Quickstart: Azure Key Vault key client library for JavaScript
Get started with the Azure Key Vault key client library for JavaScript. Azure Key Vault is a cloud service that provides a secure store for cryptographic keys. You can securely store keys, passwords, certificates, and other secrets. Azure key vaults may be created and managed through the Azure portal. In this quickstart, you learn how to create, retrieve, and delete keys from an Azure key vault using the JavaScript key client library.
Key Vault client library resources:
API reference documentation | Library source code | Package (npm)
For more information about Key Vault and keys, see:
Prerequisites
- An Azure subscription.
- Current Node.js LTS.
- Azure CLI
- An existing Key Vault - you can create one using:
- An Azure subscription.
- Current Node.js LTS.
- TypeScript 5+
- Azure CLI.
- An existing Key Vault - you can create one using:
This quickstart assumes you're running Azure CLI.
Sign in to Azure
Run the
login
command.az cloud set -n AzureChinaCloud az login
If the CLI can open your default browser, it will do so and load an Azure sign-in page.
Otherwise, open a browser page at https://aka.ms/deviceloginchina and enter the authorization code displayed in your terminal.
Sign in with your account credentials in the browser.
Create new Node.js application
Create a Node.js application that uses your key vault.
In a terminal, create a folder named
key-vault-node-app
and change into that folder:mkdir key-vault-node-app && cd key-vault-node-app
Initialize the Node.js project:
npm init -y
Install Key Vault packages
Using the terminal, install the Azure Key Vault secrets client library, @azure/keyvault-keys for Node.js.
npm install @azure/keyvault-keys
Install the Azure Identity client library, @azure/identity package to authenticate to a Key Vault.
npm install @azure/identity
Grant access to your key vault
To grant your application permissions to your key vault through Role-Based Access Control (RBAC), assign a role using the Azure CLI command az role assignment create.
az role assignment create --role "Key Vault Secrets User" --assignee "<app-id>" --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>"
Replace <app-id>
, <subscription-id>
, <resource-group-name>
and <your-unique-keyvault-name>
with your actual values. <app-id>
is the Application (client) ID of your registered application in Azure Entra.
Set environment variables
This application is using key vault endpoint as an environment variable called KEY_VAULT_URL
.
set KEY_VAULT_URL=<your-key-vault-endpoint>
Authenticate and create a client
Application requests to most Azure services must be authorized. Using the DefaultAzureCredential method provided by the Azure Identity client library is the recommended approach for implementing passwordless connections to Azure services in your code. DefaultAzureCredential
supports multiple authentication methods and determines which method should be used at runtime. This approach enables your app to use different authentication methods in different environments (local vs. production) without implementing environment-specific code.
In this quickstart, DefaultAzureCredential
authenticates to key vault using the credentials of the local development user logged into the Azure CLI. When the application is deployed to Azure, the same DefaultAzureCredential
code can automatically discover and use a managed identity that is assigned to an App Service, Virtual Machine, or other services. For more information, see Managed Identity Overview.
In this code, the endpoint of your key vault is used to create the key vault client. The endpoint format looks like https://<your-key-vault-name>.vault.azure.cn
but may change for sovereign clouds. For more information about authenticating to key vault, see Developer's Guide.
Code example
The code samples below will show you how to create a client, set a secret, retrieve a secret, and delete a secret.
This code uses the following Key Vault Secret classes and methods:
Set up the app framework
Create new text file and paste the following code into the index.js file.
