SecretClient Class
- java.
lang. Object - com.
azure. security. keyvault. secrets. SecretClient
- com.
public final class SecretClient
The SecretClient provides synchronous methods to manage KeyVaultSecret in the Azure Key Vault. The client supports creating, retrieving, updating, deleting, purging, backing up, restoring, and listing the KeyVaultSecret. The client also supports listing DeletedSecret for a soft-delete enabled key vault.
Getting Started
In order to interact with the Azure Key Vault service, you will need to create an instance of the SecretClient class, a vault url and a credential object.
The examples shown in this document use a credential object named DefaultAzureCredential for authentication, which is appropriate for most scenarios, including local development and production environments. Additionally, we recommend using a managed identity for authentication in production environments. You can find more information on different ways of authenticating and their corresponding credential types in the Azure Identity documentation".
Sample: Construct Synchronous Secret client
SecretClient secretClient = new SecretClientBuilder()
.credential(new DefaultAzureCredentialBuilder().build())
.vaultUrl("<your-key-vault-url>")
.buildClient();
Create a Secret
The SecretClient can be used to create a secret in the key vault.
Code Sample:
The following code sample demonstrates how to synchronously create and store a secret in the key vault, using the setSecret(String name, String value) API.
KeyVaultSecret secret = secretClient.setSecret("secretName", "secretValue");
System.out.printf("Secret is created with name %s and value %s%n", secret.getName(), secret.getValue());
Note: For the asynchronous sample, refer to SecretAsyncClient.
Get a Secret
The SecretClient can be used to retrieve a secret from the key vault.
Code Sample:
The following code sample demonstrates how to synchronously retrieve a previously stored secret from the Azure KeyVault, using the getSecret(String name) API.
KeyVaultSecret secret = secretClient.getSecret("secretName");
System.out.printf("Secret is returned with name %s and value %s%n",
secret.getName(), secret.getValue());
Note: For the asynchronous sample, refer to SecretAsyncClient.
Delete a Secret
The SecretClient can be used to delete a secret from the key vault.
Code Sample:
The following code sample demonstrates how to delete a secret from the key vault, using the beginDeleteSecret(String name) API.
SyncPoller<DeletedSecret, Void> deleteSecretPoller = secretClient.beginDeleteSecret("secretName");
// Deleted Secret is accessible as soon as polling begins.
PollResponse<DeletedSecret> deleteSecretPollResponse = deleteSecretPoller.poll();
// Deletion date only works for a SoftDelete-enabled Key Vault.
System.out.println("Deleted Date %s" + deleteSecretPollResponse.getValue()
.getDeletedOn().toString());
System.out.printf("Deleted Secret's Recovery Id %s", deleteSecretPollResponse.getValue()
.getRecoveryId());
// Secret is being deleted on server.
deleteSecretPoller.waitForCompletion();
Note: For the asynchronous sample, refer to SecretAsyncClient.
