Quickstart: Manage secrets by using the Azure Key Vault Go client library
In this quickstart, you'll learn how to use the Azure SDK for Go to create, retrieve, list, and delete secrets from an Azure key vault.
You can store a variety of object types in an Azure key vault. When you store secrets in a key vault, you avoid having to store them in your code, which helps improve the security of your applications.
Get started with the azsecrets package and learn how to manage your secrets in an Azure key vault by using Go.
Prerequisites
An Azure subscription. If you don't already have a subscription, you can create one for free.
az role assignment create --role "Key Vault Secrets Officer" --assignee "<upn>" --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>"
Replace <upn>, <subscription-id>, <resource-group-name> and <your-unique-keyvault-name> with your actual values. Your UPN will typically be in the format of an email address (e.g., username@domain.com).
Create a new Go module and install packages
Run the following Go commands:
Azure CLI
go mod init kvSecrets
go get -u github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets
go get -u github.com/Azure/azure-sdk-for-go/sdk/azidentity
Sample code
Create a file named main.go, and then paste the following code into it:
Go
package main

import (
	"context"
	"fmt"
	"log"
	"os"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
)

func main() {
	mySecretName := "secretName01"
	mySecretValue := "secretValue"
	vaultURI := fmt.Sprintf("https://%s.vault.azure.net/", os.Getenv("KEY_VAULT_NAME"))

	// Create a credential using the NewDefaultAzureCredential type.
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}

	// Establish a connection to the Key Vault client
	client, err := azsecrets.NewClient(vaultURI, cred, nil)
	if err != nil {
		log.Fatalf("failed to create the client: %v", err)
	}

	// Create a secret
	params := azsecrets.SetSecretParameters{Value: &mySecretValue}
	_, err = client.SetSecret(context.TODO(), mySecretName, params, nil)
	if err != nil {
		log.Fatalf("failed to create a secret: %v", err)
	}

	// Get a secret. An empty string version gets the latest version of the secret.
	version := ""
	resp, err := client.GetSecret(context.TODO(), mySecretName, version, nil)
	if err != nil {
		log.Fatalf("failed to get the secret: %v", err)
	}
	// Printing the value is for demonstration only; real applications
	// should not write secret values to stdout or logs.
	fmt.Printf("secretValue: %s\n", *resp.Value)

	// List secrets
	pager := client.NewListSecretsPager(nil)
	for pager.More() {
		page, err := pager.NextPage(context.TODO())
		if err != nil {
			log.Fatal(err)
		}
		for _, secret := range page.Value {
			fmt.Printf("Secret ID: %s\n", *secret.ID)
		}
	}

	// Delete a secret. DeleteSecret returns when Key Vault has begun deleting the secret.
	// That can take several seconds to complete, so it may be necessary to wait before
	// performing other operations on the deleted secret.
	delResp, err := client.DeleteSecret(context.TODO(), mySecretName, nil)
	if err != nil {
		log.Fatalf("failed to delete secret: %v", err)
	}
	fmt.Println(delResp.ID.Name() + " has been deleted")
}
Run the code
Before you run the code, create an environment variable named KEY_VAULT_NAME. Set the environment variable value to the name of the key vault that you created previously.
Azure CLI
export KEY_VAULT_NAME=quickstart-kv
To start the Go app, run the following command:
Azure CLI
go run main.go
Output
secretValue: createdWithGO
Secret ID: https://quickstart-kv.vault.azure.net/secrets/quickstart-secret
Secret ID: https://quickstart-kv.vault.azure.net/secrets/secretName
quickstart-secret has been deleted
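The sample builds the vault URI directly from KEY_VAULT_NAME, so an unset or malformed value yields a URI such as https://.vault.azure.net/ and the failure only surfaces later as a request error. The following is an added example, not part of the original quickstart: a hypothetical helper, buildVaultURI, that checks the value against the Key Vault naming rules (3-24 characters, letters, digits and hyphens, starting with a letter, ending with a letter or digit, no consecutive hyphens) before the credential is ever used. The sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// vaultNameRE encodes the Key Vault naming rules: 3-24 characters, letters,
// digits and hyphens only, starting with a letter, ending with a letter or digit.
var vaultNameRE = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$`)

// buildVaultURI (hypothetical helper, not part of the Azure SDK) validates a
// vault name and returns the URI in the form the quickstart passes to
// azsecrets.NewClient. Rejecting dots, slashes and other URL metacharacters
// keeps the environment variable from changing the host the token is sent to.
func buildVaultURI(name string) (string, error) {
	if name == "" {
		return "", errors.New("KEY_VAULT_NAME is not set")
	}
	if !vaultNameRE.MatchString(name) || strings.Contains(name, "--") {
		return "", fmt.Errorf("invalid key vault name %q", name)
	}
	return fmt.Sprintf("https://%s.vault.azure.net/", name), nil
}

func main() {
	// The real environment value first, then constructed samples.
	candidates := []string{
		os.Getenv("KEY_VAULT_NAME"),
		"quickstart-kv",      // valid
		"kv",                 // too short
		"attacker.example/#", // URL metacharacters
		"my--vault",          // consecutive hyphens
	}
	for _, c := range candidates {
		uri, err := buildVaultURI(c)
		if err != nil {
			fmt.Printf("rejected: %v\n", err)
			continue
		}
		fmt.Printf("ok: %s\n", uri)
	}
}
```

In main.go, the returned URI would replace the fmt.Sprintf call, with log.Fatalf on error like the other checks.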