Azure Key Vault Developer's Guide

Key Vault allows you to securely access sensitive information from within your applications:

  • Keys, secrets, and certificates are protected without your having to write the protection code yourself, and you can easily use them from your applications.
  • You allow customers to own and manage their own keys, secrets, and certificates so you can concentrate on providing the core software features. In this way, your applications do not own the responsibility or potential liability for your customers' tenant keys, secrets, and certificates.
  • Your application can use keys for signing and encryption while keeping key management external to your application. For more information about keys, see About Keys.
  • You can manage credentials such as passwords, access keys, and SAS tokens by storing them in Key Vault as secrets. For more information, see About Secrets.
  • You can manage certificates. For more information, see About Certificates.

For more general information on Azure Key Vault, see What is Key Vault.

Public Previews

Periodically, we release a public preview of a new Key Vault feature. Try out public preview features and let us know what you think via azurekeyvault@microsoft.com, our feedback email address.

Creating and Managing Key Vaults

Key Vault management, like that of other Azure services, is done through the Azure Resource Manager service. Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. For more information, see Azure Resource Manager.

Access to the management layer is controlled by Azure role-based access control. In Key Vault, the management layer, also known as the management or control plane, lets you create and manage key vaults and their attributes, including access policies, but not keys, secrets, and certificates, which are managed on the data plane. You can use the pre-defined Key Vault Contributor role to grant management access to Key Vault.

APIs and SDKs for Key Vault management:

  • Azure CLI: Reference, Quickstart
  • PowerShell: Reference, Quickstart
  • REST API: Reference
  • Resource Manager: Reference
  • .NET: Reference
  • Python: Reference
  • Java: Reference
  • JavaScript: Reference

See Client Libraries for installation packages and source code.

For more information about the Key Vault management plane, see Key Vault Management Plane.

Authenticate to Key Vault in code

Key Vault uses Azure AD authentication, which requires an Azure AD security principal to be granted access. An Azure AD security principal may be a user, an application service principal, a managed identity for Azure resources, or a group of any type of security principal.

Authentication best practices

It is recommended to use a managed identity for applications deployed to Azure. If you use Azure services that do not support managed identity, or if applications are deployed on premises, a service principal with a certificate is a possible alternative. In that scenario, the certificate should be stored in Key Vault and rotated often. A service principal with a secret can be used for development and testing environments; locally or in Cloud Shell, using a user principal is recommended.

Recommended security principals per environment:

  • Production environment:
    • Managed identity or service principal with a certificate
  • Test and development environments:
    • Managed identity, service principal with certificate or service principal with secret
  • Local development:
    • User principal or service principal with secret

The authentication scenarios above are supported by the Azure Identity client library and integrated with the Key Vault SDKs. The Azure Identity library can be used across different environments and platforms without changing your code. Azure Identity also automatically retrieves an authentication token for the user logged in to Azure with Azure CLI, Visual Studio, Visual Studio Code, and others.

For more information about the Azure Identity client library, see:

Azure Identity client libraries

  • .NET: Azure Identity SDK .NET
  • Python: Azure Identity SDK Python
  • Java: Azure Identity SDK Java
  • JavaScript: Azure Identity SDK JavaScript

For tutorials on how to authenticate to Key Vault in applications, see:

Manage keys, certificates, and secrets

Access to keys, secrets, and certificates is controlled on the data plane. Data plane access control can be done using local vault access policies or RBAC (preview).

Keys APIs and SDKs

  • Azure CLI: Reference, Quickstart
  • PowerShell: Reference, Quickstart
  • REST API: Reference
  • Resource Manager: N/A
  • .NET: Reference
  • Python: Reference, Quickstart
  • Java: Reference
  • JavaScript: Reference

Certificates APIs and SDKs

  • Azure CLI: Reference, Quickstart
  • PowerShell: Reference, Quickstart
  • REST API: Reference
  • Resource Manager: N/A
  • .NET: Reference
  • Python: Reference, Quickstart
  • Java: Reference
  • JavaScript: Reference

Secrets APIs and SDKs

  • Azure CLI: Reference, Quickstart
  • PowerShell: Reference, Quickstart
  • REST API: Reference
  • Resource Manager: Reference, Quickstart
  • .NET: Reference, Quickstart
  • Python: Reference, Quickstart
  • Java: Reference, Quickstart
  • JavaScript: Reference, Quickstart

See Client Libraries for installation packages and source code.

For more information about Key Vault data plane security, see Key Vault Data Plane and access policies and Key Vault Data Plane and RBAC (preview).

Code examples

For complete examples using Key Vault with your applications, see:

How-tos

The following articles and scenarios provide task-specific guidance for working with Azure Key Vault:

Integrated with Key Vault

These articles are about other scenarios and services that use or integrate with Key Vault.

  • Encryption at rest allows the encoding (encryption) of data when it is persisted. Data encryption keys are often encrypted with a key encryption key in Azure Key Vault to further limit access.
  • Azure Information Protection allows you to manage your own tenant key. For example, instead of Microsoft managing your tenant key (the default), you can manage your own tenant key to comply with specific regulations that apply to your organization. Managing your own tenant key is also referred to as bring your own key, or BYOK.
  • Azure Private Link Service enables you to access Azure services (for example, Azure Key Vault, Azure Storage, and Azure Cosmos DB) and Azure-hosted customer/partner services over a Private Endpoint in your virtual network.
  • Key Vault integration with Event Grid allows users to be notified when the status of a secret stored in Key Vault has changed. You can distribute new versions of secrets to applications or rotate near-expiry secrets to prevent outages.
  • You can protect your Azure DevOps secrets from unwanted access by keeping them in Key Vault.
  • Use a secret stored in Key Vault in Databricks to connect to Azure Storage.
  • Configure and run the Azure Key Vault provider for the Secrets Store CSI driver on Kubernetes.

Key Vault overviews and concepts
