This sample demonstrates how to create, get, update, and delete a secret in Azure Key Vault. To get started, you'll need a URI to an Azure Key Vault. See the README for links and instructions.
To create a new SecretClient to create, get, update, or delete secrets, you need the endpoint to a Key Vault and credentials.
You can use the DefaultAzureCredential to try a number of common authentication methods optimized for both running as a service and development.
In the sample below, you can set keyVaultUrl based on an environment variable, configuration setting, or any way that works for your application.
var client = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential());Let's next create a secret holding a bank account credential valid for 1 year. If the secret already exists in the Key Vault, a new version of the secret is created.
string secretName = $"BankAccountPassword-{Guid.NewGuid()}";
var secret = new KeyVaultSecret(secretName, "f4G34fMh8v");
secret.Properties.ExpiresOn = DateTimeOffset.Now.AddYears(1);
client.SetSecret(secret);Now let's get the bank secret from the Key Vault.
KeyVaultSecret bankSecret = client.GetSecret(secretName);
Debug.WriteLine($"Secret is returned with name {bankSecret.Name} and value {bankSecret.Value}");After one year if the bank account is still active, we need to update the expiration time of the secret. The update method can be used to update the expiration attribute of the secret. It cannot be used to update the value of the secret.
bankSecret.Properties.ExpiresOn = bankSecret.Properties.ExpiresOn.Value.AddYears(1);
SecretProperties updatedSecret = client.UpdateSecretProperties(bankSecret.Properties);
Debug.WriteLine($"Secret's updated expiry time is {updatedSecret.ExpiresOn}");Assume the bank forced a password update for security purposes. Let's change the value of the secret in the Key Vault. To achieve this, we need to create a new version of the secret in the Key Vault. The update operation cannot change the value of the secret.
var secretNewValue = new KeyVaultSecret(secretName, "bhjd4DDgsa");
secretNewValue.Properties.ExpiresOn = DateTimeOffset.Now.AddYears(1);
client.SetSecret(secretNewValue);The bank account was closed. You need to delete its credentials from the Key Vault.
DeleteSecretOperation operation = client.StartDeleteSecret(secretName);If the Key Vault is soft delete-enabled and you want to permanently delete the secret before its ScheduledPurgeDate,
the deleted secret needs to be purged. Before it can be purged, you need to wait until the secret is fully deleted.
// You only need to wait for completion if you want to purge or recover the secret.
while (!operation.HasCompleted)
{
Thread.Sleep(2000);
operation.UpdateStatus();
}
client.PurgeDeletedSecret(secretName);When writing asynchronous code, you can instead await WaitForCompletionAsync to wait indefinitely.
You can optionally pass in a CancellationToken to cancel waiting after a certain period or time or any other trigger you require.
// You only need to wait for completion if you want to purge or recover the secret.
await operation.WaitForCompletionAsync();
await client.PurgeDeletedSecretAsync(secretName);To see the full example source, see: