Tutorial: Use Azure Key Vault with a virtual machine in .NET

Azure Key Vault helps you to protect secrets such as API keys, the database connection strings you need to access your applications, services, and IT resources.

In this tutorial, you learn how to get a console application to read information from Azure Key Vault. Application would use virtual machine managed identity to authenticate to Key Vault.

The tutorial shows you how to:

  • Create a resource group.
  • Create a key vault.
  • Add a secret to the key vault.
  • Retrieve a secret from the key vault.
  • Create an Azure virtual machine.
  • Enable a managed identity for the Virtual Machine.
  • Assign permissions to the VM identity.

Before you begin, read Key Vault basic concepts.

If you don't have an Azure subscription, create a free account.


For Windows, Mac, and Linux:

Create resources and assign permissions

Before you start coding you need to create some resources, put a secret into your key vault, and assign permissions.

Sign in to Azure

To sign in to Azure by using following command:

az login

Create a resource group and key vault

This quickstart uses a pre-created Azure key vault. You can create a key vault by following the steps in the Azure CLI quickstart, Azure PowerShell quickstart, or Azure portal quickstart.

Alternatively, you can simply run the Azure CLI or Azure PowerShell commands below.


Each key vault must have a unique name. Replace <your-unique-keyvault-name> with the name of your key vault in the following examples.

az group create --name "myResourceGroup" -l "EastUS"

az keyvault create --name "<your-unique-keyvault-name>" -g "myResourceGroup"

Populate your key vault with a secret

Let's create a secret called mySecret, with a value of Success!. A secret might be a password, a SQL connection string, or any other information that you need to keep both secure and available to your application.

To add a secret to your newly created key vault, use the following command:

az keyvault secret set --vault-name "<your-unique-keyvault-name>" --name "mySecret" --value "Success!"

Create a virtual machine

Create a Windows or Linux virtual machine using one of the following methods:

Windows Linux
Azure CLI Azure CLI
PowerShell PowerShell
Azure portal Azure portal

Assign an identity to the VM

Create a system-assigned identity for the virtual machine with the following example:

az vm identity assign --name <NameOfYourVirtualMachine> --resource-group <YourResourceGroupName>

Note the system-assigned identity that's displayed in the following code. The output of the preceding command would be:

  "systemAssignedIdentity": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "userAssignedIdentities": {}

Assign permissions to the VM identity

Assign the previously created identity permissions to your key vault with the az keyvault set-policy command:

az keyvault set-policy --name '<your-unique-key-vault-name>' --object-id <VMSystemAssignedIdentity> --secret-permissions  get list set delete

Sign in to the virtual machine

To sign in to the virtual machine, follow the instructions in Connect and sign in to an Azure Windows virtual machine or Connect and sign in to an Azure Linux virtual machine.

Set up the console app

Create a console app and install the required packages using the dotnet command.

Install .NET Core

To install .NET Core, go to the .NET downloads page.

Create and run a sample .NET app

Open a command prompt.

You can print "Hello World" to the console by running the following commands:

dotnet new console -n keyvault-console-app
cd keyvault-console-app
dotnet run

Install the package

From the console window, install the Azure Key Vault Secrets client library for .NET:

dotnet add package Azure.Security.KeyVault.Secrets

For this quickstart, you will need to install the following identity package to authenticate to Azure Key Vault:

dotnet add package Azure.Identity

Edit the console app

Open the Program.cs file and add these packages:

using System;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

Add these lines, updating the URI to reflect the vaultUri of your key vault. Below code is using 'DefaultAzureCredential()' for authentication to key vault, which is using token from application managed identity to authenticate. It is also using exponential backoff for retries in case of key vault is being throttled.

  class Program
        static void Main(string[] args)
            string secretName = "mySecret";
            string keyVaultName = "<your-key-vault-name>";
            var kvUri = "https://<your-key-vault-name>.vault.azure.net";
            SecretClientOptions options = new SecretClientOptions()
                Retry =
                    Delay= TimeSpan.FromSeconds(2),
                    MaxDelay = TimeSpan.FromSeconds(16),
                    MaxRetries = 5,
                    Mode = RetryMode.Exponential

            var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential(),options);

            Console.Write("Input the value of your secret > ");
            string secretValue = Console.ReadLine();

            Console.Write("Creating a secret in " + keyVaultName + " called '" + secretName + "' with the value '" + secretValue + "' ...");

            client.SetSecret(secretName, secretValue);

            Console.WriteLine(" done.");

            Console.WriteLine("Forgetting your secret.");
            secretValue = "";
            Console.WriteLine("Your secret is '" + secretValue + "'.");

            Console.WriteLine("Retrieving your secret from " + keyVaultName + ".");

            KeyVaultSecret secret = client.GetSecret(secretName);

            Console.WriteLine("Your secret is '" + secret.Value + "'.");

            Console.Write("Deleting your secret from " + keyVaultName + " ...");


            Console.WriteLine(" done.");


Clean up resources

When they are no longer needed, delete the virtual machine and your key vault.

Next steps