azure-keyvault-secrets-ts
Manage secrets using Azure Key Vault Secrets SDK for JavaScript (@azure/keyvault-secrets). Use when storing and retrieving application secrets or configuration values.
Best use case
azure-keyvault-secrets-ts is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Manage secrets using Azure Key Vault Secrets SDK for JavaScript (@azure/keyvault-secrets). Use when storing and retrieving application secrets or configuration values.
Teams using azure-keyvault-secrets-ts should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/azure-keyvault-secrets-ts/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How azure-keyvault-secrets-ts Compares
| Feature / Agent | azure-keyvault-secrets-ts | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Manage secrets using Azure Key Vault Secrets SDK for JavaScript (@azure/keyvault-secrets). Use when storing and retrieving application secrets or configuration values.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Azure Key Vault Secrets SDK for TypeScript
Manage secrets with Azure Key Vault.
## Installation
```bash
# Secrets SDK
npm install @azure/keyvault-secrets @azure/identity
```
## Environment Variables
```bash
KEY_VAULT_URL=https://<vault-name>.vault.azure.net
# Or
AZURE_KEYVAULT_NAME=<vault-name>
```
## Authentication
```typescript
import { DefaultAzureCredential } from "@azure/identity";
import { SecretClient } from "@azure/keyvault-secrets";
const credential = new DefaultAzureCredential();
const vaultUrl = `https://${process.env.AZURE_KEYVAULT_NAME}.vault.azure.net`;
const keyClient = new KeyClient(vaultUrl, credential);
const secretClient = new SecretClient(vaultUrl, credential);
```
## Secrets Operations
### Create/Set Secret
```typescript
const secret = await secretClient.setSecret("MySecret", "secret-value");
// With attributes
const secretWithAttrs = await secretClient.setSecret("MySecret", "value", {
enabled: true,
expiresOn: new Date("2025-12-31"),
contentType: "application/json",
tags: { environment: "production" }
});
```
### Get Secret
```typescript
// Get latest version
const secret = await secretClient.getSecret("MySecret");
console.log(secret.value);
// Get specific version
const specificSecret = await secretClient.getSecret("MySecret", {
version: secret.properties.version
});
```
### List Secrets
```typescript
for await (const secretProperties of secretClient.listPropertiesOfSecrets()) {
console.log(secretProperties.name);
}
// List versions
for await (const version of secretClient.listPropertiesOfSecretVersions("MySecret")) {
console.log(version.version);
}
```
### Delete Secret
```typescript
// Soft delete
const deletePoller = await secretClient.beginDeleteSecret("MySecret");
await deletePoller.pollUntilDone();
// Purge (permanent)
await secretClient.purgeDeletedSecret("MySecret");
// Recover
const recoverPoller = await secretClient.beginRecoverDeletedSecret("MySecret");
await recoverPoller.pollUntilDone();
```
## Keys Operations
### Create Keys
```typescript
// Generic key
const key = await keyClient.createKey("MyKey", "RSA");
// RSA key with size
const rsaKey = await keyClient.createRsaKey("MyRsaKey", { keySize: 2048 });
// Elliptic Curve key
const ecKey = await keyClient.createEcKey("MyEcKey", { curve: "P-256" });
// With attributes
const keyWithAttrs = await keyClient.createKey("MyKey", "RSA", {
enabled: true,
expiresOn: new Date("2025-12-31"),
tags: { purpose: "encryption" },
keyOps: ["encrypt", "decrypt", "sign", "verify"]
});
```
### Get Key
```typescript
const key = await keyClient.getKey("MyKey");
console.log(key.name, key.keyType);
```
### List Keys
```typescript
for await (const keyProperties of keyClient.listPropertiesOfKeys()) {
console.log(keyProperties.name);
}
```
### Rotate Key
```typescript
// Manual rotation
const rotatedKey = await keyClient.rotateKey("MyKey");
// Set rotation policy
await keyClient.updateKeyRotationPolicy("MyKey", {
lifetimeActions: [{ action: "Rotate", timeBeforeExpiry: "P30D" }],
expiresIn: "P90D"
});
```
### Delete Key
```typescript
const deletePoller = await keyClient.beginDeleteKey("MyKey");
await deletePoller.pollUntilDone();
// Purge
await keyClient.purgeDeletedKey("MyKey");
```
## Cryptographic Operations
### Create CryptographyClient
```typescript
import { CryptographyClient } from "@azure/keyvault-keys";
// From key object
const cryptoClient = new CryptographyClient(key, credential);
// From key ID
const cryptoClient = new CryptographyClient(key.id!, credential);
```
### Encrypt/Decrypt
```typescript
// Encrypt
const encryptResult = await cryptoClient.encrypt({
algorithm: "RSA-OAEP",
plaintext: Buffer.from("My secret message")
});
// Decrypt
const decryptResult = await cryptoClient.decrypt({
algorithm: "RSA-OAEP",
ciphertext: encryptResult.result
});
console.log(decryptResult.result.toString());
```
### Sign/Verify
```typescript
import { createHash } from "node:crypto";
// Create digest
const hash = createHash("sha256").update("My message").digest();
// Sign
const signResult = await cryptoClient.sign("RS256", hash);
// Verify
const verifyResult = await cryptoClient.verify("RS256", hash, signResult.result);