Method Summary
Modifier and Type | Method and Description |
---|---|
byte[] |
backupSecret(String name)
Requests a backup of the secret be downloaded to the client. |
Response<byte[]> |
backupSecretWithResponse(String name, Context context)
Requests a backup of the secret be downloaded to the client. |
Sync |
beginDeleteSecret(String name)
Deletes a secret from the key vault. |
Sync |
beginRecoverDeletedSecret(String name)
Recovers the deleted secret in the key vault to its latest version. |
Deleted |
getDeletedSecret(String name)
Gets a secret that has been deleted for a soft-delete enabled key vault. |
Response<Deleted |
getDeletedSecretWithResponse(String name, Context context)
Gets a secret that has been deleted for a soft-delete enabled key vault. |
Key |
getSecret(String name)
Gets the latest version of the specified secret from the key vault. |
Key |
getSecret(String name, String version)
Gets the specified secret with specified version from the key vault. |
Response<Key |
getSecretWithResponse(String name, String version, Context context)
Gets the specified secret with specified version from the key vault. |
String |
getVaultUrl()
Gets the vault endpoint url to which service requests are sent to. |
Paged |
listDeletedSecrets()
Lists DeletedSecret of the key vault if it has enabled soft-delete. |
Paged |
listDeletedSecrets(Context context)
Lists DeletedSecret of the key vault if it has enabled soft-delete. |
Paged |
listPropertiesOfSecretVersions(String name)
Lists all versions of the specified secret. |
Paged |
listPropertiesOfSecretVersions(String name, Context context)
Lists all versions of the specified secret. |
Paged |
listPropertiesOfSecrets()
Lists secrets in the key vault. |
Paged |
listPropertiesOfSecrets(Context context)
Lists secrets in the key vault. |
void |
purgeDeletedSecret(String name)
Permanently removes a deleted secret, without the possibility of recovery. |
Response<Void> |
purgeDeletedSecretWithResponse(String name, Context context)
Permanently removes a deleted secret, without the possibility of recovery. |
Key |
restoreSecretBackup(byte[] backup)
Restores a backed up secret, and all its versions, to a vault. |
Response<Key |
restoreSecretBackupWithResponse(byte[] backup, Context context)
Restores a backed up secret, and all its versions, to a vault. |
Key |
setSecret(KeyVaultSecret secret)
Adds a secret to the key vault if it does not exist. |
Key |
setSecret(String name, String value)
Adds a secret to the key vault if it does not exist. |
Response<Key |
setSecretWithResponse(KeyVaultSecret secret, Context context)
Adds a secret to the key vault if it does not exist. |
Secret |
updateSecretProperties(SecretProperties secretProperties)
Updates the attributes associated with the secret. |
Response<Secret |
updateSecretPropertiesWithResponse(SecretProperties secretProperties, Context context)
Updates the attributes associated with the secret. |
Methods inherited from java.lang.Object
Method Details
backupSecret
public byte[] backupSecret(String name)
Requests a backup of the secret be downloaded to the client. All versions of the secret will be downloaded. This operation requires the secrets/backup
permission.
Code sample
Backs up the secret from the key vault and prints out the length of the secret's backup byte array returned in the response
byte[] secretBackup = secretClient.backupSecret("secretName");
System.out.printf("Secret's Backup Byte array's length %s", secretBackup.length);
Parameters:
Returns:
backupSecretWithResponse
public Response
Requests a backup of the secret be downloaded to the client. All versions of the secret will be downloaded. This operation requires the secrets/backup
permission.
Code sample
Backs up the secret from the key vault and prints out the length of the secret's backup byte array returned in the response
byte[] secretBackup = secretClient.backupSecretWithResponse("secretName",
new Context(key1, value1)).getValue();
System.out.printf("Secret's Backup Byte array's length %s", secretBackup.length);
Parameters:
Returns:
beginDeleteSecret
public SyncPoller
Deletes a secret from the key vault. If soft-delete is enabled on the key vault then the secret is placed in the deleted state and for permanent deletion, needs to be purged. Otherwise, the secret is permanently deleted. All versions of a secret are deleted. This cannot be applied to individual versions of a secret. This operation requires the secrets/delete
permission.
Code sample
Deletes the secret from a soft-delete enabled key vault. Prints out the recovery id of the deleted secret returned in the response.
SyncPoller<DeletedSecret, Void> deleteSecretPoller = secretClient.beginDeleteSecret("secretName");
// Deleted Secret is accessible as soon as polling begins.
PollResponse<DeletedSecret> deleteSecretPollResponse = deleteSecretPoller.poll();
// Deletion date only works for a SoftDelete-enabled Key Vault.
System.out.println("Deleted Date %s" + deleteSecretPollResponse.getValue()
.getDeletedOn().toString());
System.out.printf("Deleted Secret's Recovery Id %s", deleteSecretPollResponse.getValue()
.getRecoveryId());
// Secret is being deleted on server.
deleteSecretPoller.waitForCompletion();
Parameters:
Returns:
beginRecoverDeletedSecret
public SyncPoller
Recovers the deleted secret in the key vault to its latest version. Can only be performed on a soft-delete enabled vault. This operation requires the secrets/recover
permission.
