This example demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the DefaultAzureCredential
. There's also a compilable sample to create a Key Vault secret client you can copy-paste.
/**
* The default credential first checks environment variables for configuration.
* If environment configuration is incomplete, it will try managed identity.
*/
public void createDefaultAzureCredential() {
DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder().build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(defaultCredential)
.buildClient();
}
See more how to configure the DefaultAzureCredential
on your workstation or Azure in Configure DefaultAzureCredential.
This example demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the DefaultAzureCredential
, deployed to an Azure resource with a user assigned managed identity configured.
See more about how to configure a user assigned managed identity for an Azure resource in Enable managed identity for Azure resources.
/**
* The default credential will use the user assigned managed identity with the specified client ID.
*/
public void createDefaultAzureCredentialForUserAssignedManagedIdentity() {
DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
.managedIdentityClientId("<MANAGED_IDENTITY_CLIENT_ID>")
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(defaultCredential)
.buildClient();
}
This example demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the DefaultAzureCredential
, on a workstation with IntelliJ IDEA installed, and the user has signed in with an Azure account to the Azure Toolkit for IntelliJ.
See more about how to configure your IntelliJ IDEA in Sign in Azure Toolkit for IntelliJ for IntelliJCredential.
/**
* The default credential will use the KeePass database path to find the user account in IntelliJ on Windows.
*/
public void createDefaultAzureCredentialForIntelliJ() {
DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder()
// KeePass configuration required only for Windows. No configuration needed for Linux / Mac
.intelliJKeePassDatabasePath("C:\\Users\\user\\AppData\\Roaming\\JetBrains\\IdeaIC2020.1\\c.kdbx")
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(defaultCredential)
.buildClient();
}
This example demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the ClientSecretCredential
. There's also a compilable sample to create a Key Vault secret client you can copy-paste.
See more about how to create a service principal and get these values in Creating a Service Principal with the Azure CL.
/**
* Authenticate with client secret.
*/
public void createClientSecretCredential() {
ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
.clientId("<YOUR_CLIENT_ID>")
.clientSecret("<YOUR_CLIENT_SECRET>")
.tenantId("<YOUR_TENANT_ID>")
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(clientSecretCredential)
.buildClient();
}
This example demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the ClientCertificateCredential
. There's also a compilable sample to create a Key Vault secret client you can copy-paste.
See more about how to create a service principal and get these values in Creating a Service Principal with the Azure CL.
/**
* Authenticate with a client certificate.
*/
public void createClientCertificateCredential() {
ClientCertificateCredential clientCertificateCredential = new ClientCertificateCredentialBuilder()
.clientId("<YOUR_CLIENT_ID>")
.pemCertificate("<PATH TO PEM CERTIFICATE>")
// choose between either a PEM certificate or a PFX certificate
//.pfxCertificate("<PATH TO PFX CERTIFICATE>", "PFX CERTIFICATE PASSWORD")
.tenantId("<YOUR_TENANT_ID>")
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(clientCertificateCredential)
.buildClient();
}
This example demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the DeviceCodeCredential
on an IoT device. There's also a compilable sample to create a Key Vault secret client you can copy-paste.
See more about how to configure an AAD application for device code flow in Enable applications for device code flow
/**
* Authenticate with device code credential.
*/
public void createDeviceCodeCredential() {
DeviceCodeCredential deviceCodeCredential = new DeviceCodeCredentialBuilder()
.challengeConsumer(challenge -> {
// lets user know of the challenge
System.out.println(challenge.getMessage());
})
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(deviceCodeCredential)
.buildClient();
}
This example demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the UsernamePasswordCredential
. The user must not have Multi-factor auth turned on. There's also a compilable sample to create a Key Vault secret client you can copy-paste.
/**
* Authenticate with username, password.
*/
public void createUserNamePasswordCredential() {
UsernamePasswordCredential usernamePasswordCredential = new UsernamePasswordCredentialBuilder()
.clientId("<YOUR_CLIENT_ID>")
.username("<YOUR_USERNAME>")
.password("<YOUR_PASSWORD>")
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(usernamePasswordCredential)
.buildClient();
}
This example demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the InteractiveBrowserCredential
. There's also a compilable sample to create a Key Vault secret client you can copy-paste.
See more about how to configure an AAD application for interactive browser authentication and listen on a port locally in Enable applications for interactive browser oauth 2 flow
/**
* Authenticate interactively in the browser.
