Quickstart: Azure Key Vault keys client library for Go
In this quickstart, you'll learn to use the Azure SDK for Go to create, retrieve, update, list, and delete Azure Key Vault keys.
Azure Key Vault is a cloud service that works as a secure secrets store. You can securely store keys, passwords, certificates, and other secrets. For more information on Key Vault, you may review the Overview.
Follow this guide to learn how to use the azkeys package to manage your Azure Key Vault keys using Go.
Prerequisites
- An Azure subscription - Create a trial subscription.
- Go installed: Version 1.18 or above
- Azure CLI
Sign in to the Azure portal
In the Azure CLI, run the following command:
az cloud set -n AzureChinaCloud az login # az cloud set -n AzureCloud //means return to Public Azure.
Create a new resource group.
az group create --name quickstart-rg --location chinaeast
Deploy a new key vault instance.
az keyvault create --name <keyVaultName> --resource-group quickstart-rg
Replace
<keyVaultName>
with a name that's unique across all of Azure. You typically use your personal or company name along with other numbers and identifiers.Create a new Go module and install packages
go mod init quickstart-keys go get -u github.com/Azure/azure-sdk-for-go/sdk/azidentity go get -u github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys
Create the sample code
Create a file named main.go and copy the following code into the file:
package main
import (
"context"
"fmt"
"log"
"os"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys"
)
func main() {
keyVaultName := os.Getenv("KEY_VAULT_NAME")
keyVaultUrl := fmt.Sprintf("https://%s.vault.azure.cn/", keyVaultName)
// create credential
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("failed to obtain a credential: %v", err)
}
// create azkeys client
client, err := azkeys.NewClient(keyVaultUrl, cred, nil)
if err != nil {
log.Fatal(err)
}
// create RSA Key
rsaKeyParams := azkeys.CreateKeyParameters{
Kty: to.Ptr(azkeys.JSONWebKeyTypeRSA),
KeySize: to.Ptr(int32(2048)),
}
rsaResp, err := client.CreateKey(context.TODO(), "new-rsa-key", rsaKeyParams, nil)
if err != nil {
log.Fatalf("failed to create rsa key: %v", err)
}
fmt.Printf("New RSA key ID: %s\n", *rsaResp.Key.KID)
// create EC Key
ecKeyParams := azkeys.CreateKeyParameters{
Kty: to.Ptr(azkeys.JSONWebKeyTypeEC),
Curve: to.Ptr(azkeys.JSONWebKeyCurveNameP256),
}
ecResp, err := client.CreateKey(context.TODO(), "new-ec-key", ecKeyParams, nil)
if err != nil {
log.Fatalf("failed to create ec key: %v", err)
}
fmt.Printf("New EC key ID: %s\n", *ecResp.Key.KID)
// list all vault keys
fmt.Println("List all vault keys:")
pager := client.NewListKeysPager(nil)
for pager.More() {
page, err := pager.NextPage(context.TODO())
if err != nil {
log.Fatal(err)
}
for _, key := range page.Value {
fmt.Println(*key.KID)
}
}
// update key properties to disable key
updateParams := azkeys.UpdateKeyParameters{
KeyAttributes: &azkeys.KeyAttributes{
Enabled: to.Ptr(false),
},
}
// an empty string version updates the latest version of the key
version := ""
updateResp, err := client.UpdateKey(context.TODO(), "new-rsa-key", version, updateParams, nil)
if err != nil {
panic(err)
}
fmt.Printf("Key %s Enabled attribute set to: %t\n", *updateResp.Key.KID, *updateResp.Attributes.Enabled)
// delete the created keys
for _, keyName := range []string{"new-rsa-key", "new-ec-key"} {
// DeleteKey returns when Key Vault has begun deleting the key. That can take several
// seconds to complete, so it may be necessary to wait before performing other operations
// on the deleted key.
delResp, err := client.DeleteKey(context.TODO(), keyName, nil)
if err != nil {
panic(err)
}
fmt.Printf("Successfully deleted key %s", *delResp.Key.KID)
}
}
Run the code
Before you run the code, create an environment variable named KEY_VAULT_NAME. Set the environment variable's value to the name of the Azure Key Vault created previously.
export KEY_VAULT_NAME=quickstart-kv
Next, run the following go run
command to run the app:
go run main.go
Key ID: https://quickstart-kv.vault.azure.cn/keys/new-rsa-key4/f78fe1f34b064934bac86cc8c66a75c3: Key Type: RSA
Key ID: https://quickstart-kv.vault.azure.cn/keys/new-ec-key2/10e2cec51d1749c0a26aab784808cfaf: Key Type: EC
List all vault keys:
https://quickstart-kv.vault.azure.cn/keys/new-ec-key
https://quickstart-kv.vault.azure.cn/keys/new-ec-key1
https://quickstart-kv.vault.azure.cn/keys/new-ec-key2
https://quickstart-kv.vault.azure.cn/keys/new-rsa-key4
Enabled set to: false
Successfully deleted key https://quickstart-kv.vault.azure.cn/keys/new-rsa-key4/f78fe1f34b064934bac86cc8c66a75c3
Note
The output is for informational purposes only. Your return values may vary based on your Azure subscription and Azure Key Vault.
Code examples
See the module documentation for more examples.
Clean up resources
Run the following command to delete the resource group and all its remaining resources:
az group delete --resource-group quickstart-rg