const { KeyClient } = require("@azure/keyvault-keys"); const { DefaultAzureCredential } = require("@azure/identity"); async function main() { // DefaultAzureCredential expects the following three environment variables: // - AZURE_TENANT_ID: The tenant ID in Microsoft Entra ID // - AZURE_CLIENT_ID: The application (client) ID registered in the AAD tenant // - AZURE_CLIENT_SECRET: The client secret for the registered application const credential = new DefaultAzureCredential(); const keyVaultUrl = process.env["KEY_VAULT_URL"]; if(!keyVaultUrl) throw new Error("KEY_VAULT_URL is empty"); const client = new KeyClient(keyVaultUrl, credential); const uniqueString = Date.now(); const keyName = `sample-key-${uniqueString}`; const ecKeyName = `sample-ec-key-${uniqueString}`; const rsaKeyName = `sample-rsa-key-${uniqueString}`; // Create key using the general method const result = await client.createKey(keyName, "EC"); console.log("key: ", result); // Create key using specialized key creation methods const ecResult = await client.createEcKey(ecKeyName, { curve: "P-256" }); const rsaResult = await client.createRsaKey(rsaKeyName, { keySize: 2048 }); console.log("Elliptic curve key: ", ecResult); console.log("RSA Key: ", rsaResult); // Get a specific key const key = await client.getKey(keyName); console.log("key: ", key); // Or list the keys we have for await (const keyProperties of client.listPropertiesOfKeys()) { const key = await client.getKey(keyProperties.name); console.log("key: ", key); } // Update the key const updatedKey = await client.updateKeyProperties(keyName, result.properties.version, { enabled: false }); console.log("updated key: ", updatedKey); // Delete the key - the key is soft-deleted but not yet purged const deletePoller = await client.beginDeleteKey(keyName); await deletePoller.pollUntilDone(); const deletedKey = await client.getDeletedKey(keyName); console.log("deleted key: ", deletedKey); // Purge the key - the key is permanently deleted // This operation could take some time to complete console.time("purge a single key"); await client.purgeDeletedKey(keyName); console.timeEnd("purge a single key"); } main().catch((error) => { console.error("An error occurred:", error); process.exit(1); });
Run the sample application
Run the app:
node index.js
The create and get methods return a full JSON object for the key:
"key": { "key": { "kid": "https://YOUR-KEY-VAULT-ENDPOINT/keys/YOUR-KEY-NAME/YOUR-KEY-VERSION", "kty": "YOUR-KEY-TYPE", "keyOps": [ ARRAY-OF-VALID-OPERATIONS ], ... other properties based on key type }, "id": "https://YOUR-KEY-VAULT-ENDPOINT/keys/YOUR-KEY-NAME/YOUR-KEY-VERSION", "name": "YOUR-KEY-NAME", "keyOperations": [ ARRAY-OF-VALID-OPERATIONS ], "keyType": "YOUR-KEY-TYPE", "properties": { "tags": undefined, "enabled": true, "notBefore": undefined, "expiresOn": undefined, "createdOn": 2021-11-29T18:29:11.000Z, "updatedOn": 2021-11-29T18:29:11.000Z, "recoverableDays": 90, "recoveryLevel": "Recoverable+Purgeable", "exportable": undefined, "releasePolicy": undefined, "vaultUrl": "https://YOUR-KEY-VAULT-ENDPOINT", "version": "YOUR-KEY-VERSION", "name": "YOUR-KEY-VAULT-NAME", "managed": undefined, "id": "https://YOUR-KEY-VAULT-ENDPOINT/keys/YOUR-KEY-NAME/YOUR-KEY-VERSION" } }
Create new text file and paste the following code into the index.ts file.
