Quickstart: Manage secrets by using the Azure Key Vault Go client library

In this quickstart, you'll learn how to use the Azure SDK for Go to create, retrieve, list, and delete secrets from an Azure key vault.

You can store a variety of object types in an Azure key vault. When you store secrets in a key vault, you avoid having to store them in your code, which helps improve the security of your applications.

Get started with the azsecrets package and learn how to manage your secrets in an Azure key vault by using Go.

Prerequisites

Setup

For purposes of this quickstart, you use the azidentity package to authenticate to Azure by using the Azure CLI. To learn about the various authentication methods, see Azure authentication with the Azure SDK for Go.

Sign in to the Azure portal

  1. In the Azure CLI, run the following command:

    az cloud set -n AzureChinaCloud
    az login
    # To return to public Azure, run: az cloud set -n AzureCloud
    

    If the Azure CLI can open your default browser, it will do so on the Azure portal sign-in page.

    If the page doesn't open automatically, go to https://aka.ms/deviceloginchina, and then enter the authorization code that's displayed in your terminal.

  2. Sign in to the Azure portal with your account credentials.

Create a resource group and key vault instance

Run the following Azure CLI commands:

az group create --name quickstart-rg --location chinaeast
az keyvault create --name quickstart-kv --resource-group quickstart-rg

Key vault names must be globally unique, so the name quickstart-kv might already be taken. If it is, choose a different name for your key vault and use it in the remaining steps.

Create a new Go module and install packages

Run the following Go commands:

go mod init kvSecrets
go get -u github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets
go get -u github.com/Azure/azure-sdk-for-go/sdk/azidentity

Sample code

Create a file named main.go, and then paste the following code into it:

package main

import (
    "context"
    "fmt"
    "log"
    "os"

    "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
    "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
)

func main() {
    mySecretName := "secretName01"
    mySecretValue := "secretValue"
    vaultURI := fmt.Sprintf("https://%s.vault.azure.cn/", os.Getenv("KEY_VAULT_NAME"))

    // Create a credential using the NewDefaultAzureCredential type.
    cred, err := azidentity.NewDefaultAzureCredential(nil)
    if err != nil {
        log.Fatalf("failed to obtain a credential: %v", err)
    }

    // Establish a connection to the Key Vault client
    client, err := azsecrets.NewClient(vaultURI, cred, nil)
    if err != nil {
        log.Fatalf("failed to create a client: %v", err)
    }

    // Create a secret
    params := azsecrets.SetSecretParameters{Value: &mySecretValue}
    _, err = client.SetSecret(context.TODO(), mySecretName, params, nil)
    if err != nil {
        log.Fatalf("failed to create a secret: %v", err)
    }

    // Get a secret. An empty string version gets the latest version of the secret.
    version := ""
    resp, err := client.GetSecret(context.TODO(), mySecretName, version, nil)
    if err != nil {
        log.Fatalf("failed to get the secret: %v", err)
    }

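    // Printing the value is for demonstration only; avoid writing secret
    // values to stdout or logs in real applications.
    fmt.Printf("secretValue: %s\n", *resp.Value)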

    // List secrets
    pager := client.NewListSecretsPager(nil)
    for pager.More() {
        page, err := pager.NextPage(context.TODO())
        if err != nil {
            log.Fatal(err)
        }
        for _, secret := range page.Value {
            fmt.Printf("Secret ID: %s\n", *secret.ID)
        }
    }

    // Delete a secret. DeleteSecret returns when Key Vault has begun deleting the secret.
    // That can take several seconds to complete, so it may be necessary to wait before
    // performing other operations on the deleted secret.
    delResp, err := client.DeleteSecret(context.TODO(), mySecretName, nil)
    if err != nil {
        log.Fatalf("failed to delete secret: %v", err)
    }

    fmt.Println(delResp.ID.Name() + " has been deleted")
}

Run the code

  1. Before you run the code, create an environment variable named KEY_VAULT_NAME. Set the environment variable value to the name of the key vault that you created previously.

    export KEY_VAULT_NAME=quickstart-kv
    
  2. To start the Go app, run the following command:

    go run main.go
    
    secretValue: createdWithGO
    Secret ID: https://quickstart-kv.vault.azure.cn/secrets/quickstart-secret
    Secret ID: https://quickstart-kv.vault.azure.cn/secrets/secretName
    quickstart-secret has been deleted
    

Code examples

See the module documentation for more examples.

Clean up resources

Delete the resource group and all its remaining resources by running the following command:

az group delete --resource-group quickstart-rg

Next steps