console.log("Valid:", verifyResult.result);
```
### Wrap/Unwrap Keys
```typescript
// Wrap a key (encrypt it for storage)
const wrapResult = await cryptoClient.wrapKey("RSA-OAEP", Buffer.from("key-material"));
// Unwrap
const unwrapResult = await cryptoClient.unwrapKey("RSA-OAEP", wrapResult.result);
```
## Backup and Restore
```typescript
// Backup
const keyBackup = await keyClient.backupKey("MyKey");
const secretBackup = await secretClient.backupSecret("MySecret");
// Restore (can restore to different vault)
const restoredKey = await keyClient.restoreKeyBackup(keyBackup!);
const restoredSecret = await secretClient.restoreSecretBackup(secretBackup!);
```
## Key Types
```typescript
import {
KeyClient,
KeyVaultKey,
KeyProperties,
DeletedKey,
CryptographyClient,
KnownEncryptionAlgorithms,
KnownSignatureAlgorithms
} from "@azure/keyvault-keys";
import {
SecretClient,
KeyVaultSecret,
SecretProperties,
DeletedSecret
} from "@azure/keyvault-secrets";
```
## Error Handling
```typescript
try {
const secret = await secretClient.getSecret("NonExistent");
} catch (error: any) {
if (error.code === "SecretNotFound") {
console.log("Secret does not exist");
} else {
throw error;
}
}
```
## Best Practices
1. **Use DefaultAzureCredential** - Works across dev and production
2. **Enable soft-delete** - Required for production vaults
3. **Set expiration dates** - On both keys and secrets
4. **Use key rotation policies** - Automate key rotation
5. **Limit key operations** - Only grant needed operations (encrypt, sign, etc.)
6. **Browser not supported** - These SDKs are Node.js onlyRelated Skills
vault-secrets-integrator
Vault Secrets Integrator - Auto-activating skill for DevOps Advanced. Triggers on: vault secrets integrator, vault secrets integrator Part of the DevOps Advanced skill category.
integrating-secrets-managers
This skill enables Claude to seamlessly integrate with various secrets managers like HashiCorp Vault and AWS Secrets Manager. It generates configurations and setup code, ensuring best practices for secure credential management. Use this skill when you need to manage sensitive information, generate production-ready configurations, or implement a security-first approach for your DevOps infrastructure. Trigger terms include "integrate secrets manager", "configure Vault", "AWS Secrets Manager setup", "manage credentials securely", or requests for secure configuration generation.
kubernetes-secrets-manager
Kubernetes Secrets Manager - Auto-activating skill for DevOps Advanced. Triggers on: kubernetes secrets manager, kubernetes secrets manager Part of the DevOps Advanced skill category.
azure-ml-deployer
Azure Ml Deployer - Auto-activating skill for ML Deployment. Triggers on: azure ml deployer, azure ml deployer Part of the ML Deployment skill category.
secrets-manager
AWS Secrets Manager for secure secret storage and rotation. Use when storing credentials, configuring automatic rotation, managing secret versions, retrieving secrets in applications, or integrating with RDS.
azure-verified-modules
Azure Verified Modules (AVM) requirements and best practices for developing certified Azure Terraform modules. Use when creating or reviewing Azure modules that need AVM certification.
azure-image-builder
Build Azure managed images and Azure Compute Gallery images with Packer. Use when creating custom images for Azure VMs.
terraform-azurerm-set-diff-analyzer
Analyze Terraform plan JSON output for AzureRM Provider to distinguish between false-positive diffs (order-only changes in Set-type attributes) and actual resource changes. Use when reviewing terraform plan output for Azure resources like Application Gateway, Load Balancer, Firewall, Front Door, NSG, and other resources with Set-type attributes that cause spurious diffs due to internal ordering changes.
azure-static-web-apps
Helps create, configure, and deploy Azure Static Web Apps using the SWA CLI. Use when deploying static sites to Azure, setting up SWA local development, configuring staticwebapp.config.json, adding Azure Functions APIs to SWA, or setting up GitHub Actions CI/CD for Static Web Apps.
azure-resource-health-diagnose
Analyze Azure resource health, diagnose issues from logs and telemetry, and create a remediation plan for identified problems.
azure-pricing
Fetches real-time Azure retail pricing using the Azure Retail Prices API (prices.azure.com) and estimates Copilot Studio agent credit consumption. Use when the user asks about the cost of any Azure service, wants to compare SKU prices, needs pricing data for a cost estimate, mentions Azure pricing, Azure costs, Azure billing, or asks about Copilot Studio pricing, Copilot Credits, or agent usage estimation. Covers compute, storage, networking, databases, AI, Copilot Studio, and all other Azure service families.
azure-devops-cli
Manage Azure DevOps resources via CLI including projects, repos, pipelines, builds, pull requests, work items, artifacts, and service endpoints. Use when working with Azure DevOps, az commands, devops automation, CI/CD, or when user mentions Azure DevOps CLI.