// Local aliases for the Object built-ins that the CommonJS interop helpers in
// this file call; the aliases are captured once, when the module is loaded.
var {
  defineProperty: __defProp,
  getOwnPropertyDescriptor: __getOwnPropDesc,
  getOwnPropertyNames: __getOwnPropNames
} = Object;
var { hasOwnProperty: __hasOwnProp } = Object.prototype;
/**
 * Defines one enumerable getter on `target` for every enumerable key of `all`.
 * Each value in `all` is used as the getter itself, so an export is resolved
 * when it is read, not when it is registered.
 */
var __export = (target, all) => {
  for (const exportName in all) {
    const descriptor = { get: all[exportName], enumerable: true };
    __defProp(target, exportName, descriptor);
  }
};
/**
 * Re-exposes the own properties of `from` on `to` as forwarding getters.
 *
 * Keys that `to` already owns, and the key equal to `except`, are skipped.
 * Each getter reads `from[key]` on access, so later changes to `from` are
 * visible through `to`. A copied property is enumerable when the source
 * descriptor is enumerable, or when no descriptor could be read.
 * `desc` is a scratch slot in the parameter list; callers do not pass it.
 * Returns `to`.
 */
var __copyProps = (to, from, except, desc) => {
  const isCopyable = (from && typeof from === "object") || typeof from === "function";
  if (!isCopyable) {
    return to;
  }
  for (const key of __getOwnPropNames(from)) {
    if (__hasOwnProp.call(to, key) || key === except) {
      continue;
    }
    desc = __getOwnPropDesc(from, key);
    const enumerable = !desc || desc.enumerable;
    __defProp(to, key, { get: () => from[key], enumerable });
  }
  return to;
};
/**
 * Builds the CommonJS export object for `mod`: a fresh object carrying a
 * non-enumerable `__esModule: true` marker, with every own property of `mod`
 * forwarded onto it by `__copyProps`.
 */
var __toCommonJS = (mod) => {
  const flagged = __defProp({}, "__esModule", { value: true });
  return __copyProps(flagged, mod);
};
// Public surface of the package. Every entry is a getter, so the names that are
// defined further down the file (SecretClient and the required modules) are only
// looked up when a consumer reads the export.
var src_exports = {};
var exportGetters = {
  KnownContentType: () => import_models.KnownContentType,
  KnownDeletionRecoveryLevel: () => import_models.KnownDeletionRecoveryLevel,
  SecretClient: () => SecretClient,
  logger: () => import_logger.logger,
  parseKeyVaultSecretIdentifier: () => import_identifier.parseKeyVaultSecretIdentifier
};
__export(src_exports, exportGetters);
module.exports = __toCommonJS(src_exports);
var import_logger = require("./logger.js");
var import_keyVaultClient = require("./keyVaultClient.js");
var import_keyvault_common = require("@azure/keyvault-common");
var import_secretsModels = require("./secretsModels.js");
var import_models = require("./models/models.js");
var import_identifier = require("./identifier.js");
var import_transformations = require("./transformations.js");
var import_tracing = require("./tracing.js");
var import_core_rest_pipeline = require("@azure/core-rest-pipeline");
var import_constants = require("./constants.js");
var import_poller = require("./lro/delete/poller.js");
var import_poller2 = require("./lro/recover/poller.js");
class SecretClient {
  /**
   * The base URL to the vault, stored exactly as it was passed to the constructor.
   */
  vaultUrl;
  /**
   * A reference to the auto-generated KeyVault HTTP client that every method delegates to.
   */
  client;
  /**
   * Creates an instance of SecretClient.
   *
   * Example usage (the later examples on this class reuse `client` from here):
   * ```ts
   * import { DefaultAzureCredential } from "@azure/identity";
   * import { SecretClient } from "@azure/keyvault-secrets";
   *
   * const credential = new DefaultAzureCredential();
   *
   * // Build the URL to reach your key vault
   * const vaultName = "<YOUR KEYVAULT NAME>";
   * const url = `https://${vaultName}.vault.azure.net`;
   *
   * // Lastly, create our secrets client and connect to the service
   * const client = new SecretClient(url, credential);
   * ```
   *
   * What the constructor does with its arguments:
   * - `vaultUrl` is stored and handed to the generated client unchanged; nothing here
   *   validates it, so the caller has to.