*/
public void createInteractiveBrowserCredential() {
InteractiveBrowserCredential interactiveBrowserCredential = new InteractiveBrowserCredentialBuilder()
.clientId("<YOUR CLIENT ID>")
.port(8765)
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(interactiveBrowserCredential)
.buildClient();
}
This example demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the AuthorizationCodeCredential
on a web application.
First, prompt the user to login at the URL documented at Microsoft identity platform and OAuth 2.0 authorization code flow. You will need the client id, tenant id, redirect URL, and the scopes your application plans to access.
Then create an API at the redirect URL with the following code to access the Key Vault service.
See more about how to configure an AAD application for oauth 2 auth code flow in Enable applications for oauth 2 auth code flow.
/**
* Authenticate with authorization code.
*/
public void createAuthCodeCredential() {
AuthorizationCodeCredential authCodeCredential = new AuthorizationCodeCredentialBuilder()
.clientId("<YOUR CLIENT ID>")
.authorizationCode("<AUTH CODE FROM QUERY PARAMETERS")
.redirectUrl("<THE REDIRECT URL>")
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(authCodeCredential)
.buildClient();
}
This example demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the AzureCliCredential
on a workstation with Azure CLI installed and signed in.
See more about how to configure Azure CLI in Sign in Azure CLI for AzureCliCredential.
/**
* Authenticate with Azure CLI.
*/
public void createAzureCliCredential() {
AzureCliCredential cliCredential = new AzureCliCredentialBuilder().build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(cliCredential)
.buildClient();
}
This example demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the IntelliJCredential
on a workstation with IntelliJ IDEA installed, and the user has signed in with an Azure account.
See more about how to configure your IntelliJ IDEA in Sign in Azure Toolkit for IntelliJ for IntelliJCredential.
/**
* Authenticate with IntelliJ IDEA.
*/
public void createIntelliJCredential() {
IntelliJCredential intelliJCredential = new IntelliJCredentialBuilder()
// KeePass configuration required only for Windows. No configuration needed for Linux / Mac
.keePassDatabasePath("C:\\Users\\user\\AppData\\Roaming\\JetBrains\\IdeaIC2020.1\\c.kdbx")
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(intelliJCredential)
.buildClient();
}
This example demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the VisualStudioCodeCredential
on a workstation with Visual Studio Code installed, and the user has signed in with an Azure account.
See more about how to configure your Visual Studio Code in Sign in Visual Studio Code Azure Account Extension for VisualStudioCodeCredential
/**
* Authenticate with Visual Studio Code.
*/
public void createVisualStudioCodeCredential() {
VisualStudioCodeCredential visualStudioCodeCredential = new VisualStudioCodeCredentialBuilder().build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(visualStudioCodeCredential)
.buildClient();
}
This examples demonstrates authenticating the SecretClient
from the azure-security-keyvault-secrets client library using the ManagedIdentityCredential
in a virtual machine, app service, function app, cloud shell, or AKS environment on Azure, with system assigned, or user assigned managed identity enabled.
see more about how to configure your Azure resource for managed identity in Enable managed identity for Azure resources
/**
* Authenticate with a managed identity.
*/
public void createManagedIdentityCredential() {
ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder()
.clientId("<USER ASSIGNED MANAGED IDENTITY CLIENT ID>") // only required for user assigned
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(managedIdentityCredential)
.buildClient();
}
The ChainedTokenCredential
class provides the ability to link together multiple credential instances to be tried sequentially when authenticating. The following example demonstrates creating a credential which will attempt to authenticate using managed identity, and fall back to certificate authentication if a managed identity is unavailable in the current environment. This example authenticates an EventHubClient
from the azure-eventhubs client library using the ChainedTokenCredential
. There's also a compilable sample to create a Key Vault secret client you can copy-paste.
/**
* Authenticate with chained credentials.
*/
public void createChainedCredential() {
ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder()
.clientId("<YOUR_CLIENT_ID>")
.build();
ClientSecretCredential secondServicePrincipal = new ClientSecretCredentialBuilder()
.clientId("<YOUR_CLIENT_ID>")
.clientSecret("<YOUR_CLIENT_SECRET>")
.tenantId("<YOUR_TENANT_ID>")
.build();
// when an access token is requested, the chain will try each
// credential in order, stopping when one provides a token
ChainedTokenCredential credentialChain = new ChainedTokenCredentialBuilder()
.addLast(managedIdentityCredential)
.addLast(secondServicePrincipal)
.build();
// Azure SDK client builders accept the credential as a parameter
SecretClient client = new SecretClientBuilder()
.vaultUrl("https://{YOUR_VAULT_NAME}.vault.azure.net")
.credential(credentialChain)
.buildClient();
}