Introduction to Azure Key Vault SDK for JavaScript

The Azure Key Vault SDK for JavaScript provides a convenient way for developers to interact with Azure Key Vault, a cloud service that safeguards cryptographic keys, secrets, and certificates. The SDK lets you store and manage sensitive information, authenticate through Microsoft Entra ID (formerly Azure Active Directory), and perform cryptographic operations with keys whose private material never leaves the vault or its HSM.

Key Vault helps you protect your data and applications by providing:

  • Key Management: Create, import, use, and manage cryptographic keys.
  • Secret Management: Store and access sensitive information like API keys, connection strings, and passwords.
  • Certificate Management: Provision, manage, and deploy transport layer security (TLS/SSL) certificates.

Installation

You can install the Azure Key Vault client libraries for JavaScript using npm or yarn. The three Key Vault packages are independent, so install only the ones you use; @azure/identity is needed as well, because every example below authenticates with it:


npm install @azure/keyvault-keys @azure/keyvault-secrets @azure/keyvault-certificates @azure/identity

Or with yarn:


yarn add @azure/keyvault-keys @azure/keyvault-secrets @azure/keyvault-certificates @azure/identity

Authentication

To authenticate with Azure Key Vault, you typically use DefaultAzureCredential from the @azure/identity package. It tries a chain of credential sources in order: environment variables (a service principal), workload identity, managed identity, and finally developer tools such as the Azure CLI. That is convenient on a workstation, but in production prefer the specific credential you intend to use (for example ManagedIdentityCredential) so the application cannot silently fall back to a developer's login. Grant that identity only the data-plane permissions it needs, for example the Key Vault Secrets User role under Azure RBAC, or a get/list access policy on a vault that still uses access policies; the client constructor does not check permissions, so a missing grant surfaces as a 403 on the first call.

Example:


import { DefaultAzureCredential } from "@azure/identity";
import { SecretClient } from "@azure/keyvault-secrets";

const credential = new DefaultAzureCredential();
const vaultUrl = "https://your-keyvault-name.vault.azure.net/";

const client = new SecretClient(vaultUrl, credential);

Key Management

Manage cryptographic keys within your Azure Key Vault.

Creating a Key

You can create a new key (for example an RSA key) in Key Vault. The private key is generated inside the service and is never returned to the caller; what you get back is the public half plus metadata such as the version.

Example:


import { KeyClient } from "@azure/keyvault-keys";
import { DefaultAzureCredential } from "@azure/identity";

const credential = new DefaultAzureCredential();
const vaultUrl = "https://your-keyvault-name.vault.azure.net/";
const client = new KeyClient(vaultUrl, credential);

async function createRsaKey() {
  const keyName = "myNewRsaKey";
  const result = await client.createRsaKey(keyName, {
    keySize: 2048,
    hsm: false, // true stores the key in an HSM (RSA-HSM); requires a Premium-tier vault
    keyOps: ["sign", "verify"] // restrict the key to the operations it is actually for
  });
  // Log metadata only; result.key holds the public JWK, never the private material.
  console.log("Key created:", result.name, "version:", result.properties.version);
}

createRsaKey().catch(console.error);

Retrieving a Key

Fetch an existing key (its public part and metadata) from your Key Vault. Key Vault never returns private key material; to use the key you call the cryptographic operations on the service instead.

Example:


import { KeyClient } from "@azure/keyvault-keys";
import { DefaultAzureCredential } from "@azure/identity";

const credential = new DefaultAzureCredential();
const vaultUrl = "https://your-keyvault-name.vault.azure.net/";
const client = new KeyClient(vaultUrl, credential);

async function getKey() {
  const keyName = "myNewRsaKey";
  // Without a version argument this returns the latest version of the key.
  const key = await client.getKey(keyName);
  // key.key is a JSON Web Key containing only the public components (n, e for RSA).
  console.log("Retrieved key:", key.name, "type:", key.keyType, "version:", key.properties.version);
}

getKey().catch(console.error);

Deleting a Key

Remove a key from Key Vault. Soft-delete is enabled by default on all vaults and can no longer be turned off, so a deleted key is retained for the vault's retention period (7 to 90 days) and can be restored with beginRecoverDeletedKey; it is only destroyed early by purgeDeletedKey, and not even then if purge protection is on. beginDeleteKey returns a poller, so await pollUntilDone to wait for the deletion to finish.

Example:


import { KeyClient } from "@azure/keyvault-keys";
import { DefaultAzureCredential } from "@azure/identity";

const credential = new DefaultAzureCredential();
const vaultUrl = "https://your-keyvault-name.vault.azure.net/";
const client = new KeyClient(vaultUrl, credential);

async function deleteKey() {
  const keyName = "myNewRsaKey";
  // beginDeleteKey returns a poller, not the deleted key.
  const poller = await client.beginDeleteKey(keyName);
  console.log("Deletion operation started.");
  // Wait until the key is in the soft-deleted state.
  const deletedKey = await poller.pollUntilDone();
  console.log("Key soft-deleted (recoverable until purged):", deletedKey.name);
}

deleteKey().catch(console.error);

Secret Management

Securely store and retrieve secrets.

Setting a Secret

Store a new secret, or write a new version of an existing one. setSecret never overwrites in place: it appends a version and makes it the latest, so previous values stay readable by version until they are disabled or deleted.

Example:


import { SecretClient } from "@azure/keyvault-secrets";
import { DefaultAzureCredential } from "@azure/identity";

const credential = new DefaultAzureCredential();
const vaultUrl = "https://your-keyvault-name.vault.azure.net/";
const client = new SecretClient(vaultUrl, credential);

async function setSecretValue() {
  const secretName = "myApiSecret";
  // Take the value from the environment (or a prompt), never from a literal in source,
  // so it does not end up in version control.
  const secretValue = process.env.MY_API_SECRET;
  if (!secretValue) {
    throw new Error("MY_API_SECRET is not set");
  }
  const result = await client.setSecret(secretName, secretValue);
  // result.value echoes the secret back; log only the name and the new version.
  console.log("Secret set:", result.name, "version:", result.properties.version);
}

setSecretValue().catch(console.error);

Retrieving a Secret

Fetch the latest version of a secret. The returned object includes the value, so treat it as sensitive: never log it, and do not pass the whole object to serializers or error reporters.

Example:


import { SecretClient } from "@azure/keyvault-secrets";
import { DefaultAzureCredential } from "@azure/identity";

const credential = new DefaultAzureCredential();
const vaultUrl = "https://your-keyvault-name.vault.azure.net/";
const client = new SecretClient(vaultUrl, credential);

async function getSecretValue() {
  const secretName = "myApiSecret";
  const secret = await client.getSecret(secretName);
  // Use secret.value in memory; log only the name and version, never the value.
  console.log("Retrieved secret:", secret.name, "version:", secret.properties.version);
  return secret.value;
}

getSecretValue().catch(console.error);

Deleting a Secret

Remove a secret from Key Vault. As with keys, the secret is soft-deleted: it can be restored with beginRecoverDeletedSecret during the retention period, or removed for good with purgeDeletedSecret if purge protection is off.

Example:


import { SecretClient } from "@azure/keyvault-secrets";
import { DefaultAzureCredential } from "@azure/identity";

const credential = new DefaultAzureCredential();
const vaultUrl = "https://your-keyvault-name.vault.azure.net/";
const client = new SecretClient(vaultUrl, credential);

async function deleteSecret() {
  const secretName = "myApiSecret";
  // beginDeleteSecret returns a poller, not the deleted secret.
  const poller = await client.beginDeleteSecret(secretName);
  console.log("Deletion operation started.");
  // Wait until the secret is in the soft-deleted state.
  const deletedSecret = await poller.pollUntilDone();
  console.log("Secret soft-deleted (recoverable until purged):", deletedSecret.name);
}

deleteSecret().catch(console.error);

Certificate Management

Manage TLS/SSL certificates.

Importing a Certificate

Import an existing certificate together with its private key into Key Vault. The SDK accepts a PFX (PKCS #12) or PEM file; for a password-protected PFX, pass the password in the options. The file and its password are as sensitive as the private key itself, so keep them out of source control and out of logs.

Example:


import { CertificateClient } from "@azure/keyvault-certificates";
import { DefaultAzureCredential } from "@azure/identity";
import { readFileSync } from "fs";

const credential = new DefaultAzureCredential();
const vaultUrl = "https://your-keyvault-name.vault.azure.net/";
const client = new CertificateClient(vaultUrl, credential);

async function importCertificate() {
  const certificateName = "myTlsCertificate";
  // readFileSync returns a Buffer, which is the Uint8Array the SDK expects.
  const certificateContents = readFileSync("./path/to/your/certificate.pfx");
  // PFX password from the environment, not from source; undefined is fine for an unprotected file.
  const password = process.env.PFX_PASSWORD;

  const result = await client.importCertificate(certificateName, certificateContents, {
    password
  });
  console.log("Certificate imported:", result.name, "version:", result.properties.version);
}

// importCertificate().catch(console.error); // Uncomment to run

Retrieving a Certificate

Fetch the latest version of a certificate, including its policy. The cer field holds the DER-encoded public certificate only. The private key is stored behind the scenes as a secret with the same name, so code that needs the key material calls SecretClient.getSecret(certificateName) (returned as base64 PKCS #12 or PEM, depending on the content type) and must hold secrets/get permission; certificates/get on its own never exposes the private key, which is the permission split to rely on when you want a service to read certificates but not their keys.

Example:


import { CertificateClient } from "@azure/keyvault-certificates";
import { DefaultAzureCredential } from "@azure/identity";

const credential = new DefaultAzureCredential();
const vaultUrl = "https://your-keyvault-name.vault.azure.net/";
const client = new CertificateClient(vaultUrl, credential);

async function getCertificate() {
  const certificateName = "myTlsCertificate";
  const certificate = await client.getCertificate(certificateName);
  // certificate.cer is the DER-encoded public certificate; the private key is not in this object.
  const thumbprint = Buffer.from(certificate.properties.x509Thumbprint ?? new Uint8Array()).toString("hex");
  console.log("Retrieved certificate:", certificate.name, "thumbprint:", thumbprint, "expires:", certificate.properties.expiresOn);
}

getCertificate().catch(console.error);

Common Usage Patterns

Here are some common scenarios for using the Azure Key Vault SDK:

  • Securely accessing database connection strings: Store your connection strings as secrets and retrieve them at runtime, caching them in memory rather than calling Key Vault on every request.
  • Managing API keys for external services: Keep your API keys safe in Key Vault instead of hardcoding them in your application or its container image.
  • Rotating secrets: Write the new value with setSecret (which creates a new version) and make consumers refresh on a schedule or when the downstream service rejects the cached value, instead of holding one value for the life of the process.
  • Performing cryptographic operations: Use CryptographyClient from @azure/keyvault-keys to sign, verify, encrypt, decrypt, wrap and unwrap with a vault key; the operation runs inside Key Vault, so the private key never leaves it.
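The rotation pattern described in the list above, as an added example that is not part of the original page or of the Azure SDK. The consumer side (SecretCache) depends only on an object exposing getSecret(name) that resolves to { name, value, properties: { version } }, which is the shape SecretClient.getSecret returns in @azure/keyvault-secrets; in an application you would pass a real SecretClient. FakeSecretClient, the database stand-in, and the rule that a 401 means "credential rejected" are constructed for this example so that it runs offline:

```javascript
// Added example: rotation-tolerant secret access (not from the Azure SDK or its docs).

// Constructed in-memory stand-in for SecretClient. Like Key Vault, setSecret()
// appends a new version and getSecret(name) returns the latest one.
class FakeSecretClient {
  constructor() {
    this.versions = new Map(); // name -> [oldest, ..., latest]
    this.fetches = 0;          // how many getSecret calls reached the "service"
  }

  async setSecret(name, value) {
    const list = this.versions.get(name) ?? [];
    const secret = { name, value, properties: { name, version: `v${list.length + 1}`, enabled: true } };
    list.push(secret);
    this.versions.set(name, list);
    return secret;
  }

  async getSecret(name) {
    this.fetches += 1;
    const list = this.versions.get(name);
    if (!list) {
      const err = new Error(`Secret not found: ${name}`);
      err.statusCode = 404;
      throw err;
    }
    return list[list.length - 1];
  }
}

// Caches secret values for ttlMs so hot paths do not hit Key Vault on every request,
// and refreshes when a downstream service rejects the cached value.
class SecretCache {
  constructor(client, { ttlMs = 5 * 60 * 1000, now = () => Date.now() } = {}) {
    this.client = client;
    this.ttlMs = ttlMs;
    this.now = now;           // injectable clock so the TTL is testable
    this.entries = new Map(); // name -> { value, version, fetchedAt }
  }

  async get(name) {
    const hit = this.entries.get(name);
    if (hit && this.now() - hit.fetchedAt < this.ttlMs) return hit;
    const secret = await this.client.getSecret(name);
    const entry = { value: secret.value, version: secret.properties.version, fetchedAt: this.now() };
    this.entries.set(name, entry);
    return entry;
  }

  invalidate(name) {
    this.entries.delete(name);
  }

  // Run use(value) with the cached secret. On an error the caller classifies as an
  // authentication failure, drop the cache and retry once with the latest version,
  // but only if Key Vault actually has a newer one; otherwise the failure is not a
  // rotation issue and is rethrown unchanged, so the retry can never loop or mask bugs.
  async withSecret(name, use, isAuthError) {
    const cached = await this.get(name);
    try {
      return await use(cached.value);
    } catch (err) {
      if (!isAuthError(err)) throw err;
      this.invalidate(name);
      const fresh = await this.get(name);
      if (fresh.version === cached.version) throw err;
      return use(fresh.value);
    }
  }
}

// Walks through one rotation: the consumer uses the cached password until the
// database rejects it, then picks up the new version without a restart.
async function demoRotation() {
  const kv = new FakeSecretClient();
  let clock = 0;
  const cache = new SecretCache(kv, { ttlMs: 1000, now: () => clock });
  await kv.setSecret("db-password", "old-pw");

  // Constructed stand-in for a database that accepts only its current password.
  let acceptedPassword = "old-pw";
  const connect = async (pw) => {
    if (pw !== acceptedPassword) {
      const err = new Error("authentication failed");
      err.statusCode = 401;
      throw err;
    }
    return "connected";
  };
  const isAuthError = (err) => err.statusCode === 401;

  const first = await cache.withSecret("db-password", connect, isAuthError);
  clock += 500; // still inside the TTL: served from cache, no Key Vault call
  const second = await cache.withSecret("db-password", connect, isAuthError);
  const fetchesBeforeRotation = kv.fetches;

  // Operator rotates: new version written to Key Vault, database updated to match.
  await kv.setSecret("db-password", "new-pw");
  acceptedPassword = "new-pw";
  const third = await cache.withSecret("db-password", connect, isAuthError);
  const versionAfterRotation = (await cache.get("db-password")).version;

  // A 401 that is not caused by rotation must not be hidden by the retry.
  acceptedPassword = "something-else";
  let unrelatedFailure = null;
  try {
    await cache.withSecret("db-password", connect, isAuthError);
  } catch (err) {
    unrelatedFailure = err.message;
  }

  return { first, second, third, fetchesBeforeRotation, fetchesTotal: kv.fetches, versionAfterRotation, unrelatedFailure };
}

demoRotation().then((r) => console.log(r)).catch((err) => { console.error(err); process.exitCode = 1; });
```

The second attempt in withSecret is deliberately conditional on the version changing: if the downstream service rejects the credential but Key Vault has nothing newer, retrying would only double the failure rate and hide the real cause. The same structure works for API keys and connection strings; only the isAuthError classifier changes per downstream service.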