Get started with Azure Key Vault secrets in JavaScript
This article shows you how to connect to Azure Key Vault by using the Azure Key Vault secrets client library for JavaScript. Once connected, your code can operate on secrets and secret properties in the vault.
Prerequisites
- An Azure subscription - create one for free.
- An Azure Key Vault instance. Review the access policies on your Key Vault to confirm they include the permissions necessary for the specific tasks performed in code.
- Node.js LTS version
Set up your project
Open a command prompt and change into your project folder. Change YOUR-DIRECTORY to your folder name:
cd YOUR-DIRECTORY
If you don't have a package.json file already in your directory, initialize the project to create the file:
npm init -y
Install the Azure Key Vault secrets client library for JavaScript:
npm install @azure/keyvault-secrets
If you want to use passwordless connections using Microsoft Entra ID, install the Azure Identity client library for JavaScript:
npm install @azure/identity
Authorize access and connect to Key Vault
Microsoft Entra ID provides the most secure connection by managing the connection identity (managed identity). This passwordless functionality allows you to develop an application that doesn't require any secrets (keys or connection strings) stored in the code.
Before programmatically authenticating to Azure to use Azure Key Vault secrets, make sure you set up your environment.
Build your application
As you build your application, your code interacts with two types of resources:
- KeyVaultSecret, which includes:
  - Secret name, a string value.
  - Secret value, which is a string of the secret. You provide the serialization and deserialization of the secret value into and out of a string as needed.
  - Secret properties.
- SecretProperties, which include the secret's metadata, such as its name, version, tags, expiration data, and whether it's enabled.
If you need the value of the KeyVaultSecret, use methods that return the KeyVaultSecret:
The rest of the methods return the SecretProperties object or another form of the properties such as:
- DeletedSecret properties
Create a SecretClient object
The SecretClient object is the top object in the SDK. This client allows you to manipulate the secrets.
Once your Azure Key Vault access roles and your local environment are set up, create a JavaScript file, which includes the @azure/identity package. Create a credential, such as the DefaultAzureCredential, to implement passwordless connections to your vault. Use that credential to authenticate with a SecretClient object.
// Include required dependencies
import { DefaultAzureCredential } from '@azure/identity';
import { SecretClient } from '@azure/keyvault-secrets';
// Authenticate to Azure
const credential = new DefaultAzureCredential();
// Create SecretClient
const vaultName = '<your-vault-name>';
const url = `https://${vaultName}.vault.azure.net`;
const client = new SecretClient(url, credential);
// Get secret
const secret = await client.getSecret("MySecretName");
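The KeyVaultSecret and SecretProperties objects described above, as an added example that is not part of the original article or the SDK: it checks a secret's properties before using its value and deserializes a value stored as JSON. Key Vault treats a secret's notBefore and expiresOn attributes as informational and still returns the value outside that window, so the check has to happen in the caller. The helper names, the JSON convention and the sample secret are assumptions made for this example.

```javascript
// Added example, not from the Azure SDK or its samples.
// Validates a KeyVaultSecret's SecretProperties before its value is used.
function usableSecretValue(secret, now = new Date()) {
  const { name, value, properties = {} } = secret;
  // Error messages carry the secret name only, never the value.
  if (properties.enabled === false) {
    throw new Error(`Secret "${name}" is disabled`);
  }
  if (properties.notBefore && now < properties.notBefore) {
    throw new Error(`Secret "${name}" is not valid yet`);
  }
  if (properties.expiresOn && now >= properties.expiresOn) {
    throw new Error(`Secret "${name}" expired`);
  }
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error(`Secret "${name}" has no value`);
  }
  return value;
}

// Deserialize a secret stored as a JSON string (assumed convention for this example).
function parseJsonSecret(secret, now = new Date()) {
  const raw = usableSecretValue(secret, now);
  try {
    return JSON.parse(raw);
  } catch {
    // Do not include the parser message: it can echo fragments of the value.
    throw new Error(`Secret "${secret.name}" is not valid JSON`);
  }
}

// `client` is a SecretClient (or any object with the same getSecret method).
async function loadJsonSecret(client, secretName, now = new Date()) {
  const secret = await client.getSecret(secretName);
  return parseJsonSecret(secret, now);
}

// Constructed sample shaped like a KeyVaultSecret; no real secret material.
const sampleSecret = {
  name: 'db-config',
  value: JSON.stringify({ user: 'app', password: 'example-only' }),
  properties: { enabled: true, expiresOn: new Date('2030-01-01T00:00:00Z') },
};
```

With the client created earlier, the call is `await loadJsonSecret(client, "MySecretName")`.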