Create and Retrieve Secrets with Azure Key Vault

In this article, we will create an Azure Key Vault, store secrets using the Azure CLI, and build a .NET console application that can create and retrieve secrets from the key vault. We will also learn how to configure authentication, manage secrets programmatically, and clean up resources when finished.

Create Azure Key Vault resources and add a secret

Navigate to https://portal.azure.com and sign in using your Azure credentials.

Navigate to web shell at [>_] button and choose Bash.

In the cloud shell toolbar, in the Settings menu, select Go to Classic version (this is required to use the code editor).

Confirm

Click this open editor then you will see vscode like environment.

Give your desired name for resourceGroup and location.

az group create --name vkRG --location eastus

Many of the commands require unique names and use the same parameters. Creating some variables will reduce the changes needed to the commands that create resources. Use your resource group name and location you have chosen in earlier step.

resourceGroup=vkRG
location=eastus
keyVaultName=mykeyvaultname$RANDOM

Run the following command to get the name of the key vault and record the name. You need it later in the Lab.

echo $keyVaultName

Run the following command to create an Azure Key Vault resource. This can take a few minutes to run.

az keyvault create --name $keyVaultName \
    --resource-group $resourceGroup --location $location

Got this error

nicolas [ ~ ]$ az keyvault create --name $keyVaultName \
    --resource-group $resourceGroup --location $location
(MissingSubscriptionRegistration) The subscription is not registered to use namespace 'Microsoft.KeyVault'. See https://aka.ms/rps-not-found for how to register subscriptions.
Code: MissingSubscriptionRegistration
Message: The subscription is not registered to use namespace 'Microsoft.KeyVault'. See https://aka.ms/rps-not-found for how to register subscriptions.
Exception Details:      (MissingSubscriptionRegistration) The subscription is not registered to use namespace 'Microsoft.KeyVault'. See https://aka.ms/rps-not-found for how to register subscriptions.
        Code: MissingSubscriptionRegistration
        Message: The subscription is not registered to use namespace 'Microsoft.KeyVault'. See https://aka.ms/rps-not-found for how to register subscriptions.
        Target: Microsoft.KeyVault

Fix: Go to Resource providers in my subscription and search for Microsoft.KeyVault and then Register it.

It will show you in green and after a few minutes later go back to cloudshell and rerun the command.

Assign a role to your Microsoft Entra user name

To create and retrieve a secret, assign your Microsoft Entra user to the Key Vault Secrets Officer role. This gives your user account permission to set, delete, and list secrets. In a typical scenario you may want to separate the create/read actions by assigning the Key Vault Secrets Officer to one group, and Key Vault Secrets User (can get and list secrets) to another.

Run the following command to retrieve the userPrincipalName from your account. This represents who the role will be assigned to.

userPrincipal=$(az rest --method GET --url https://graph.microsoft.com/v1.0/me \
    --headers 'Content-Type=application/json' \
    --query userPrincipalName --output tsv)

Run the following command to retrieve the resource ID of the key vault. The resource ID sets the scope for the role assignment to a specific key vault.

resourceID=$(az keyvault show --resource-group $resourceGroup \
    --name $keyVaultName --query id --output tsv)

Run the following command to create and assign the Key Vault Secrets Officer role.

az role assignment create --assignee $userPrincipal \
    --role "Key Vault Secrets Officer" \
    --scope $resourceID

Next, add a secret to the key vault you created.

Add and retrieve a secret with Azure CLI

Run the following command to create a secret.

az keyvault secret set --vault-name $keyVaultName \
    --name "MySecret" --value "My secret value"

Run the following command to retrieve the secret to verify it was set.

az keyvault secret show --name "MySecret" --vault-name $keyVaultName

This command returns some JSON. The last line contains the password in plain text.

"value": "My secret value"

Create a .NET console app to store and retrieve secrets

Now that the needed resources are deployed to Azure the next step is to set up the console application. The following steps are performed in the cloud shell.

Run the following commands to create a directory to contain the project and change into the project directory.

mkdir keyvault
cd keyvault

Create the .NET console application

dotnet new console

Run the following commands to add the Azure.Identity and Azure.Security.KeyVault.Secrets packages to the project.

dotnet add package Azure.Identity
dotnet add package Azure.Security.KeyVault.Secrets

Add the starter code for the project

Run the following command in the cloud shell to begin editing the application.

code Program.cs

Replace any existing contents with the following code. Be sure to replace YOUR-KEYVAULT-NAME with your actual key vault name.

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Replace YOUR-KEYVAULT-NAME with your actual Key Vault name
string KeyVaultUrl = "https://mykeyvaultname18121.vault.azure.net/";


// ADD CODE TO CREATE A CLIENT



// ADD CODE TO CREATE A MENU SYSTEM



// ADD CODE TO CREATE A SECRET



// ADD CODE TO LIST SECRETS

Press ctrl+s to save your changes.

Add code to complete the application

Now it's time to add code to complete the application.

Locate the // ADD CODE TO CREATE A CLIENT comment and add the following code directly after the comment. Be sure to review the code and comments.

 // Configure authentication options for connecting to Azure Key Vault
 DefaultAzureCredentialOptions options = new()
 {
     ExcludeEnvironmentCredential = true,
     ExcludeManagedIdentityCredential = true
 };

 // Create the Key Vault client using the URL and authentication credentials
 var client = new SecretClient(new Uri(KeyVaultUrl), new DefaultAzureCredential(options));

Locate the // ADD CODE TO CREATE A MENU SYSTEM comment and add the following code directly after the comment. Be sure to review the code and comments.

// Main application loop - continues until user types 'quit'
while (true)
{
    // Display menu options to the user
    Console.Clear();
    Console.WriteLine("\nPlease select an option:");
    Console.WriteLine("1. Create a new secret");
    Console.WriteLine("2. List all secrets");
    Console.WriteLine("Type 'quit' to exit");
    Console.Write("Enter your choice: ");

    // Read user input and convert to lowercase for easier comparison
    string? input = Console.ReadLine()?.Trim().ToLower();

    // Check if user wants to exit the application
    if (input == "quit")
    {
        Console.WriteLine("Goodbye!");
        break;
    }

    // Process the user's menu selection
    switch (input)
    {
        case "1":
            // Call the method to create a new secret
            await CreateSecretAsync(client);
            break;
        case "2":
            // Call the method to list all existing secrets
            await ListSecretsAsync(client);
            break;
        default:
            // Handle invalid input
            Console.WriteLine("Invalid option. Please enter 1, 2, or 'quit'.");
            break;
    }
}

Locate the // ADD CODE TO CREATE A SECRET comment and add the following code directly after the comment. Be sure to review the code and comments.

async Task CreateSecretAsync(SecretClient client)
{
    try
    {
        Console.Clear();
        Console.WriteLine("\nCreating a new secret...");

        // Get the secret name from user input
        Console.Write("Enter secret name: ");
        string? secretName = Console.ReadLine()?.Trim();

        // Validate that the secret name is not empty
        if (string.IsNullOrEmpty(secretName))
        {
            Console.WriteLine("Secret name cannot be empty.");
            return;
        }

        // Get the secret value from user input
        Console.Write("Enter secret value: ");
        string? secretValue = Console.ReadLine()?.Trim();

        // Validate that the secret value is not empty
        if (string.IsNullOrEmpty(secretValue))
        {
            Console.WriteLine("Secret value cannot be empty.");
            return;
        }

        // Create a new KeyVaultSecret object with the provided name and value
        var secret = new KeyVaultSecret(secretName, secretValue);

        // Store the secret in Azure Key Vault
        await client.SetSecretAsync(secret);

        Console.WriteLine($"Secret '{secretName}' created successfully!");
        Console.WriteLine("Press Enter to continue...");
        Console.ReadLine();
    }
    catch (Exception ex)
    {
        // Handle any errors that occur during secret creation
        Console.WriteLine($"Error creating secret: {ex.Message}");
    }
}

Locate the // ADD CODE TO LIST SECRETS comment and add the following code directly after the comment. Be sure to review the code and comments.

async Task ListSecretsAsync(SecretClient client)
{
    try
    {
        Console.Clear();
        Console.WriteLine("Listing all secrets in the Key Vault...");
        Console.WriteLine("----------------------------------------");

        // Get an async enumerable of all secret properties in the Key Vault
        var secretProperties = client.GetPropertiesOfSecretsAsync();
        bool hasSecrets = false;

        // Iterate through each secret property to retrieve full secret details
        await foreach (var secretProperty in secretProperties)
        {
            hasSecrets = true;
            try
            {
                // Retrieve the actual secret value and metadata using the secret name
                var secret = await client.GetSecretAsync(secretProperty.Name);

                // Display the secret information to the console
                Console.WriteLine($"Name: {secret.Value.Name}");
                Console.WriteLine($"Value: {secret.Value.Value}");
                Console.WriteLine($"Created: {secret.Value.Properties.CreatedOn}");
                Console.WriteLine("----------------------------------------");
            }
            catch (Exception ex)
            {
                // Handle errors for individual secrets (e.g., access denied, secret not found)
                Console.WriteLine($"Error retrieving secret '{secretProperty.Name}': {ex.Message}");
                Console.WriteLine("----------------------------------------");
            }
        }

        // Inform user if no secrets were found in the Key Vault
        if (!hasSecrets)
        {
            Console.WriteLine("No secrets found in the Key Vault.");
        }
    }
    catch (Exception ex)
    {
        // Handle general errors that occur during the listing operation
        Console.WriteLine($"Error listing secrets: {ex.Message}");

    }
    Console.WriteLine("Press Enter to continue...");
    Console.ReadLine();
}

Press ctrl+s to save the file, then ctrl+q to exit the editor.

Sign into Azure and run the app

In the cloud shell, enter the following command to sign into Azure.

az login

You must sign into Azure - even though the cloud shell session is already authenticated.

Run the following command to start the console app. The app will display the menu system for the application.

cd keyvault
dotnet run

You created a secret at the beginning of this exercise, enter 2 to retrieve and display it.
Enter 1 and enter a secret name and value to create a new secret.
List the secrets again to view your new addition.