Categorygithub.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys
modulepackage
1.3.1
Repository: https://github.com/azure/azure-sdk-for-go.git
Documentation: pkg.go.dev
Overview
Versions
2
Dependencies
13
Dependents
38
Files
3k SLOC

# README

Azure Key Vault Keys client module for Go

  • Cryptographic key management (this module) - create, store, and control access to the keys used to encrypt your data
  • Managed HSM administration (azadmin) - role-based access control (RBAC), settings, and vault-level backup and restore options
  • Certificate management (azcertificates) - create, manage, and deploy public and private SSL/TLS certificates
  • Secrets management (azsecrets) - securely store and control access to tokens, passwords, certificates, API keys, and other secrets

Source code | Package (pkg.go.dev) | Product documentation | Samples

Getting started

Install packages

Install azkeys and azidentity with go get:

go get github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys
go get github.com/Azure/azure-sdk-for-go/sdk/azidentity

azidentity is used for Azure Active Directory authentication as demonstrated below.

Prerequisites

  • An Azure subscription
  • A supported Go version (the Azure SDK supports the two most recent Go releases)
  • A key vault. If you need to create one, see the Key Vault documentation for instructions on doing so in the Azure Portal or with the Azure CLI.

Authentication

This document demonstrates using azidentity.NewDefaultAzureCredential to authenticate. This credential type works in both local development and production environments. We recommend using a managed identity in production.

Client accepts any azidentity credential. See the azidentity documentation for more information about other credential types.

Create a client

Constructing the client requires your vault's URL, which you can get from the Azure CLI or the Azure Portal.

import (
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys"
)

func main() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		// TODO: handle error
	}

	client, err := azkeys.NewClient("https://<TODO: your vault name>.vault.azure.net", cred, nil)
	if err != nil {
		// TODO: handle error
	}
}

Key concepts

Keys

Azure Key Vault can create and store RSA and elliptic curve keys. Both can optionally be protected by hardware security modules (HSMs). Azure Key Vault can also perform cryptographic operations with them. For more information about keys and supported operations and algorithms, see the Key Vault documentation.

Client can create keys in the vault, get existing keys from the vault, update key metadata, and delete keys, as shown in the examples below.

Examples

Get started with our examples.

Troubleshooting

Error Handling

All methods which send HTTP requests return *azcore.ResponseError when these requests fail. ResponseError has error details and the raw response from Key Vault.

import "github.com/Azure/azure-sdk-for-go/sdk/azcore"

resp, err := client.GetKey(context.Background(), "keyName", nil)
if err != nil {
    var httpErr *azcore.ResponseError
    if errors.As(err, &httpErr) {
        // TODO: investigate httpErr
    } else {
        // TODO: not an HTTP error
    }
}

Logging

This module uses the logging implementation in azcore. To turn on logging for all Azure SDK modules, set AZURE_SDK_GO_LOGGING to all. By default the logger writes to stderr. Use the azcore/log package to control log output. For example, logging only HTTP request and response events, and printing them to stdout:

import azlog "github.com/Azure/azure-sdk-for-go/sdk/azcore/log"

// Print log events to stdout
azlog.SetListener(func(cls azlog.Event, msg string) {
	fmt.Println(msg)
})

// Includes only requests and responses in logs
azlog.SetEvents(azlog.EventRequest, azlog.EventResponse)

Accessing http.Response

You can access the raw *http.Response returned by Key Vault using the runtime.WithCaptureResponse method and a context passed to any client method.

import "github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"

var response *http.Response
ctx := runtime.WithCaptureResponse(context.TODO(), &response)
_, err = client.GetKey(ctx, "keyName", nil)
if err != nil {
    // TODO: handle error
}
// TODO: do something with response

Additional Documentation

For more extensive documentation on Azure Key Vault, see the API reference documentation.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