import {
KeyClient,
KeyVaultKey,
KeyProperties,
DeletedKey,
} from "@azure/keyvault-keys";
import { DefaultAzureCredential } from "@azure/identity";
import "dotenv/config";
const credential = new DefaultAzureCredential();
// Get Key Vault name from environment variables
// such as `https://${keyVaultName}.vault.azure.net`
const keyVaultUrl = process.env.KEY_VAULT_URL;
if (!keyVaultUrl) throw new Error("KEY_VAULT_URL is empty");
function printKey(keyVaultKey: KeyVaultKey): void {
const { name, key, id, keyType, keyOperations, properties } = keyVaultKey;
console.log("Key: ", { name, key, id, keyType });
const { vaultUrl, version, enabled, expiresOn }: KeyProperties = properties;
console.log("Key Properties: ", { vaultUrl, version, enabled, expiresOn });
console.log("Key Operations: ", keyOperations.join(", "));
}
async function main(): Promise<void> {
// Create a new KeyClient
const client = new KeyClient(keyVaultUrl, credential);
// Create unique key names
const uniqueString = Date.now().toString();
const keyName = `sample-key-${uniqueString}`;
const ecKeyName = `sample-ec-key-${uniqueString}`;
const rsaKeyName = `sample-rsa-key-${uniqueString}`;
// Create a EC key
const ecKey = await client.createKey(keyName, "EC");
printKey(ecKey);
// Elliptic curve key
const ec256Key = await client.createEcKey(ecKeyName, {
curve: "P-256",
});
printKey(ec256Key);
// RSA key
const rsa2048Key = await client.createRsaKey(rsaKeyName, {
keySize: 2048,
});
printKey(rsa2048Key);
// Get a key
const key = await client.getKey(keyName);
printKey(key);
// Get properties of all keys
for await (const keyProperties of client.listPropertiesOfKeys()) {
const iteratedKey = await client.getKey(keyProperties.name);
printKey(iteratedKey);
}
// Update key properties - disable key
const updatedKey = await client.updateKeyProperties(
keyName,
ecKey.properties.version,
{
enabled: false,
}
);
printKey(updatedKey);
// Delete key (without immediate purge)
const deletePoller = await client.beginDeleteKey(keyName);
await deletePoller.pollUntilDone();
// Get a deleted key
const deletedKey = await client.getDeletedKey(keyName);
console.log("deleted key: ", deletedKey.name);
// Purge a deleted key
console.time("purge a single key");
await client.purgeDeletedKey(keyName);
console.timeEnd("purge a single key");
}
main().catch((error) => {
console.error("An error occurred:", error);
process.exit(1);
});
Run the sample application
Build the TypeScript app:
tsc
Run the app:
node index.js
The create and get methods return a full JSON object for the key:
"key": { "key": { "kid": "https://YOUR-KEY-VAULT-ENDPOINT/keys/YOUR-KEY-NAME/YOUR-KEY-VERSION", "kty": "YOUR-KEY-TYPE", "keyOps": [ ARRAY-OF-VALID-OPERATIONS ], ... other properties based on key type }, "id": "https://YOUR-KEY-VAULT-ENDPOINT/keys/YOUR-KEY-NAME/YOUR-KEY-VERSION", "name": "YOUR-KEY-NAME", "keyOperations": [ ARRAY-OF-VALID-OPERATIONS ], "keyType": "YOUR-KEY-TYPE", "properties": { "tags": undefined, "enabled": true, "notBefore": undefined, "expiresOn": undefined, "createdOn": 2021-11-29T18:29:11.000Z, "updatedOn": 2021-11-29T18:29:11.000Z, "recoverableDays": 90, "recoveryLevel": "Recoverable+Purgeable", "exportable": undefined, "releasePolicy": undefined, "vaultUrl": "https://YOUR-KEY-VAULT-ENDPOINT", "version": "YOUR-KEY-VERSION", "name": "YOUR-KEY-VAULT-NAME", "managed": undefined, "id": "https://YOUR-KEY-VAULT-ENDPOINT/keys/YOUR-KEY-NAME/YOUR-KEY-VERSION" } }
Integrating with App Configuration
The Azure SDK provides a helper method, parseKeyVaultKeyIdentifier, to parse the given Key Vault Key ID. This is necessary if you use App Configuration references to Key Vault. App Config stores the Key Vault Key ID. You need the parseKeyVaultKeyIdentifier method to parse that ID to get the key name. Once you have the key name, you can get the current key value using code from this quickstart.
Next steps
In this quickstart, you created a key vault, stored a key, and retrieved that key. To learn more about Key Vault and how to integrate it with your applications, continue on to these articles.
- Read an Overview of Azure Key Vault
- Read an Overview of Azure Key Vault Keys
- How to Secure access to a key vault
- See the Azure Key Vault developer's guide
- Review the Key Vault security overview