   * - `userAgentOptions` and `loggingOptions` are set after `pipelineOptions` is spread,
   *   so caller-supplied values for those two keys are replaced rather than merged. Only
   *   the caller's `userAgentPrefix` is carried over, as the start of the new prefix.
   * - The log allow-list is extended with three `x-ms-keyvault-*` header names only.
   * - The default bearer-token policy is removed and the Key Vault authentication policy
   *   from `@azure/keyvault-common` is installed in its place.
   * - A `ContentTypePolicy` rewrites any request `Content-Type` that starts with
   *   `application/json` to exactly `application/json`.
   *
   * @param vaultUrl - The base URL to the vault. You should validate that this URL references a valid Key Vault resource. See https://aka.ms/azsdk/blog/vault-uri for details.
   * @param credential - An object that implements the `TokenCredential` interface used to authenticate requests to the service. Use the \@azure/identity package to create a credential that suits your needs.
   * @param pipelineOptions - Pipeline options used to configure Key Vault API requests.
   *                          Omit this parameter to use the default pipeline configuration.
   */
  constructor(vaultUrl, credential, pipelineOptions = {}) {
    this.vaultUrl = vaultUrl;
    const callerPrefix = pipelineOptions.userAgentOptions?.userAgentPrefix ?? "";
    const internalPipelineOptions = {
      ...pipelineOptions,
      userAgentOptions: {
        userAgentPrefix: `${callerPrefix} azsdk-js-keyvault-secrets/${import_constants.SDK_VERSION}`
      },
      apiVersion: pipelineOptions.serviceVersion || import_secretsModels.LATEST_API_VERSION,
      loggingOptions: {
        logger: import_logger.logger.info,
        additionalAllowedHeaderNames: [
          "x-ms-keyvault-region",
          "x-ms-keyvault-network-info",
          "x-ms-keyvault-service-version"
        ]
      }
    };
    this.client = new import_keyVaultClient.KeyVaultClient(
      this.vaultUrl,
      credential,
      internalPipelineOptions
    );

    // Swap the generic bearer-token policy for the Key Vault specific one.
    const { pipeline } = this.client;
    const { keyVaultAuthenticationPolicy } = import_keyvault_common;
    pipeline.removePolicy({ name: import_core_rest_pipeline.bearerTokenAuthenticationPolicyName });
    pipeline.addPolicy(keyVaultAuthenticationPolicy(credential, pipelineOptions), {});

    // Normalise JSON requests to a bare "application/json" media type.
    const contentTypePolicy = {
      name: "ContentTypePolicy",
      sendRequest(request, next) {
        const declaredType = request.headers.get("Content-Type") ?? "";
        const isJson = declaredType.startsWith("application/json");
        if (isJson) {
          request.headers.set("Content-Type", "application/json");
        }
        return next(request);
      }
    };
    pipeline.addPolicy(contentTypePolicy);
  }
  /**
   * Adds a secret or secret version to the Azure Key Vault. If the named secret
   * already exists, Azure Key Vault creates a new version of that secret.
   * This operation requires the secrets/set permission.
   *
   * Example usage:
   * ```ts
   * const secretName = "MySecretName";
   *
   * const result = await client.setSecret(secretName, "MySecretValue");
   * // Log metadata, not the whole result: the result describes the stored secret.
   * console.log("version: ", result.properties.version);
   * ```
   *
   * `contentType`, `enabled`, `notBefore`, `expiresOn` and `tags` are taken out of
   * `options` and sent as part of the secret; the remaining options go to the
   * tracing span and the request.
   *
   * @param secretName - The name of the secret.
   * @param value - The value of the secret.
   * @param options - The optional parameters.