# Functions

NewClient creates a client that accesses a Key Vault's keys.
PossibleCurveNameValues returns the possible values for the CurveName const type.
PossibleEncryptionAlgorithmValues returns the possible values for the EncryptionAlgorithm const type.
PossibleKeyEncryptionAlgorithmValues returns the possible values for the KeyEncryptionAlgorithm const type.
PossibleKeyOperationValues returns the possible values for the KeyOperation const type.
PossibleKeyRotationPolicyActionValues returns the possible values for the KeyRotationPolicyAction const type.
PossibleKeyTypeValues returns the possible values for the KeyType const type.
PossibleSignatureAlgorithmValues returns the possible values for the SignatureAlgorithm const type.

# Constants

CurveNameP256 - The NIST P-256 elliptic curve, AKA SECG curve SECP256R1.
CurveNameP256K - The SECG SECP256K1 elliptic curve.
CurveNameP384 - The NIST P-384 elliptic curve, AKA SECG curve SECP384R1.
CurveNameP521 - The NIST P-521 elliptic curve, AKA SECG curve SECP521R1.
EncryptionAlgorithmA128CBC - 128-bit AES-CBC.
EncryptionAlgorithmA128CBCPAD - 128-bit AES-CBC with PKCS padding.
EncryptionAlgorithmA128GCM - 128-bit AES-GCM.
EncryptionAlgorithmA128KW - 128-bit AES key wrap.
EncryptionAlgorithmA192CBC - 192-bit AES-CBC.
EncryptionAlgorithmA192CBCPAD - 192-bit AES-CBC with PKCS padding.
EncryptionAlgorithmA192GCM - 192-bit AES-GCM.
EncryptionAlgorithmA192KW - 192-bit AES key wrap.
EncryptionAlgorithmA256CBC - 256-bit AES-CBC.
EncryptionAlgorithmA256CBCPAD - 256-bit AES-CBC with PKCS padding.
EncryptionAlgorithmA256GCM - 256-bit AES-GCM.
EncryptionAlgorithmA256KW - 256-bit AES key wrap.
EncryptionAlgorithmRSA15 - RSAES-PKCS1-V1_5 key encryption, as described in https://tools.ietf.org/html/rfc3447.
EncryptionAlgorithmRSAOAEP - RSAES using Optimal Asymmetric Encryption Padding (OAEP), as described in https://tools.ietf.org/html/rfc3447, with the default parameters specified by RFC 3447 in Section A.2.1.
EncryptionAlgorithmRSAOAEP256 - RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask generation function of MGF1 with SHA-256.
KeyEncryptionAlgorithmCKMRSAAESKEYWRAP - The CKM_RSA_AES_KEY_WRAP key wrap mechanism.
KeyEncryptionAlgorithmRSAAESKEYWRAP256 - The RSA_AES_KEY_WRAP_256 key wrap mechanism.
KeyEncryptionAlgorithmRSAAESKEYWRAP384 - The RSA_AES_KEY_WRAP_384 key wrap mechanism.
KeyOperationDecrypt - Indicates that the key can be used to decrypt.
KeyOperationEncrypt - Indicates that the key can be used to encrypt.
KeyOperationImport - Indicates that the key can be imported during creation.
KeyOperationSign - Indicates that the key can be used to sign.
KeyOperationUnwrapKey - Indicates that the key can be used to unwrap another key.
KeyOperationVerify - Indicates that the key can be used to verify.
KeyOperationWrapKey - Indicates that the key can be used to wrap another key.
KeyRotationPolicyActionNotify - Trigger Event Grid events.
KeyRotationPolicyActionRotate - Rotate the key based on the key policy.
KeyTypeEC - Elliptic Curve.
KeyTypeECHSM - Elliptic Curve with a private key which is stored in the HSM.
KeyTypeOct - Octet sequence (used to represent symmetric keys).
KeyTypeOctHSM - Octet sequence (used to represent symmetric keys) which is stored the HSM.
KeyTypeRSA - RSA (https://tools.ietf.org/html/rfc3447).
KeyTypeRSAHSM - RSA with a private key which is stored in the HSM.
SignatureAlgorithmES256 - ECDSA using P-256 and SHA-256, as described in https://tools.ietf.org/html/rfc7518.
SignatureAlgorithmES256K - ECDSA using P-256K and SHA-256, as described in https://tools.ietf.org/html/rfc7518.
SignatureAlgorithmES384 - ECDSA using P-384 and SHA-384, as described in https://tools.ietf.org/html/rfc7518.
SignatureAlgorithmES512 - ECDSA using P-521 and SHA-512, as described in https://tools.ietf.org/html/rfc7518.
SignatureAlgorithmPS256 - RSASSA-PSS using SHA-256 and MGF1 with SHA-256, as described in https://tools.ietf.org/html/rfc7518.
SignatureAlgorithmPS384 - RSASSA-PSS using SHA-384 and MGF1 with SHA-384, as described in https://tools.ietf.org/html/rfc7518.
SignatureAlgorithmPS512 - RSASSA-PSS using SHA-512 and MGF1 with SHA-512, as described in https://tools.ietf.org/html/rfc7518.
SignatureAlgorithmRS256 - RSASSA-PKCS1-v1_5 using SHA-256, as described in https://tools.ietf.org/html/rfc7518.
SignatureAlgorithmRS384 - RSASSA-PKCS1-v1_5 using SHA-384, as described in https://tools.ietf.org/html/rfc7518.
SignatureAlgorithmRS512 - RSASSA-PKCS1-v1_5 using SHA-512, as described in https://tools.ietf.org/html/rfc7518.

# Structs

BackupKeyOptions contains the optional parameters for the Client.BackupKey method.
BackupKeyResponse contains the response from method Client.BackupKey.
BackupKeyResult - The backup key result, containing the backup blob.
Client - The key vault client performs cryptographic key operations and vault operations against the Key Vault service.
ClientOptions contains optional settings for Client.
CreateKeyOptions contains the optional parameters for the Client.CreateKey method.
CreateKeyParameters - The key create parameters.
CreateKeyResponse contains the response from method Client.CreateKey.
DecryptOptions contains the optional parameters for the Client.Decrypt method.
DecryptResponse contains the response from method Client.Decrypt.
DeletedKey - A DeletedKey consisting of a WebKey plus its Attributes and deletion info.
DeletedKeyProperties - The deleted key item containing the deleted key metadata and information about deletion.
DeletedKeyPropertiesListResult - A list of keys that have been deleted in this vault.
DeleteKeyOptions contains the optional parameters for the Client.DeleteKey method.
DeleteKeyResponse contains the response from method Client.DeleteKey.
EncryptOptions contains the optional parameters for the Client.Encrypt method.
EncryptResponse contains the response from method Client.Encrypt.
GetDeletedKeyOptions contains the optional parameters for the Client.GetDeletedKey method.
GetDeletedKeyResponse contains the response from method Client.GetDeletedKey.
GetKeyOptions contains the optional parameters for the Client.GetKey method.
GetKeyResponse contains the response from method Client.GetKey.
GetKeyRotationPolicyOptions contains the optional parameters for the Client.GetKeyRotationPolicy method.
GetKeyRotationPolicyResponse contains the response from method Client.GetKeyRotationPolicy.
GetRandomBytesOptions contains the optional parameters for the Client.GetRandomBytes method.
GetRandomBytesParameters - The get random bytes request object.
GetRandomBytesResponse contains the response from method Client.GetRandomBytes.
ImportKeyOptions contains the optional parameters for the Client.ImportKey method.
ImportKeyParameters - The key import parameters.
ImportKeyResponse contains the response from method Client.ImportKey.
JSONWebKey - As of http://tools.ietf.org/html/draft-ietf-jose-json-web-key-18.
KeyAttributes - The attributes of a key managed by the key vault service.
KeyBundle - A KeyBundle consisting of a WebKey plus its attributes.
KeyOperationParameters - The key operations parameters.
KeyOperationResult - The key operation result.
KeyProperties - The key item containing key metadata.
KeyPropertiesListResult - The key list result.
KeyReleasePolicy - The policy rules under which the key can be exported.
KeyReleaseResult - The release result, containing the released key.
KeyRotationPolicy - Management policy for a key.
KeyRotationPolicyAttributes - The key rotation policy attributes.
KeyVerifyResult - The key verify result.
LifetimeAction - Action and its trigger that will be performed by Key Vault over the lifetime of a key.
LifetimeActionTrigger - A condition to be satisfied for an action to be executed.
LifetimeActionType - The action that will be executed.
ListDeletedKeyPropertiesOptions contains the optional parameters for the Client.NewListDeletedKeyPropertiesPager method.
ListDeletedKeyPropertiesResponse contains the response from method Client.NewListDeletedKeyPropertiesPager.
ListKeyPropertiesOptions contains the optional parameters for the Client.NewListKeyPropertiesPager method.
ListKeyPropertiesResponse contains the response from method Client.NewListKeyPropertiesPager.
ListKeyPropertiesVersionsOptions contains the optional parameters for the Client.NewListKeyPropertiesVersionsPager method.
ListKeyPropertiesVersionsResponse contains the response from method Client.NewListKeyPropertiesVersionsPager.
PurgeDeletedKeyOptions contains the optional parameters for the Client.PurgeDeletedKey method.
PurgeDeletedKeyResponse contains the response from method Client.PurgeDeletedKey.
RandomBytes - The get random bytes response object containing the bytes.
RecoverDeletedKeyOptions contains the optional parameters for the Client.RecoverDeletedKey method.
RecoverDeletedKeyResponse contains the response from method Client.RecoverDeletedKey.
ReleaseOptions contains the optional parameters for the Client.Release method.
ReleaseParameters - The release key parameters.
ReleaseResponse contains the response from method Client.Release.
RestoreKeyOptions contains the optional parameters for the Client.RestoreKey method.
RestoreKeyParameters - The key restore parameters.
RestoreKeyResponse contains the response from method Client.RestoreKey.
RotateKeyOptions contains the optional parameters for the Client.RotateKey method.
RotateKeyResponse contains the response from method Client.RotateKey.
SignOptions contains the optional parameters for the Client.Sign method.
SignParameters - The key operations parameters.
SignResponse contains the response from method Client.Sign.
UnwrapKeyOptions contains the optional parameters for the Client.UnwrapKey method.
UnwrapKeyResponse contains the response from method Client.UnwrapKey.
UpdateKeyOptions contains the optional parameters for the Client.UpdateKey method.
UpdateKeyParameters - The key update parameters.
UpdateKeyResponse contains the response from method Client.UpdateKey.
UpdateKeyRotationPolicyOptions contains the optional parameters for the Client.UpdateKeyRotationPolicy method.
UpdateKeyRotationPolicyResponse contains the response from method Client.UpdateKeyRotationPolicy.
VerifyOptions contains the optional parameters for the Client.Verify method.
VerifyParameters - The key verify parameters.
VerifyResponse contains the response from method Client.Verify.
WrapKeyOptions contains the optional parameters for the Client.WrapKey method.
WrapKeyResponse contains the response from method Client.WrapKey.

# Type aliases

CurveName - Elliptic curve name.
EncryptionAlgorithm - An algorithm used for encryption and decryption.
ID is a key's unique ID, containing its version, if any, and name.
KeyEncryptionAlgorithm - The encryption algorithm to use to protected the exported key material.
KeyOperation - JSON web key operations.
KeyRotationPolicyAction - The type of the action.
KeyType - JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40.
SignatureAlgorithm - The signing/verification algorithm identifier.