Get started with Azure Key Vault secrets in JavaScript

This article shows you how to connect to Azure Key Vault by using the Azure Key Vault secrets client library for JavaScript. Once connected, your code can operate on secrets and secret properties in the vault.


Prerequisites

Set up your project

  1. Open a command prompt and change into your project folder. Change YOUR-DIRECTORY to your folder name:

    cd YOUR-DIRECTORY
    
  2. If you don't have a package.json file already in your directory, initialize the project to create the file:

    npm init -y
    
  3. Install the Azure Key Vault secrets client library for JavaScript:

    npm install @azure/keyvault-secrets
    
  4. If you want to use passwordless connections using Microsoft Entra ID, install the Azure Identity client library for JavaScript:

    npm install @azure/identity
    

Authorize access and connect to Key Vault

Microsoft Entra ID provides the most secure connection by managing the connection identity (managed identity). This passwordless functionality allows you to develop an application that doesn't require any secrets (keys or connection strings) stored in the code.

Before programmatically authenticating to Azure to use Azure Key Vault secrets, make sure you set up your environment.

Diagram of Azure SDK for JavaScript credential flow.

A developer should install the Azure CLI and sign in interactively with the az login command before using DefaultAzureCredential in code.

az login

Build your application

As you build your application, your code interacts with two types of resources:

  • KeyVaultSecret, which includes:
    • Secret name, a string value.
    • Secret value, which is the secret as a string. You provide the serialization and deserialization of the secret value into and out of a string as needed.
    • Secret properties.
  • SecretProperties, which include the secret's metadata, such as its name, version, tags, expiration date, and whether it's enabled.

If you need the value of the KeyVaultSecret, use methods that return the KeyVaultSecret:

The rest of the methods return the SecretProperties object or another form of the properties such as:

Create a SecretClient object

The SecretClient object is the top object in the SDK. This client allows you to manipulate the secrets.

Once your Azure Key Vault access roles and your local environment are set up, create a JavaScript file that imports the @azure/identity package. Create a credential, such as the DefaultAzureCredential, to implement passwordless connections to your vault. Use that credential to authenticate with a SecretClient object.

// Include required dependencies
import { DefaultAzureCredential } from '@azure/identity';  
import { SecretClient } from '@azure/keyvault-secrets';  

// Authenticate to Azure
const credential = new DefaultAzureCredential(); 

// Create SecretClient
const vaultName = '<your-vault-name>';  
const url = `https://${vaultName}.vault.azure.net`;  
const client = new SecretClient(url, credential);  

// Get secret
const secret = await client.getSecret("MySecretName");
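
The KeyVaultSecret and SecretProperties split described earlier means secret hygiene can be audited from metadata alone. The following is an added example, not code from the original article or the SDK: it walks listPropertiesOfSecrets() and flags disabled, expired, soon-to-expire, and non-expiring secrets without retrieving any value. The function names, the 30-day threshold, and the sample data are assumptions made for the illustration.

```javascript
// Added example: audit secret metadata without reading any secret value.
// `client` is any object exposing listPropertiesOfSecrets(), such as the
// SecretClient created above. All names below are hypothetical helpers.

const DAY_MS = 24 * 60 * 60 * 1000;

// Return hygiene findings for one SecretProperties object.
// warnDays is an assumed policy threshold, not an SDK setting.
function classifySecret(props, now = new Date(), warnDays = 30) {
  const findings = [];
  if (props.enabled === false) findings.push('disabled');
  if (props.notBefore instanceof Date && props.notBefore > now) {
    findings.push('not-yet-valid');
  }
  if (!(props.expiresOn instanceof Date)) {
    findings.push('no-expiry');
  } else if (props.expiresOn <= now) {
    findings.push('expired');
  } else if (props.expiresOn - now <= warnDays * DAY_MS) {
    findings.push('expiring-soon');
  }
  return findings;
}

// Walk every secret's properties. The list operation yields SecretProperties
// only, so no secret value is fetched, held in memory, or logged here.
async function auditVault(client, now = new Date(), warnDays = 30) {
  const report = [];
  for await (const props of client.listPropertiesOfSecrets()) {
    const findings = classifySecret(props, now, warnDays);
    if (findings.length > 0) report.push({ name: props.name, findings });
  }
  return report;
}

// Constructed stand-in for a vault so the example runs offline.
const sampleClient = {
  async *listPropertiesOfSecrets() {
    yield { name: 'db-password', enabled: true, expiresOn: new Date('2030-01-01T00:00:00Z') };
    yield { name: 'legacy-api-key', enabled: true };
    yield { name: 'old-token', enabled: false, expiresOn: new Date('2020-01-01T00:00:00Z') };
    yield { name: 'signing-cert-pass', enabled: true, expiresOn: new Date('2025-01-20T00:00:00Z') };
  },
};

auditVault(sampleClient, new Date('2025-01-01T00:00:00Z')).then((report) => {
  for (const r of report) console.log(`${r.name}: ${r.findings.join(', ')}`);
});
```

Against a real vault, pass the SecretClient from the snippet above instead of sampleClient; the identity then needs only permission to list secrets, not to read their values.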
