How do I install Azure Security Keyvault Secrets Java?

Install Azure Security Keyvault Secrets Java with a single command: npx mdskills install sickn33/azure-security-keyvault-secrets-java. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Azure Security Keyvault Secrets Java?

Azure Security Keyvault Secrets Java works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Azure Security Keyvault Secrets Java

Name: Azure Security Keyvault Secrets Java: AI Agent Skill
Rating: 6 (1 reviews)
Author: sickn33

Intermediate

Azure Key Vault Secrets Java SDK for secret management. Use when storing, retrieving, or managing passwords, API keys, connection strings, or other sensitive configuration data.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/azure-security-keyvault-secrets-java

Fork & Edit

Skill Advisor6.0

Comprehensive Java SDK reference with extensive examples but lacks AI agent workflow instructions

+Provides thorough code examples covering all major operations and patterns
+Includes practical patterns like secret rotation and configuration loading
+Documents error handling, async operations, and best practices clearly
-Missing trigger conditions and step-by-step agent instructions for typical workflows
-Over-scoped permissions: shell execution not needed for SDK operations

SKILL.md

Edit in Browser

1---
2name: azure-security-keyvault-secrets-java
3description: Azure Key Vault Secrets Java SDK for secret management. Use when storing, retrieving, or managing passwords, API keys, connection strings, or other sensitive configuration data.
4package: com.azure:azure-security-keyvault-secrets
5---
6 
7# Azure Key Vault Secrets (Java)
8 
9Securely store and manage secrets like passwords, API keys, and connection strings.
10 
11## Installation
12 
13```xml
14<dependency>
15    <groupId>com.azure</groupId>
16    <artifactId>azure-security-keyvault-secrets</artifactId>
17    <version>4.9.0</version>
18</dependency>
19```
20 
21## Client Creation
22 
23```java
24import com.azure.security.keyvault.secrets.SecretClient;
25import com.azure.security.keyvault.secrets.SecretClientBuilder;
26import com.azure.identity.DefaultAzureCredentialBuilder;
27 
28// Sync client
29SecretClient secretClient = new SecretClientBuilder()
30    .vaultUrl("https://<vault-name>.vault.azure.net")
31    .credential(new DefaultAzureCredentialBuilder().build())
32    .buildClient();
33 
34// Async client
35SecretAsyncClient secretAsyncClient = new SecretClientBuilder()
36    .vaultUrl("https://<vault-name>.vault.azure.net")
37    .credential(new DefaultAzureCredentialBuilder().build())
38    .buildAsyncClient();
39```
40 
41## Create/Set Secret
42 
43```java
44import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
45 
46// Simple secret
47KeyVaultSecret secret = secretClient.setSecret("database-password", "P@ssw0rd123!");
48System.out.println("Secret name: " + secret.getName());
49System.out.println("Secret ID: " + secret.getId());
50 
51// Secret with options
52KeyVaultSecret secretWithOptions = secretClient.setSecret(
53    new KeyVaultSecret("api-key", "sk_live_abc123xyz")
54        .setProperties(new SecretProperties()
55            .setContentType("application/json")
56            .setExpiresOn(OffsetDateTime.now().plusYears(1))
57            .setNotBefore(OffsetDateTime.now())
58            .setEnabled(true)
59            .setTags(Map.of(
60                "environment", "production",
61                "service", "payment-api"
62            ))
63        )
64);
65```
66 
67## Get Secret
68 
69```java
70// Get latest version
71KeyVaultSecret secret = secretClient.getSecret("database-password");
72String value = secret.getValue();
73System.out.println("Secret value: " + value);
74 
75// Get specific version
76KeyVaultSecret specificVersion = secretClient.getSecret("database-password", "<version-id>");
77 
78// Get only properties (no value)
79SecretProperties props = secretClient.getSecret("database-password").getProperties();
80System.out.println("Enabled: " + props.isEnabled());
81System.out.println("Created: " + props.getCreatedOn());
82```
83 
84## Update Secret Properties
85 
86```java
87// Get secret
88KeyVaultSecret secret = secretClient.getSecret("api-key");
89 
90// Update properties (cannot update value - create new version instead)
91secret.getProperties()
92    .setEnabled(false)
93    .setExpiresOn(OffsetDateTime.now().plusMonths(6))
94    .setTags(Map.of("status", "rotating"));
95 
96SecretProperties updated = secretClient.updateSecretProperties(secret.getProperties());
97System.out.println("Updated: " + updated.getUpdatedOn());
98```
99 
100## List Secrets
101 
102```java
103import com.azure.core.util.paging.PagedIterable;
104import com.azure.security.keyvault.secrets.models.SecretProperties;
105 
106// List all secrets (properties only, no values)
107for (SecretProperties secretProps : secretClient.listPropertiesOfSecrets()) {
108    System.out.println("Secret: " + secretProps.getName());
109    System.out.println("  Enabled: " + secretProps.isEnabled());
110    System.out.println("  Created: " + secretProps.getCreatedOn());
111    System.out.println("  Content-Type: " + secretProps.getContentType());
112    
113    // Get value if needed
114    if (secretProps.isEnabled()) {
115        KeyVaultSecret fullSecret = secretClient.getSecret(secretProps.getName());
116        System.out.println("  Value: " + fullSecret.getValue().substring(0, 5) + "...");
117    }
118}
119 
120// List versions of a secret
121for (SecretProperties version : secretClient.listPropertiesOfSecretVersions("database-password")) {
122    System.out.println("Version: " + version.getVersion());
123    System.out.println("Created: " + version.getCreatedOn());
124    System.out.println("Enabled: " + version.isEnabled());
125}
126```
127 
128## Delete Secret
129 
130```java
131import com.azure.core.util.polling.SyncPoller;
132import com.azure.security.keyvault.secrets.models.DeletedSecret;
133 
134// Begin delete (returns poller for soft-delete enabled vaults)
135SyncPoller<DeletedSecret, Void> deletePoller = secretClient.beginDeleteSecret("old-secret");
136 
137// Wait for deletion
138DeletedSecret deletedSecret = deletePoller.poll().getValue();
139System.out.println("Deleted on: " + deletedSecret.getDeletedOn());
140System.out.println("Scheduled purge: " + deletedSecret.getScheduledPurgeDate());
141 
142deletePoller.waitForCompletion();
143```
144 
145## Recover Deleted Secret
146 
147```java
148// List deleted secrets
149for (DeletedSecret deleted : secretClient.listDeletedSecrets()) {
150    System.out.println("Deleted: " + deleted.getName());
151    System.out.println("Deletion date: " + deleted.getDeletedOn());
152}
153 
154// Recover deleted secret
155SyncPoller<KeyVaultSecret, Void> recoverPoller = secretClient.beginRecoverDeletedSecret("old-secret");
156recoverPoller.waitForCompletion();
157 
158KeyVaultSecret recovered = recoverPoller.getFinalResult();
159System.out.println("Recovered: " + recovered.getName());
160```
161 
162## Purge Deleted Secret
163 
164```java
165// Permanently delete (cannot be recovered)
166secretClient.purgeDeletedSecret("old-secret");
167 
168// Get deleted secret info first
169DeletedSecret deleted = secretClient.getDeletedSecret("old-secret");
170System.out.println("Will purge: " + deleted.getName());
171secretClient.purgeDeletedSecret("old-secret");
172```
173 
174## Backup and Restore
175 
176```java
177// Backup secret (all versions)
178byte[] backup = secretClient.backupSecret("important-secret");
179 
180// Save to file
181Files.write(Paths.get("secret-backup.blob"), backup);
182 
183// Restore from backup
184byte[] backupData = Files.readAllBytes(Paths.get("secret-backup.blob"));
185KeyVaultSecret restored = secretClient.restoreSecretBackup(backupData);
186System.out.println("Restored: " + restored.getName());
187```
188 
189## Async Operations
190 
191```java
192SecretAsyncClient asyncClient = new SecretClientBuilder()
193    .vaultUrl("https://<vault>.vault.azure.net")
194    .credential(new DefaultAzureCredentialBuilder().build())
195    .buildAsyncClient();
196 
197// Set secret async
198asyncClient.setSecret("async-secret", "async-value")
199    .subscribe(
200        secret -> System.out.println("Created: " + secret.getName()),
201        error -> System.out.println("Error: " + error.getMessage())
202    );
203 
204// Get secret async
205asyncClient.getSecret("async-secret")
206    .subscribe(secret -> System.out.println("Value: " + secret.getValue()));
207 
208// List secrets async
209asyncClient.listPropertiesOfSecrets()
210    .doOnNext(props -> System.out.println("Found: " + props.getName()))
211    .subscribe();
212```
213 
214## Configuration Patterns
215 
216### Load Multiple Secrets
217 
218```java
219public class ConfigLoader {
220    private final SecretClient client;
221    
222    public ConfigLoader(String vaultUrl) {
223        this.client = new SecretClientBuilder()
224            .vaultUrl(vaultUrl)
225            .credential(new DefaultAzureCredentialBuilder().build())
226            .buildClient();
227    }
228    
229    public Map<String, String> loadSecrets(List<String> secretNames) {
230        Map<String, String> secrets = new HashMap<>();
231        for (String name : secretNames) {
232            try {
233                KeyVaultSecret secret = client.getSecret(name);
234                secrets.put(name, secret.getValue());
235            } catch (ResourceNotFoundException e) {
236                System.out.println("Secret not found: " + name);
237            }
238        }
239        return secrets;
240    }
241}
242 
243// Usage
244ConfigLoader loader = new ConfigLoader("https://my-vault.vault.azure.net");
245Map<String, String> config = loader.loadSecrets(
246    Arrays.asList("db-connection-string", "api-key", "jwt-secret")
247);
248```
249 
250### Secret Rotation Pattern
251 
252```java
253public void rotateSecret(String secretName, String newValue) {
254    // Get current secret
255    KeyVaultSecret current = secretClient.getSecret(secretName);
256    
257    // Disable old version
258    current.getProperties().setEnabled(false);
259    secretClient.updateSecretProperties(current.getProperties());
260    
261    // Create new version with new value
262    KeyVaultSecret newSecret = secretClient.setSecret(secretName, newValue);
263    System.out.println("Rotated to version: " + newSecret.getProperties().getVersion());
264}
265```
266 
267## Error Handling
268 
269```java
270import com.azure.core.exception.HttpResponseException;
271import com.azure.core.exception.ResourceNotFoundException;
272 
273try {
274    KeyVaultSecret secret = secretClient.getSecret("my-secret");
275    System.out.println("Value: " + secret.getValue());
276} catch (ResourceNotFoundException e) {
277    System.out.println("Secret not found");
278} catch (HttpResponseException e) {
279    int status = e.getResponse().getStatusCode();
280    if (status == 403) {
281        System.out.println("Access denied - check permissions");
282    } else if (status == 429) {
283        System.out.println("Rate limited - retry later");
284    } else {
285        System.out.println("HTTP error: " + status);
286    }
287}
288```
289 
290## Secret Properties
291 
292| Property | Description |
293|----------|-------------|
294| `name` | Secret name |
295| `value` | Secret value (string) |
296| `id` | Full identifier URL |
297| `contentType` | MIME type hint |
298| `enabled` | Whether secret can be retrieved |
299| `notBefore` | Activation time |
300| `expiresOn` | Expiration time |
301| `createdOn` | Creation timestamp |
302| `updatedOn` | Last update timestamp |
303| `recoveryLevel` | Soft-delete recovery level |
304| `tags` | User-defined metadata |
305 
306## Environment Variables
307 
308```bash
309AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net
310```
311 
312## Best Practices
313 
3141. **Enable Soft Delete** - Protects against accidental deletion
3152. **Use Tags** - Tag secrets with environment, service, owner
3163. **Set Expiration** - Use `setExpiresOn()` for credentials that should rotate
3174. **Content Type** - Set `contentType` to indicate format (e.g., `application/json`)
3185. **Version Management** - Don't delete old versions immediately during rotation
3196. **Access Logging** - Enable diagnostic logging on Key Vault
3207. **Least Privilege** - Use separate vaults for different environments
321 
322## Common Secret Types
323 
324```java
325// Database connection string
326secretClient.setSecret(new KeyVaultSecret("db-connection", 
327    "Server=myserver.database.windows.net;Database=mydb;...")
328    .setProperties(new SecretProperties()
329        .setContentType("text/plain")
330        .setTags(Map.of("type", "connection-string"))));
331 
332// API key
333secretClient.setSecret(new KeyVaultSecret("stripe-api-key", "sk_live_...")
334    .setProperties(new SecretProperties()
335        .setContentType("text/plain")
336        .setExpiresOn(OffsetDateTime.now().plusYears(1))));
337 
338// JSON configuration
339secretClient.setSecret(new KeyVaultSecret("app-config", 
340    "{\"endpoint\":\"https://...\",\"key\":\"...\"}")
341    .setProperties(new SecretProperties()
342        .setContentType("application/json")));
343 
344// Certificate password
345secretClient.setSecret(new KeyVaultSecret("cert-password", "CertP@ss!")
346    .setProperties(new SecretProperties()
347        .setContentType("text/plain")
348        .setTags(Map.of("certificate", "my-cert"))));
349```
350 
351## Trigger Phrases
352 
353- "Key Vault secrets Java", "secret management Java"
354- "store password", "store API key", "connection string"
355- "retrieve secret", "rotate secret"
356- "Azure secrets", "vault secrets"
357

Full transparency — inspect the skill content before installing.