Quickstart: Manage secrets by using the Azure Key Vault Go client library
In this quickstart, you'll learn how to use the Azure SDK for Go to create, retrieve, list, and delete secrets from an Azure key vault.
You can store a variety of object types in an Azure key vault. When you store secrets in a key vault, you avoid having to store them in your code, which helps improve the security of your applications.
Get started with the azsecrets package and learn how to manage your secrets in an Azure key vault by using Go.
Prerequisites
- An Azure subscription. If you don't already have a subscription, you can create a trial subscription.
- Go version 1.18 or later, installed.
- The Azure CLI, installed.
Setup
For purposes of this quickstart, you use the azidentity package to authenticate to Azure by using the Azure CLI. To learn about the various authentication methods, see Azure authentication with the Azure SDK for Go.
Sign in to the Azure portal
In the Azure CLI, run the following command:
az cloud set -n AzureChinaCloud
az login
# To return to public Azure, run: az cloud set -n AzureCloud
If the Azure CLI can open your default browser, it will do so on the Azure portal sign-in page.
If the page doesn't open automatically, go to https://aka.ms/deviceloginchina, and then enter the authorization code that's displayed in your terminal.
Sign in to the Azure portal with your account credentials.
Create a resource group and key vault instance
Run the following Azure CLI commands:
az group create --name quickstart-rg --location chinaeast
az keyvault create --name quickstart-kv --resource-group quickstart-rg
Key Vault names must be globally unique, so the name may already be taken. If it is, choose a different, unique name for your key vault.
Create a new Go module and install packages
Run the following Go commands:
go mod init kvSecrets
go get -u github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets
go get -u github.com/Azure/azure-sdk-for-go/sdk/azidentity
Sample code
Create a file named main.go, and then paste the following code into it:
package main

import (
	"context"
	"fmt"
	"log"
	"os"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
)

func main() {
	mySecretName := "secretName01"
	mySecretValue := "secretValue"
	// The vault name is read from the KEY_VAULT_NAME environment variable.
	vaultURI := fmt.Sprintf("https://%s.vault.azure.cn/", os.Getenv("KEY_VAULT_NAME"))

	// Create a credential using the NewDefaultAzureCredential type.
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}

	// Establish a connection to the Key Vault client
	client, err := azsecrets.NewClient(vaultURI, cred, nil)
	if err != nil {
		log.Fatalf("failed to create the client: %v", err)
	}

	// Create a secret
	params := azsecrets.SetSecretParameters{Value: &mySecretValue}
	_, err = client.SetSecret(context.TODO(), mySecretName, params, nil)
	if err != nil {
		log.Fatalf("failed to create a secret: %v", err)
	}

	// Get a secret. An empty string version gets the latest version of the secret.
	version := ""
	resp, err := client.GetSecret(context.TODO(), mySecretName, version, nil)
	if err != nil {
		log.Fatalf("failed to get the secret: %v", err)
	}
	// The value is printed for demonstration only; don't write secret values to logs.
	fmt.Printf("secretValue: %s\n", *resp.Value)

	// List secrets
	pager := client.NewListSecretsPager(nil)
	for pager.More() {
		page, err := pager.NextPage(context.TODO())
		if err != nil {
			log.Fatal(err)
		}
		for _, secret := range page.Value {
			fmt.Printf("Secret ID: %s\n", *secret.ID)
		}
	}

	// Delete a secret. DeleteSecret returns when Key Vault has begun deleting the secret.
	// That can take several seconds to complete, so it may be necessary to wait before
	// performing other operations on the deleted secret.
	delResp, err := client.DeleteSecret(context.TODO(), mySecretName, nil)
	if err != nil {
		log.Fatalf("failed to delete secret: %v", err)
	}
	fmt.Println(delResp.ID.Name() + " has been deleted")
}
Run the code
Before you run the code, create an environment variable named KEY_VAULT_NAME. Set the environment variable value to the name of the key vault that you created previously.
export KEY_VAULT_NAME=quickstart-kv
To start the Go app, run the following command:
go run main.go
secretValue: createdWithGO
Secret ID: https://quickstart-kv.vault.azure.cn/secrets/quickstart-secret
Secret ID: https://quickstart-kv.vault.azure.cn/secrets/secretName
quickstart-secret has been deleted
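The sample builds vaultURI directly from KEY_VAULT_NAME, so an unset or malformed value produces a URI for a host other than the intended vault. The following is an added example, not part of the original quickstart: it validates the name against the Key Vault naming rules (3-24 characters, letters, digits and hyphens, starting with a letter, ending with a letter or digit, no consecutive hyphens) before building the URI. buildVaultURI is a hypothetical helper; the .vault.azure.cn suffix is the one used in the sample above.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"regexp"
	"strings"
)

// vaultSuffix is the Azure China DNS suffix used by this quickstart.
const vaultSuffix = ".vault.azure.cn"

// 3-24 characters: a leading letter, then letters, digits or hyphens,
// then a final letter or digit. Consecutive hyphens are checked separately.
var vaultNameRe = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$`)

// buildVaultURI (hypothetical helper) validates name and returns the vault URI.
func buildVaultURI(name string) (string, error) {
	if name == "" {
		return "", errors.New("KEY_VAULT_NAME is not set")
	}
	if !vaultNameRe.MatchString(name) || strings.Contains(name, "--") {
		return "", fmt.Errorf("invalid key vault name %q", name)
	}
	host := strings.ToLower(name) + vaultSuffix
	uri := "https://" + host + "/"
	// Defence in depth: re-parse and confirm the host is the one intended.
	u, err := url.Parse(uri)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.Host != host || u.Path != "/" {
		return "", fmt.Errorf("unexpected vault URI %q", uri)
	}
	return uri, nil
}

func main() {
	uri, err := buildVaultURI(os.Getenv("KEY_VAULT_NAME"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to connect:", err)
		os.Exit(1)
	}
	fmt.Println("vault URI:", uri)
}
```

In main.go, the returned URI would be passed to azsecrets.NewClient in place of the fmt.Sprintf result.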
Code examples
See the module documentation for more examples.
Clean up resources
Delete the resource group and all its remaining resources by running the following command:
az group delete --resource-group quickstart-rg