Get started with Azure Key Vault secrets in JavaScript

This article shows you how to connect to Azure Key Vault by using the Azure Key Vault secrets client library for JavaScript. Once connected, your code can operate on secrets and secret properties in the vault.

API reference | Package (npm) | Library source code | Samples | Give feedback


Set up your project

  1. Open a command prompt and change into your project folder. Change YOUR-DIRECTORY to your folder name:

  2. If you don't have a package.json file already in your directory, initialize the project to create the file:

    npm init -y
  3. Install the Azure Key Vault secrets client library for JavaScript:

    npm install @azure/keyvault-secrets
  4. If you want to use passwordless connections using Microsoft Entra ID, install the Azure Identity client library for JavaScript:

    npm install @azure/identity

Authorize access and connect to Key Vault

Microsoft Entra ID provides the most secure connection by managing the connection identity (managed identity). This passwordless functionality allows you to develop an application that doesn't require any secrets (keys or connection strings) stored in the code.

Before programmatically authenticating to Azure to use Azure Key Vault secrets, make sure you set up your environment.

Diagram of Azure SDK for JavaScript credential flow.

A developer should install Azure CLI and sign in interactively with the az login command to log in to Azure before use the DefaultAzureCredential in code.

az login

Build your application

As you build your application, your code interacts with two types of resources:

  • KeyVaultSecret, which includes:
    • Secret name, a string value.
    • Secret value, which is a string of the secret. You provide the serialization and deserialization of the secret value into and out of a string as needed.
    • Secret properties.
  • SecretProperties, which include the secret's metadata, such as its name, version, tags, expiration data, and whether it's enabled.

If you need the value of the KeyVaultSecret, use methods that return the KeyVaultSecret:

The rest of the methods return the SecretProperties object or another form of the properties such as:

Create a SecretClient object

The SecretClient object is the top object in the SDK. This client allows you to manipulate the secrets.

Once your Azure Key Vault access roles and your local environment are set up, create a JavaScript file, which includes the @azure/identity package. Create a credential, such as the DefaultAzureCredential, to implement passwordless connections to your vault. Use that credential to authenticate with a SecretClient object.

// Include required dependencies
import { DefaultAzureCredential } from '@azure/identity';  
import { SecretClient } from '@azure/keyvault-secrets';  

// Authenticate to Azure
const credential = new DefaultAzureCredential(); 

// Create SecretClient
const vaultName = '<your-vault-name>';  
const url = `https://${vaultName}`;  
const client = new SecretClient(url, credential);  

// Get secret
const secret = await client.getSecret("MySecretName");

See also

Next steps