Code sample
Recovers the deleted secret from the key vault enabled for soft-delete. Prints out the details of the recovered secret returned in the response.
SyncPoller<KeyVaultSecret, Void> recoverSecretPoller =
secretClient.beginRecoverDeletedSecret("deletedSecretName");
// Deleted Secret can be accessed as soon as polling is in progress.
PollResponse<KeyVaultSecret> recoveredSecretPollResponse = recoverSecretPoller.poll();
System.out.println("Recovered Key Name %s" + recoveredSecretPollResponse.getValue().getName());
System.out.printf("Recovered Key's Id %s", recoveredSecretPollResponse.getValue().getId());
// Key is being recovered on server.
recoverSecretPoller.waitForCompletion();
Parameters:
Returns:
getDeletedSecret
public DeletedSecret getDeletedSecret(String name)
Gets a secret that has been deleted for a soft-delete enabled key vault. This operation requires the secrets/list
permission.
Code sample
Gets the deleted secret from the key vault enabled for soft-delete. Prints out the details of the deleted secret returned in the response.
DeletedSecret deletedSecret = secretClient.getDeletedSecret("secretName");
System.out.printf("Deleted Secret's Recovery Id %s", deletedSecret.getRecoveryId());
Parameters:
Returns:
getDeletedSecretWithResponse
public Response
Gets a secret that has been deleted for a soft-delete enabled key vault. This operation requires the secrets/list
permission.
Code sample
Gets the deleted secret from the key vault enabled for soft-delete. Prints out the details of the deleted secret returned in the response.
DeletedSecret deletedSecret = secretClient.getDeletedSecretWithResponse("secretName",
new Context(key2, value2)).getValue();
System.out.printf("Deleted Secret's Recovery Id %s", deletedSecret.getRecoveryId());
Parameters:
Returns:
getSecret
public KeyVaultSecret getSecret(String name)
Gets the latest version of the specified secret from the key vault. This operation requires the secrets/get
permission.
Code sample
Gets the latest version of the secret in the key vault. Prints out the details of the returned secret.
KeyVaultSecret secret = secretClient.getSecret("secretName");
System.out.printf("Secret is returned with name %s and value %s%n",
secret.getName(), secret.getValue());
Parameters:
Returns:
getSecret
public KeyVaultSecret getSecret(String name, String version)
Gets the specified secret with specified version from the key vault. This operation requires the secrets/get
permission.
Code sample
Gets a specific version of the secret in the key vault. Prints out the details of the returned secret.
String secretVersion = "6A385B124DEF4096AF1361A85B16C204";
KeyVaultSecret secretWithVersion = secretClient.getSecret("secretName", secretVersion);
System.out.printf("Secret is returned with name %s and value %s%n",
secretWithVersion.getName(), secretWithVersion.getValue());
Parameters:
Returns:
getSecretWithResponse
public Response
Gets the specified secret with specified version from the key vault. This operation requires the secrets/get
permission.
Code sample
Gets a specific version of the secret in the key vault. Prints out the details of the returned secret.
String secretVersion = "6A385B124DEF4096AF1361A85B16C204";
KeyVaultSecret secretWithVersion = secretClient.getSecretWithResponse("secretName", secretVersion,
new Context(key2, value2)).getValue();
System.out.printf("Secret is returned with name %s and value %s%n",
secretWithVersion.getName(), secretWithVersion.getValue());
Parameters:
Returns:
getVaultUrl
public String getVaultUrl()
Gets the vault endpoint url to which service requests are sent to.
Returns:
listDeletedSecrets
public PagedIterable
Lists DeletedSecret of the key vault if it has enabled soft-delete. This operation requires the secrets/list
permission.
Iterate over secrets
Lists the deleted secrets in the key vault and for each deleted secret prints out its recovery id.
for (DeletedSecret deletedSecret : secretClient.listDeletedSecrets()) {
System.out.printf("Deleted secret's recovery Id %s", deletedSecret.getRecoveryId());
}
Iterate over secrets by page
Iterate over Lists the deleted secrets by page in the key vault and for each deleted secret prints out its recovery id.
secretClient.listDeletedSecrets().iterableByPage().forEach(resp -> {
System.out.printf("Got response headers . Url: %s, Status code: %d %n",
resp.getRequest().getUrl(), resp.getStatusCode());
resp.getItems().forEach(value -> {
System.out.printf("Deleted secret's recovery Id %s", value.getRecoveryId());
});
});
Returns:
listDeletedSecrets
public PagedIterable
Lists DeletedSecret of the key vault if it has enabled soft-delete. This operation requires the secrets/list
permission.
Code sample
Lists the deleted secrets in the key vault and for each deleted secret prints out its recovery id.
for (DeletedSecret deletedSecret : secretClient.listDeletedSecrets(new Context(key1, value2))) {
System.out.printf("Deleted secret's recovery Id %s", deletedSecret.getRecoveryId());
}
Parameters:
Returns:
listPropertiesOfSecretVersions
public PagedIterable
Lists all versions of the specified secret. Each SecretProperties returned only has its identifier and attributes populated. The secret values and secret versions are not listed in the response. This operation requires the secrets/list
permission.
Code sample
The sample below fetches all versions of the given secret. For each secret version retrieved, makes a call to getSecret(String name, String version) to get the version's value, and then prints it out.
for (SecretProperties secret : secretClient.listPropertiesOfSecretVersions("secretName")) {
KeyVaultSecret secretWithValue = secretClient.getSecret(secret.getName(), secret.getVersion());
System.out.printf("Received secret's version with name %s and value %s",
secretWithValue.getName(), secretWithValue.getValue());
}
Parameters:
Returns:
name
does not exist in key vaultlistPropertiesOfSecretVersions
public PagedIterable
Lists all versions of the specified secret. Each SecretProperties returned only has its identifier and attributes populated. The secret values and secret versions are not listed in the response. This operation requires the secrets/list
permission.
Code sample
The sample below fetches all versions of the given secret. For each secret version retrieved, makes a call to getSecret(String name, String version) to get the version's value, and then prints it out.
for (SecretProperties secret : secretClient
.listPropertiesOfSecretVersions("secretName", new Context(key1, value2))) {
KeyVaultSecret secretWithValue = secretClient.getSecret(secret.getName(), secret.getVersion());
System.out.printf("Received secret's version with name %s and value %s",
secretWithValue.getName(), secretWithValue.getValue());
}
Iterate over secret versions by page
The sample below iterates over each SecretProperties by each page and calls getSecret(String name, String version). This will return the KeyVaultSecret with the corresponding version's value.
secretClient.listPropertiesOfSecretVersions("secretName", new Context(key1, value2))
.iterableByPage().forEach(resp -> {
System.out.printf("Got response headers . Url: %s, Status code: %d %n",
resp.getRequest().getUrl(), resp.getStatusCode());
resp.getItems().forEach(value -> {
KeyVaultSecret secretWithValue = secretClient.getSecret(value.getName(), value.getVersion());
System.out.printf("Received secret's version with name %s and value %s",
secretWithValue.getName(), secretWithValue.getValue());
});
});
Parameters:
Returns:
name
does not exist in key vaultlistPropertiesOfSecrets
public PagedIterable
Lists secrets in the key vault. Each SecretProperties returned only has its identifier and attributes populated. The secret values and their versions are not listed in the response. This operation requires the secrets/list
permission.
