vault. From a developer's perspective, Key Vault APIs accept and return secret values as strings; the service does not interpret the value. In addition to the secret value, the following attributes may be specified:

  1. enabled: Specifies whether the secret value can be retrieved. The service refuses to return the value of a disabled secret.
  2. notBefore: Identifies the time before which the secret is not yet active.
  3. expires: Identifies the expiration time on or after which the secret value should not be retrieved.
  4. created: Indicates when this version of the secret was created. Set by the service; read-only.
  5. updated: Indicates when this version of the secret was last updated. Set by the service; read-only.

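The attributes above are set and changed through SecretProperties rather than by re-sending the value. The following is an added example, not code from the Azure SDK documentation: it stores a secret with an activation time and a 90-day expiry, disables it by updating only its properties, and shows the service refusing the subsequent read. The vault URL is assumed to come from a KEY_VAULT_URL environment variable, and the secret name and value are placeholders.

```java
import com.azure.core.exception.HttpResponseException;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
import com.azure.security.keyvault.secrets.models.SecretProperties;

import java.time.OffsetDateTime;
import java.time.ZoneOffset;

public class SecretAttributesExample {
    public static void main(String[] args) {
        // Assumption for this example: the vault URL is supplied by the environment,
        // never hard-coded alongside application code.
        SecretClient client = new SecretClientBuilder()
            .credential(new DefaultAzureCredentialBuilder().build())
            .vaultUrl(System.getenv("KEY_VAULT_URL"))
            .buildClient();

        OffsetDateTime now = OffsetDateTime.now(ZoneOffset.UTC);

        // "db-password" and its value are placeholders; a real value would come from a generator.
        KeyVaultSecret toStore = new KeyVaultSecret("db-password", "placeholder-generated-value")
            .setProperties(new SecretProperties()
                .setEnabled(true)
                .setNotBefore(now)
                .setExpiresOn(now.plusDays(90)));

        KeyVaultSecret stored = client.setSecret(toStore);
        // Log version and expiry only; the value itself stays out of logs.
        System.out.printf("Stored version %s, expires %s%n",
            stored.getProperties().getVersion(), stored.getProperties().getExpiresOn());

        // Disable the secret. updateSecretProperties sends attributes only; the value is not re-sent,
        // and created/updated are filled in by the service.
        SecretProperties disabled = client.updateSecretProperties(
            stored.getProperties().setEnabled(false));
        System.out.printf("Enabled after update: %s, updated at %s%n",
            disabled.isEnabled(), disabled.getUpdatedOn());

        // The service refuses to return the value of a disabled secret; surface the HTTP status.
        try {
            client.getSecret("db-password");
            System.out.println("Unexpected: disabled secret was returned");
        } catch (HttpResponseException e) {
            System.out.printf("getSecret refused with HTTP %d%n", e.getResponse().getStatusCode());
        }
    }
}
```

Disabling, rather than deleting, is the usual first step when retiring a credential: the version and its value remain in the vault for rollback, but no caller can read it.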
Getting Started

In order to interact with the Azure Key Vault service, you will need to create an instance of the SecretClient or SecretAsyncClient class, which requires the vault URL and a credential object.

The examples shown in this document use a credential object named DefaultAzureCredential for authentication, which is appropriate for most scenarios, including local development and production environments. In production we recommend a managed identity, which DefaultAzureCredential picks up automatically and which removes the need to store a client secret for the vault itself. You can find more information on the different ways of authenticating and their corresponding credential types in the Azure Identity documentation.

Sample: Construct Synchronous Secret Client

The following code sample demonstrates the creation of a SecretClient, using the SecretClientBuilder to configure it.

 SecretClient secretClient = new SecretClientBuilder()
     .credential(new DefaultAzureCredentialBuilder().build())
     .vaultUrl("<your-key-vault-url>")
     .buildClient();
 

Sample: Construct Asynchronous Secret Client

The following code sample demonstrates the creation of a SecretAsyncClient, using the SecretClientBuilder to configure it.

 SecretAsyncClient secretAsyncClient = new SecretClientBuilder()
     .credential(new DefaultAzureCredentialBuilder().build())
     .vaultUrl("<your-key-vault-url>")
     .buildAsyncClient();
 

Create a Secret

The SecretClient or SecretAsyncClient can be used to create a secret in the key vault.

Synchronous Code Sample:

The following code sample demonstrates how to synchronously create and store a secret in the key vault, using the SecretClient.setSecret(java.lang.String, java.lang.String) API.

 KeyVaultSecret secret = secretClient.setSecret("secretName", "secretValue");
 // Printing the value is for demonstration only; in real code log the name and version, not the value.
 System.out.printf("Secret is created with name %s and value %s%n", secret.getName(), secret.getValue());
 

Asynchronous Code Sample:

The asynchronous equivalent creates and stores the secret using the SecretAsyncClient.

Note: For the asynchronous sample, refer to SecretAsyncClient.


Get a Secret

The SecretClient or SecretAsyncClient can be used to retrieve a secret from the key vault.

Synchronous Code Sample:

The following code sample demonstrates how to synchronously retrieve a previously stored secret from the key vault, using the SecretClient.getSecret(java.lang.String) API.

 KeyVaultSecret secret = secretClient.getSecret("secretName");
 // Printing the value is for demonstration only; in real code log the name and version, not the value.
 System.out.printf("Secret is returned with name %s and value %s%n",
     secret.getName(), secret.getValue());
 

Note: For the asynchronous sample, refer to SecretAsyncClient.

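Because every setSecret call creates a new version and older versions stay readable, retrieval is usually paired with two housekeeping tasks: auditing expiry across the vault and disabling superseded versions after a rotation. The following is an added example, not code from the Azure SDK documentation, that does both and then reads a pinned version with the two-argument getSecret. It assumes a KEY_VAULT_URL environment variable, a placeholder secret name "app-api-key", and a 14-day warning window chosen for the example.

```java
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
import com.azure.security.keyvault.secrets.models.SecretProperties;

import java.time.Duration;
import java.time.OffsetDateTime;
import java.time.ZoneOffset;
import java.util.Comparator;
import java.util.List;
import java.util.stream.Collectors;

public class SecretHygiene {
    // Assumed policy for this example: warn on anything expiring within two weeks.
    private static final Duration WARN_WINDOW = Duration.ofDays(14);

    public static void main(String[] args) {
        SecretClient client = new SecretClientBuilder()
            .credential(new DefaultAzureCredentialBuilder().build())
            .vaultUrl(System.getenv("KEY_VAULT_URL"))   // assumed environment variable
            .buildClient();

        OffsetDateTime now = OffsetDateTime.now(ZoneOffset.UTC);

        // Expiry audit. Listing returns metadata only, so it needs the "list"
        // permission and never transfers a secret value.
        for (SecretProperties props : client.listPropertiesOfSecrets()) {
            OffsetDateTime expires = props.getExpiresOn();
            if (expires == null) {
                System.out.printf("%s: no expiry set%n", props.getName());
            } else if (expires.isBefore(now)) {
                System.out.printf("%s: expired on %s%n", props.getName(), expires);
            } else if (expires.isBefore(now.plus(WARN_WINDOW))) {
                System.out.printf("%s: expires within %d days (%s)%n",
                    props.getName(), WARN_WINDOW.toDays(), expires);
            }
        }

        // After a rotation, older versions remain readable by anyone with "get"
        // until they are disabled. Keep only the newest version enabled.
        String name = "app-api-key";   // placeholder secret name
        List<SecretProperties> versions = client.listPropertiesOfSecretVersions(name).stream()
            .sorted(Comparator.comparing(SecretProperties::getCreatedOn).reversed())
            .collect(Collectors.toList());
        if (versions.isEmpty()) {
            System.out.printf("%s has no versions%n", name);
            return;
        }
        for (int i = 1; i < versions.size(); i++) {
            SecretProperties old = versions.get(i);
            if (Boolean.TRUE.equals(old.isEnabled())) {
                client.updateSecretProperties(old.setEnabled(false));
                System.out.printf("Disabled %s version %s%n", name, old.getVersion());
            }
        }

        // A consumer that must not pick up a rotation implicitly reads an explicit version.
        String pinnedVersion = versions.get(0).getVersion();
        KeyVaultSecret pinned = client.getSecret(name, pinnedVersion);
        // Log the version that was read, never the value.
        System.out.printf("Read %s version %s%n", pinned.getName(), pinned.getProperties().getVersion());
    }
}
```

Disabling old versions instead of deleting the secret preserves the rollback path while closing the window in which a leaked old value would still be accepted.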

Delete a Secret

The SecretClient or SecretAsyncClient can be used to delete a secret from the key vault.

Synchronous Code Sample:

The following code sample demonstrates how to synchronously delete a secret from the key vault, using the SecretClient.beginDeleteSecret(java.lang.String) API.

 SyncPoller<DeletedSecret, Void> deleteSecretPoller = secretClient.beginDeleteSecret("secretName");

 // The DeletedSecret is accessible as soon as polling begins.
 PollResponse<DeletedSecret> deleteSecretPollResponse = deleteSecretPoller.poll();

 // Deleted date and recovery id are populated on a soft-delete-enabled Key Vault.
 System.out.printf("Deleted Date %s%n", deleteSecretPollResponse.getValue()
     .getDeletedOn().toString());
 System.out.printf("Deleted Secret's Recovery Id %s%n", deleteSecretPollResponse.getValue()
     .getRecoveryId());

 // Block until the server has finished deleting the secret.
 deleteSecretPoller.waitForCompletion();
 

Note: For the asynchronous sample, refer to SecretAsyncClient.

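With soft delete, beginDeleteSecret moves the secret into a recoverable state rather than destroying it: the value is still in the vault until the retention period ends or the secret is purged. The following is an added example, not code from the Azure SDK documentation, that walks the full lifecycle: delete, observe that the active name no longer resolves while the deleted view does, recover, and finally delete again and purge. It assumes a KEY_VAULT_URL environment variable, a placeholder secret name "legacy-token", and that the caller holds the recover and purge permissions and the vault does not have purge protection enabled (with purge protection, purgeDeletedSecret is refused).

```java
import com.azure.core.exception.ResourceNotFoundException;
import com.azure.core.util.polling.SyncPoller;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.DeletedSecret;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

public class SoftDeleteLifecycle {
    public static void main(String[] args) {
        SecretClient client = new SecretClientBuilder()
            .credential(new DefaultAzureCredentialBuilder().build())
            .vaultUrl(System.getenv("KEY_VAULT_URL"))   // assumed environment variable
            .buildClient();

        String name = "legacy-token";   // placeholder secret name
        client.setSecret(name, "placeholder-value-to-retire");

        // 1. Delete and wait for the service to finish; the secret is now soft-deleted.
        SyncPoller<DeletedSecret, Void> deletePoller = client.beginDeleteSecret(name);
        DeletedSecret deleted = deletePoller.waitForCompletion().getValue();
        System.out.printf("Soft-deleted %s; scheduled purge on %s%n",
            name, deleted.getScheduledPurgeDate());

        // 2. The active name no longer resolves (404), but the deleted view is still readable.
        try {
            client.getSecret(name);
            System.out.println("Unexpected: active secret still resolvable");
        } catch (ResourceNotFoundException e) {
            System.out.println("Active secret no longer resolvable, as expected");
        }
        DeletedSecret stillThere = client.getDeletedSecret(name);
        System.out.printf("Recovery id: %s%n", stillThere.getRecoveryId());

        // 3a. Recover: the secret returns with its previous value and attributes.
        SyncPoller<KeyVaultSecret, Void> recoverPoller = client.beginRecoverDeletedSecret(name);
        KeyVaultSecret recovered = recoverPoller.waitForCompletion().getValue();
        System.out.printf("Recovered %s, enabled=%s%n",
            recovered.getName(), recovered.getProperties().isEnabled());

        // 3b. To make the deletion final, delete again and purge. Purge is irreversible and
        //     requires the purge permission; it is refused on a vault with purge protection.
        client.beginDeleteSecret(name).waitForCompletion();
        client.purgeDeletedSecret(name);
        System.out.printf("Purged %s%n", name);
    }
}
```

For incident response the practical consequence is that "deleting" a compromised secret does not remove it from the vault; if the value must be gone, purge it as well, and check whether purge protection on the vault makes that impossible until the retention period expires.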
See Also: