# Azure Key Vault Secrets client module for Go Azure Key Vault helps solve the following problems: * Secrets management (this module) - securely store and control access to tokens, passwords, certificates, API keys, and other secrets * Managed HSM administration ([azadmin](https://aka.ms/azsdk/go/keyvault-admin/docs)) - role-based access control (RBAC), settings, and vault-level backup and restore options * Certificate management ([azcertificates](https://aka.ms/azsdk/go/keyvault-certificates/docs)) - create, manage, and deploy public and private SSL/TLS certificates * Cryptographic key management ([azkeys](https://azsdk/go/keyvault-keys/docs)) - create, store, and control access to the keys used to encrypt your data [Source code][module_source] | [Package (pkg.go.dev)][reference_docs] | [Product documentation][keyvault_docs] | [Samples][secrets_samples] ## Getting started ### Install packages Install `azsecrets` and `azidentity` with `go get`: ``` go get github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets go get github.com/Azure/azure-sdk-for-go/sdk/azidentity ``` [azidentity][azure_identity] is used for Azure Active Directory authentication as demonstrated below. ### Prerequisites * An [Azure subscription][azure_sub] * A supported Go version (the Azure SDK supports the two most recent Go releases) * A key vault. If you need to create one, see the Key Vault documentation for instructions on doing so in the [Azure Portal][azure_keyvault_portal] or with the [Azure CLI][azure_keyvault_cli]. ### Authentication This document demonstrates using [azidentity.NewDefaultAzureCredential][default_cred_ref] to authenticate. This credential type works in both local development and production environments. We recommend using a [managed identity][managed_identity] in production. [Client][client_docs] accepts any [azidentity][azure_identity] credential. See the [azidentity][azure_identity] documentation for more information about other credential types. #### Create a client Constructing the client also requires your vault's URL, which you can get from the Azure CLI or the Azure Portal. ```golang import ( "github.com/Azure/azure-sdk-for-go/sdk/azidentity" "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets" ) func main() { cred, err := azidentity.NewDefaultAzureCredential(nil) if err != nil { // TODO: handle error } client := azsecrets.NewClient("https://.vault.azure.net", cred, nil) } ``` ## Key concepts ### Secret A secret consists of a secret value and its associated metadata and management information. This library handles secret values as strings, but Azure Key Vault doesn't store them as such. For more information about secrets and how Key Vault stores and manages them, see the [Key Vault documentation](https://docs.microsoft.com/azure/key-vault/general/about-keys-secrets-certificates). `azseecrets.Client` can set secret values in the vault, update secret metadata, and delete secrets, as shown in the examples below. ## Examples Get started with our [examples][secrets_samples]. ## Troubleshooting ### Error Handling All methods which send HTTP requests return `*azcore.ResponseError` when these requests fail. `ResponseError` has error details and the raw response from Key Vault. ```go import "github.com/Azure/azure-sdk-for-go/sdk/azcore" resp, err := client.GetSecret(context.Background(), "secretName", nil) if err != nil { var httpErr *azcore.ResponseError if errors.As(err, &httpErr) { // TODO: investigate httpErr } else { // TODO: not an HTTP error } } ``` ### Logging This module uses the logging implementation in `azcore`. To turn on logging for all Azure SDK modules, set `AZURE_SDK_GO_LOGGING` to `all`. By default the logger writes to stderr. Use the `azcore/log` package to control log output. For example, logging only HTTP request and response events, and printing them to stdout: ```go import azlog "github.com/Azure/azure-sdk-for-go/sdk/azcore/log" // Print log events to stdout azlog.SetListener(func(cls azlog.Event, msg string) { fmt.Println(msg) }) // Includes only requests and responses in logs azlog.SetEvents(azlog.EventRequest, azlog.EventResponse) ``` ### Accessing `http.Response` You can access the raw `*http.Response` returned by Key Vault using the `runtime.WithCaptureResponse` method and a context passed to any client method. ```go import "github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime" var response *http.Response ctx := runtime.WithCaptureResponse(context.TODO(), &response) _, err = client.GetSecret(ctx, "secretName", nil) if err != nil { // TODO: handle error } // TODO: do something with response ``` ### Additional Documentation See the [API reference documentation][reference_docs] for complete documentation of this module. ## Contributing This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com. When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA. This project has adopted the [Microsoft Open Source Code of Conduct][code_of_conduct]. For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact opencode@microsoft.com with any additional questions or comments. [azure_identity]: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity [azure_keyvault_cli]: https://docs.microsoft.com/azure/key-vault/general/quick-create-cli [azure_keyvault_portal]: https://docs.microsoft.com/azure/key-vault/general/quick-create-portal [azure_sub]: https://azure.microsoft.com/free/ [code_of_conduct]: https://opensource.microsoft.com/codeofconduct/ [default_cred_ref]: https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/azidentity#defaultazurecredential [keyvault_docs]: https://docs.microsoft.com/azure/key-vault/ [managed_identity]: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview [reference_docs]: https://aka.ms/azsdk/go/keyvault-secrets/docs [client_docs]: https://aka.ms/azsdk/go/keyvault-secrets/docs#Client [module_source]: https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/security/keyvault/azsecrets [secrets_samples]: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets#pkg-examples ![Impressions](https://azure-sdk-impressions.azurewebsites.net/api/impressions/azure-sdk-for-go%2Fsdk%2Fsecurity%2Fkeyvault%2Fazsecrets%2FREADME.png)