Iterate through secrets and fetch their latest value
The snippet below loops over each SecretProperties and calls getSecret(String name, String version). This gets the KeyVaultSecret and the value of its latest version.
for (SecretProperties secret : secretClient.listPropertiesOfSecrets()) {
KeyVaultSecret secretWithValue = secretClient.getSecret(secret.getName(), secret.getVersion());
System.out.printf("Received secret with name %s and value %s",
secretWithValue.getName(), secretWithValue.getValue());
}
Iterate over secrets by page
The snippet below loops over each SecretProperties by page and calls getSecret(String name, String version). This gets the KeyVaultSecret and the value of its latest version.
secretClient.listPropertiesOfSecrets().iterableByPage().forEach(resp -> {
System.out.printf("Response headers are %s. Url %s and status code %d %n", resp.getHeaders(),
resp.getRequest().getUrl(), resp.getStatusCode());
resp.getItems().forEach(value -> {
KeyVaultSecret secretWithValue = secretClient.getSecret(value.getName(), value.getVersion());
System.out.printf("Received secret with name %s and value %s",
secretWithValue.getName(), secretWithValue.getValue());
});
});
Returns:
listPropertiesOfSecrets
public PagedIterable
Lists secrets in the key vault. Each SecretProperties returned only has its identifier and attributes populated. The secret values and their versions are not listed in the response. This operation requires the secrets/list
permission.
Iterate over secrets and fetch their latest value
The snippet below loops over each SecretProperties and calls getSecret(String name, String version). This gets the KeyVaultSecret and the value of its latest version.
for (SecretProperties secret : secretClient.listPropertiesOfSecrets(new Context(key1, value2))) {
KeyVaultSecret secretWithValue = secretClient.getSecret(secret.getName(), secret.getVersion());
System.out.printf("Received secret with name %s and value %s",
secretWithValue.getName(), secretWithValue.getValue());
}
Parameters:
Returns:
purgeDeletedSecret
public void purgeDeletedSecret(String name)
Permanently removes a deleted secret, without the possibility of recovery. This operation can only be performed on a soft-delete enabled vault. This operation requires the secrets/purge
permission.
Code sample
Purges the deleted secret from the key vault enabled for soft-delete. Prints out the status code from the server response.
secretClient.purgeDeletedSecret("secretName");
Parameters:
purgeDeletedSecretWithResponse
public Response
Permanently removes a deleted secret, without the possibility of recovery. This operation can only be performed on a soft-delete enabled vault. This operation requires the secrets/purge
permission.
Code sample
Purges the deleted secret from the key vault enabled for soft-delete. Prints out the status code from the server response.
Response<Void> purgeResponse = secretClient.purgeDeletedSecretWithResponse("secretName",
new Context(key1, value1));
System.out.printf("Purge Status Code: %d", purgeResponse.getStatusCode());
Parameters:
Returns:
restoreSecretBackup
public KeyVaultSecret restoreSecretBackup(byte[] backup)
Restores a backed up secret, and all its versions, to a vault. This operation requires the secrets/restore
permission.
Code sample
Restores the secret in the key vault from its backup byte array. Prints out the details of the restored secret returned in the response.
// Pass the secret backup byte array of the secret to be restored.
byte[] secretBackupByteArray = {};
KeyVaultSecret restoredSecret = secretClient.restoreSecretBackup(secretBackupByteArray);
System.out
.printf("Restored Secret with name %s and value %s", restoredSecret.getName(), restoredSecret.getValue());
Parameters:
Returns:
restoreSecretBackupWithResponse
public Response
Restores a backed up secret, and all its versions, to a vault. This operation requires the secrets/restore
permission.
Code sample
Restores the secret in the key vault from its backup byte array. Prints out the details of the restored secret returned in the response.
// Pass the secret backup byte array of the secret to be restored.
byte[] secretBackupByteArray = {};
KeyVaultSecret restoredSecret = secretClient.restoreSecretBackupWithResponse(secretBackupByteArray,
new Context(key2, value2)).getValue();
System.out
.printf("Restored Secret with name %s and value %s", restoredSecret.getName(), restoredSecret.getValue());
Parameters:
Returns:
setSecret
public KeyVaultSecret setSecret(KeyVaultSecret secret)
Adds a secret to the key vault if it does not exist. If the named secret exists, a new version of the secret is created. This operation requires the secrets/set
permission.