   */
  setSecret(secretName, value, options = {}) {
    const { contentType, enabled, notBefore, expiresOn, tags, ...operationOptions } = options;
    const parameters = {
      value,
      contentType,
      secretAttributes: { enabled, notBefore, expires: expiresOn },
      tags
    };
    const sendRequest = async (updatedOptions) => {
      const bundle = await this.client.setSecret(secretName, parameters, updatedOptions);
      const { getSecretFromSecretBundle } = import_transformations;
      return getSecretFromSecretBundle(bundle);
    };
    return import_tracing.tracingClient.withSpan(
      "SecretClient.setSecret",
      operationOptions,
      sendRequest
    );
  }
  /**
   * Deletes a secret stored in Azure Key Vault.
   * This function returns a Long Running Operation poller that allows you to wait indefinitely until the secret is deleted.
   * The poller has already been polled once when it is returned.
   *
   * This operation requires the secrets/delete permission.
   *
   * Example usage:
   * ```ts
   * const secretName = "MySecretName";
   *
   * await client.beginDeleteSecret(secretName);
   * ```
   *
   * @param name - The name of the secret.
   * @param options - The optional parameters.
   */
  async beginDeleteSecret(name, options = {}) {
    // `options` is spread after `name` and `client`, so the key order here matters:
    // same-named keys in `options` would take precedence over them.
    const pollerOptions = {
      name,
      client: this.client,
      ...options,
      operationOptions: options
    };
    const deletePoller = new import_poller.DeleteSecretPoller(pollerOptions);
    await deletePoller.poll();
    return deletePoller;
  }
  /**
   * Changes specified attributes of an existing stored secret. Properties that
   * are not specified in the request are left unchanged. The value of a secret itself cannot be
   * changed. This operation requires the secrets/set permission.
   *
   * Example usage:
   * ```ts
   * const secretName = "MySecretName";
   *
   * const result = await client.getSecret(secretName);
   * await client.updateSecretProperties(secretName, result.properties.version, { enabled: false });
   * ```
   *
   * Resolves to the `properties` of the updated secret.
   *
   * @param secretName - The name of the secret.
   * @param secretVersion - The version of the secret.
   * @param options - The optional parameters.
   */
  async updateSecretProperties(secretName, secretVersion, options = {}) {
    const { contentType, enabled, notBefore, expiresOn, tags, ...operationOptions } = options;
    const parameters = {
      contentType,
      secretAttributes: { enabled, notBefore, expires: expiresOn },
      tags
    };
    const sendRequest = async (updatedOptions) => {
      const bundle = await this.client.updateSecret(
        secretName,
        secretVersion,
        parameters,
        updatedOptions
      );
      const { getSecretFromSecretBundle } = import_transformations;
      return getSecretFromSecretBundle(bundle).properties;
    };
    return import_tracing.tracingClient.withSpan(
      "SecretClient.updateSecretProperties",
      operationOptions,
      sendRequest
    );
  }
  /**
   * Gets a specified secret from a given key vault. Applicable to any secret stored in
   * Azure Key Vault. This operation requires the secrets/get permission.
   *
   * Example usage:
   * ```ts
   * const secretName = "MySecretName";
   *
   * const latestSecret = await client.getSecret(secretName);
   * // The resolved object is what carries the secret (the list methods return
   * // properties only), so log its metadata rather than the object itself.
   * console.log(`Latest version of the secret ${secretName}: `, latestSecret.properties.version);
   *
   * const specificSecret = await client.getSecret(secretName, {
   *   version: latestSecret.properties.version!,
   * });
   * ```
   *
   * When `options.version` is missing or empty, an empty version string is sent.
   *
   * @param secretName - The name of the secret.
   * @param options - The optional parameters.
   */
  getSecret(secretName, options = {}) {
    const sendRequest = async (updatedOptions) => {
      const requestedVersion = options?.version || "";
      const bundle = await this.client.getSecret(secretName, requestedVersion, updatedOptions);
      const { getSecretFromSecretBundle } = import_transformations;
      return getSecretFromSecretBundle(bundle);
    };
    return import_tracing.tracingClient.withSpan("SecretClient.getSecret", options, sendRequest);
  }
  /**
   * Returns the specified deleted secret along with its attributes.
   * This operation requires the secrets/get permission.
   *
   * Example usage:
   * ```ts
   * const result = await client.getDeletedSecret("MyDeletedSecret");
   * ```
   *
   * @param secretName - The name of the secret.
   * @param options - The optional parameters.
   */
  getDeletedSecret(secretName, options = {}) {
    const sendRequest = async (updatedOptions) => {
      const bundle = await this.client.getDeletedSecret(secretName, updatedOptions);
      const { getSecretFromSecretBundle } = import_transformations;
      return getSecretFromSecretBundle(bundle);
    };
    return import_tracing.tracingClient.withSpan(
      "SecretClient.getDeletedSecret",
      options,
      sendRequest
    );
  }
  /**
   * Permanently deletes the specified secret, without the possibility of
   * recovery. This operation can only be enabled on a soft-delete enabled vault. This operation
   * requires the secrets/purge permission.
   *
   * Example usage:
   * ```ts
   * const secretName = "MySecretName";
   *
   * const deletePoller = await client.beginDeleteSecret(secretName);
   * await deletePoller.pollUntilDone();
   *
   * await client.purgeDeletedSecret(secretName);
   * ```
   *
   * Resolves with no value.
   *
   * @param secretName - The name of the secret.
   * @param options - The optional parameters.
   */
  purgeDeletedSecret(secretName, options = {}) {
    const sendRequest = async (updatedOptions) => {
      await this.client.purgeDeletedSecret(secretName, updatedOptions);
    };
    return import_tracing.tracingClient.withSpan(
      "SecretClient.purgeDeletedSecret",
      options,
      sendRequest
    );
  }
  /**
   * Recovers the deleted secret in the specified vault to the latest version.
   * This function returns a Long Running Operation poller that allows you to wait indefinitely until the secret is recovered.
   * The poller has already been polled once when it is returned.
   *
   * This operation requires the secrets/recover permission.
   *
   * Example usage:
   * ```ts
   * const secretName = "MySecretName";
   *
   * const deletePoller = await client.beginDeleteSecret(secretName);
   * await deletePoller.pollUntilDone();
   *
   * const recoverPoller = await client.beginRecoverDeletedSecret(secretName);
   * const deletedSecret = await recoverPoller.pollUntilDone();
   * console.log(deletedSecret);
   * ```
   *
   * @param name - The name of the deleted secret.
   * @param options - The optional parameters.
   */
  async beginRecoverDeletedSecret(name, options = {}) {
    // `options` is spread after `name` and `client`, so the key order here matters:
    // same-named keys in `options` would take precedence over them.
    const pollerOptions = {
      name,
      client: this.client,
      ...options,
      operationOptions: options
    };
    const recoverPoller = new import_poller2.RecoverDeletedSecretPoller(pollerOptions);
    await recoverPoller.poll();
    return recoverPoller;
  }
  /**
   * Requests that a backup of the specified secret be downloaded to the client. All versions of the
   * secret will be downloaded. This operation requires the secrets/backup permission.
   *
   * Example usage:
   * ```ts
   * const secretName = "MySecretName";
   *
   * const backupResult = await client.backupSecret(secretName);
   * ```
   *
   * Resolves to the `value` field of the service response. Because the backup covers every
   * version of the secret, store and transmit the result as sensitive data.
   *
   * @param secretName - The name of the secret.
   * @param options - The optional parameters.
   */
  backupSecret(secretName, options = {}) {
    const sendRequest = async (updatedOptions) => {
      const { value: backupBlob } = await this.client.backupSecret(secretName, updatedOptions);
      return backupBlob;
    };
    return import_tracing.tracingClient.withSpan("SecretClient.backupSecret", options, sendRequest);
  }
  /**
   * Restores a backed up secret, and all its versions, to a vault. This operation requires the
   * secrets/restore permission.
   *
   * Example usage:
   * ```ts
   * const secretName = "MySecretName";
   *
   * const backupResult = await client.backupSecret(secretName);
   *
   * await client.restoreSecretBackup(backupResult);
   * ```
   *
   * Resolves to the `properties` of the restored secret.
   *
   * @param secretBundleBackup - The backup blob associated with a secret bundle.
   * @param options - The optional parameters.
   */
  restoreSecretBackup(secretBundleBackup, options = {}) {
    const sendRequest = async (updatedOptions) => {
      const bundle = await this.client.restoreSecret({ secretBundleBackup }, updatedOptions);
      const { getSecretFromSecretBundle } = import_transformations;
      return getSecretFromSecretBundle(bundle).properties;
    };
    return import_tracing.tracingClient.withSpan(
      "SecretClient.restoreSecretBackup",
      options,
      sendRequest
    );
  }
  /**
   * Iterates all versions of the given secret in the vault. The full secret identifier and attributes are provided
   * in the response. No values are returned for the secrets. This operation requires the secrets/list permission.
   *
   * Example usage:
   * ```ts
   * const secretName = "MySecretName";
   *
   * for await (const versionProperties of client.listPropertiesOfSecretVersions(secretName)) {
   *   console.log("Version properties: ", versionProperties);
   * }
   * ```
   *
   * @param secretName - Name of the secret to fetch versions for.
   * @param options - The optional parameters.
   */
  listPropertiesOfSecretVersions(secretName, options = {}) {
    const { mapPagedAsyncIterable, getSecretFromSecretBundle } = import_transformations;
    const fetchVersions = (updatedOptions) =>
      this.client.getSecretVersions(secretName, updatedOptions);
    const toProperties = (item) => getSecretFromSecretBundle(item).properties;
    return mapPagedAsyncIterable(fetchVersions, options, toProperties);
  }
  /**
   * Iterates the latest version of all secrets in the vault. The full secret identifier and attributes are provided
   * in the response. No values are returned for the secrets. This operation requires the secrets/list permission.
   *
   * Example usage:
   * ```ts
   * for await (const secretProperties of client.listPropertiesOfSecrets()) {
   *   console.log("Secret properties: ", secretProperties);
   * }
   * ```
   *
   * @param options - The optional parameters.
   */
  listPropertiesOfSecrets(options = {}) {
    const { mapPagedAsyncIterable, getSecretFromSecretBundle } = import_transformations;
    const fetchSecrets = this.client.getSecrets.bind(this.client);
    const toProperties = (item) => getSecretFromSecretBundle(item).properties;
    return mapPagedAsyncIterable(fetchSecrets, options, toProperties);
  }
  /**
   * Iterates the deleted secrets in the vault. The full secret identifier and attributes are provided
   * in the response. No values are returned for the secrets. This operation requires the secrets/list permission.
   *
   * Example usage:
   * ```ts
   * for await (const deletedSecret of client.listDeletedSecrets()) {
   *   console.log("Deleted secret: ", deletedSecret);
   * }
   * ```
   *
   * Unlike the other two list methods, each item is passed through the bundle
   * transformation as a whole instead of being reduced to its `properties`.
   *
   * @param options - The optional parameters.
   */
  listDeletedSecrets(options = {}) {
    const { mapPagedAsyncIterable } = import_transformations;
    const fetchDeleted = this.client.getDeletedSecrets.bind(this.client);
    return mapPagedAsyncIterable(
      fetchDeleted,
      options,
      import_transformations.getSecretFromSecretBundle
    );
  }
}
// Annotate the CommonJS export names for ESM import in node:
// The `0 &&` guard short-circuits, so the assignment below is never evaluated and
// the bare identifiers inside it are never resolved at runtime. The statement only
// spells out the export names in source form; the real exports are the getters
// assigned to module.exports earlier in the file. Keep this list in step with them.
0 && (module.exports = {
KnownContentType,
KnownDeletionRecoveryLevel,
SecretClient,
logger,
parseKeyVaultSecretIdentifier
});
//# sourceMappingURL=index.js.map