
When you use the Azure Key Vault SDK, you can create, read, update, and delete secrets. In this post, you will learn how to update a secret and its properties using the Azure Key Vault SDK.

I was working on the JosephGuadagno.NET Broadcasting application this weekend and wanted to create a feature that would automatically refresh the tokens that are used to authenticate with the various social media platforms. For reasons, these tokens were stored locally in the application settings. I know, bad choice, but when I started this project I really didn’t know Azure Key Vault, so I went with what I knew. I moved these tokens to Azure Key Vault, so now I needed to update the tokens in the Key Vault. However, when you use the Azure Key Vault SDK to update secrets, it creates a new version of the secret and doesn’t disable the previous secret. Since I am refreshing the token, the old token is no longer valid, so I needed to disable the old secret. At the same time, Azure Key Vault secrets have an expiration date, so I wanted to update the expiration date of the secret as well. Let’s take a look at how to do this.

This post assumes you have an Azure Key Vault instance and you know how to set up a secret. If you don’t know how to set up a secret, you can follow the steps in the post Securing Azure Function Settings with Azure Key Vault.

The Process

There are a couple of steps to update a secret and its properties to achieve what I wanted. The steps are:

  1. Establish a connection to the Azure Key Vault and obtain a SecretClient instance.
  2. Get the current secret from the vault using the GetSecretAsync method of the SecretClient class.
  3. Call the UpdateSecretPropertiesAsync method of the SecretClient class to disable the current version of the secret.
  4. Update / create a new version of the secret using the SetSecretAsync method of the SecretClient class.
  5. Call the UpdateSecretPropertiesAsync method of the SecretClient class using the KeyVaultSecret returned from step 4 to update the expiration date of the new version.

The Code

Here is the code to update a secret and its properties.

using System;
using System.Threading.Tasks;
using Azure.Security.KeyVault.Secrets;

// Step 1 happens outside this method: the caller creates the SecretClient
// (vault URI plus a credential) and passes it in.
public async Task UpdateSecretValueAndProperties(SecretClient client,
            string secretName, string secretValue, DateTime expiresOn)
{
    // Step 2: Get the current (latest) version of the secret
    var originalSecretResponse = await client.GetSecretAsync(secretName);
    var originalSecret = originalSecretResponse.Value;

    // Step 3: Disable the old version. UpdateSecretPropertiesAsync targets the
    // specific version identified by originalSecret.Properties, not the secret name.
    originalSecret.Properties.Enabled = false;
    await client.UpdateSecretPropertiesAsync(originalSecret.Properties);

    // Step 4: Create a new version of the secret with the new value
    var newSecretVersionResponse = await client.SetSecretAsync(secretName, secretValue);
    var newKeyVaultSecretVersion = newSecretVersionResponse.Value;

    // Step 5: Set the expiration date on the new version
    newKeyVaultSecretVersion.Properties.ExpiresOn = expiresOn;
    await client.UpdateSecretPropertiesAsync(newKeyVaultSecretVersion.Properties);
}

The error handling in this code was removed for brevity. You should add error handling to your code. You can find the full code in the jjgnet-broadcasting repository.
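The same five steps with the error handling put back, as an added example that is not code from the post or from the jjgnet-broadcasting repository. It reorders steps 3 and 4 so the new version exists before the old one is disabled (otherwise a run that fails between those two calls leaves the secret's latest version disabled, and Key Vault then refuses GetSecretAsync for the name), and it treats a missing secret (404) as the first rotation. The RotateSecretAsync name and the reads-before-write check are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Security.KeyVault.Secrets;

public static class SecretRotation
{
    // Hypothetical helper. Step 1 (building the SecretClient) is the caller's job.
    public static async Task<KeyVaultSecret> RotateSecretAsync(SecretClient client,
        string secretName, string newValue, DateTimeOffset expiresOn)
    {
        if (expiresOn <= DateTimeOffset.UtcNow)
            throw new ArgumentOutOfRangeException(nameof(expiresOn), "Expiration must be in the future.");

        // Step 2: fetch the current (latest) version, if there is one.
        SecretProperties previous = null;
        try
        {
            previous = (await client.GetSecretAsync(secretName)).Value.Properties;
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            // First rotation: no existing version to disable.
        }

        // Step 4 (moved before step 3): create the new version first, so the name
        // always resolves to an enabled version even if a later call fails.
        KeyVaultSecret current = (await client.SetSecretAsync(secretName, newValue)).Value;

        // Step 5: expiration applies to the new version only.
        current.Properties.ExpiresOn = expiresOn;
        current.Properties.NotBefore = DateTimeOffset.UtcNow;
        await client.UpdateSecretPropertiesAsync(current.Properties);

        // Step 3 (now last): disable the previous version by its own version id.
        // The guard keeps us from disabling the version we just created.
        if (previous != null && previous.Version != current.Properties.Version)
        {
            previous.Enabled = false;
            SecretProperties disabled = (await client.UpdateSecretPropertiesAsync(previous)).Value;
            if (disabled.Enabled != false)
                throw new InvalidOperationException(
                    $"Version {previous.Version} of '{secretName}' is still enabled.");
        }

        return current;
    }
}
```

Disabling a version only blocks reads of its value; the version still exists in the vault until it is deleted, so anything auditing the vault will continue to list it.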

Wrap Up

I’m not sure why these steps are necessary to update a secret and its properties. I would think that the SetSecretAsync method would update the secret and its properties with an overloaded method and/or better yet add an option to the SetSecretAsync method to disable the previous version, if one exists. However, it doesn’t. I hope this post helps you if you need to update a secret and its properties in Azure Key Vault.

References