The getExpiresOn(), getContentType(), and getNotBefore() values in secret
are optional. If not specified, isEnabled() is set to true by key vault.
Code sample
Creates a new secret in the key vault. Prints out the details of the newly created secret returned in the response.
KeyVaultSecret newSecret = new KeyVaultSecret("secretName", "secretValue")
.setProperties(new SecretProperties().setExpiresOn(OffsetDateTime.now().plusDays(60)));
KeyVaultSecret returnedSecret = secretClient.setSecret(newSecret);
System.out.printf("Secret is created with name %s and value %s%n", returnedSecret.getName(),
returnedSecret.getValue());
Parameters:
Returns:
setSecret
public KeyVaultSecret setSecret(String name, String value)
Adds a secret to the key vault if it does not exist. If the named secret exists, a new version of the secret is created. This operation requires the secrets/set
permission.
Code sample
Creates a new secret in the key vault. Prints out the details of the newly created secret returned in the response.
KeyVaultSecret secret = secretClient.setSecret("secretName", "secretValue");
System.out.printf("Secret is created with name %s and value %s%n", secret.getName(), secret.getValue());
Parameters:
Returns:
setSecretWithResponse
public Response
Adds a secret to the key vault if it does not exist. If the named secret exists, a new version of the secret is created. This operation requires the secrets/set
permission.
Code sample
Creates a new secret in the key vault. Prints out the details of the newly created secret returned in the response.
KeyVaultSecret newSecret = new KeyVaultSecret("secretName", "secretValue")
.setProperties(new SecretProperties().setExpiresOn(OffsetDateTime.now().plusDays(60)));
KeyVaultSecret secret = secretClient.setSecretWithResponse(newSecret, new Context(key1, value1)).getValue();
System.out.printf("Secret is created with name %s and value %s%n", secret.getName(), secret.getValue());
Parameters:
Returns:
updateSecretProperties
public SecretProperties updateSecretProperties(SecretProperties secretProperties)
Updates the attributes associated with the secret. The value of the secret in the key vault cannot be changed. Only attributes populated in secretProperties
are changed. Attributes not specified in the request are not changed. This operation requires the secrets/set
permission.
The secret
is required and its fields getName() and getVersion() cannot be null.
Code sample
Gets the latest version of the secret, changes its expiry time, and the updates the secret in the key vault.
SecretProperties secretProperties = secretClient.getSecret("secretName").getProperties();
secretProperties.setExpiresOn(OffsetDateTime.now().plusDays(60));
SecretProperties updatedSecretProperties = secretClient.updateSecretProperties(secretProperties);
KeyVaultSecret updatedSecret = secretClient.getSecret(updatedSecretProperties.getName());
System.out.printf("Updated Secret is returned with name %s, value %s and expires %s%n",
updatedSecret.getName(), updatedSecret.getValue(), updatedSecret.getProperties().getExpiresOn());
Parameters:
Returns:
updateSecretPropertiesWithResponse
public Response
Updates the attributes associated with the secret. The value of the secret in the key vault cannot be changed. Only attributes populated in secretProperties
are changed. Attributes not specified in the request are not changed. This operation requires the secrets/set
permission.
The secret
is required and its fields getName() and getVersion() cannot be null.
Code sample
Gets the latest version of the secret, changes its expiry time, and the updates the secret in the key vault.
SecretProperties secretProperties = secretClient.getSecret("secretName").getProperties();
secretProperties.setExpiresOn(OffsetDateTime.now().plusDays(60));
SecretProperties updatedSecretBase = secretClient.updateSecretPropertiesWithResponse(secretProperties,
new Context(key2, value2)).getValue();
KeyVaultSecret updatedSecret = secretClient.getSecret(updatedSecretBase.getName());
System.out.printf("Updated Secret is returned with name %s, value %s and expires %s%n",
updatedSecret.getName(), updatedSecret.getValue(), updatedSecret.getProperties().getExpiresOn());
Parameters:
Returns:
Applies to
Azure SDK for Java