How to get all secrets in one call Azure key vault

Question

I am using sample code explain here

https://github.com/Azure-Samples/app-service-msi-keyvault-dotnet

but they only explained how can we get single secrete not list of secrete.

so to get all secrete I'm using this code sample

var all = kv.GetSecretsAsync(url).GetAwaiter().GetResult();
foreach (var secret in all)
{
    secretlist.Add(secret.Id);
}

but it is only getting the secret id, not value. I want to get all secrets value also so can anyone help how I can do this?

Answer 1

We can find all keys like this

string keyVaultName = "keyvault-name";
string keyVaultUri = $"https://{keyVaultName}.vault.azure.net/";
var keyVaultClient = new SecretClient(new Uri(keyVaultUri), new DefaultAzureCredential());
var secrets = keyVaultClient.GetPropertiesOfSecrets().AsPages().SelectMany(sm => sm.Values.Select(s => s.Name)).ToList();

Answer 2

using Azure.Identity;

using Azure.Security.KeyVault.Secrets;

namespace key_vault_console_app

{
    class Program
    {
        public static void Main()
        {
            var kvUri = $"https://{your keyvault name}.vault.azure.net";
            var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
            var vishwa = client.GetPropertiesOfSecrets().AsPages().ToList();

            foreach (var kv in vishwa)
            {
                for (int i = 0; i < kv.Values.Count; i++)
                {
                    Console.WriteLine($"Secret Name: {kv.Values[i].Name.ToString()}  ===> Secret Value:  {client.GetSecret(kv.Values[i].Name.ToString(), null).Value.Value}");
                }
            }
        }
    }
}

Answer 3

We can find all keys like this

var secretClient = new SecretClient(new Uri($"https://{AzureKeyVaultName}.vault.azure.net/"), new DefaultAzureCredential());
var v = secretClient.GetPropertiesOfSecrets().AsPages().ToList();

Answer 4

If you are using the newer Azure.Security.KeyVault.Secrets package then you can get all the secrets by using the GetPropertiesOfSecretsAsync method, then iterating over each result calling GetSecretAsync. Obviously this is still SELECT N+1 but there currently appears to still be no other way to do this.

Note that you will need to be using C# 8.0 to use this example:

private SecretClient _client;

// ... setup your client, for example:

_client = new SecretClient("https://mykeyvault.vault.azure.net/", new DefaultAzureCredential());
        
// ...
        
public async Task<IList<KeyVaultSecret>> GetAllAsync(CancellationToken cancellationToken = default)
{
    AsyncPageable<SecretProperties> secretProperties = _client.GetPropertiesOfSecretsAsync(cancellationToken);

    var secrets = new List<KeyVaultSecret>();

    await foreach (var secretProperty in secretProperties)
    {
        var response = await _client.GetSecretAsync(secretProperty.Name, cancellationToken: cancellationToken).ConfigureAwait(false);
        
        secrets.Add(response.Value);
    }

    return secrets;
}

Answer 5

You can use listPropertiesOfSecrets method which returns all keys. This way you can iterate and get all secrets from vault.

Answer 6

You have to get all secrets, returning an IPage of SecretItem, and then iterate through each one to get the SecretBundle like this. Here's my code that handles the operation:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Newtonsoft.Json;

namespace TradingReplay.Engine
{
    public class SecurityCredentials : Serialisable<SecurityCredentials, SecurityCredentials>
    {
        public string VaultUrl { get; set; }
        public string ApplicationId {get; set;}
        private string ApplicationSecret { get; set; }
        internal Dictionary<string, string> Cache { get; set; } = new Dictionary<string, string>();

        public SecurityCredentials()
        { }

        public SecurityCredentials(string vaultUrl, string applicationId, string applicationSecret)
        {
            VaultUrl = vaultUrl;
            ApplicationId = applicationId;
            ApplicationSecret = applicationSecret;
        }

        public async Task<SecurityCredentials> InitialiseAzure()
        {
            var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync), new HttpClient());
            var secrets = await client.GetSecretsAsync(VaultUrl);

            foreach (var item in secrets)
                Cache.Add(item.Identifier.Name, await GetSecretAsync(client, item.Identifier.Name));

            return this;
        }

        public async Task<string> GetSecretAsync(string key)
        {
            if (Cache.TryGetValue(key, out var value))
                return value;
            else
            {
                var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync), new HttpClient());
                var secret = await GetSecretAsync(client, key);
                Cache.Add(key, secret);
                return secret;
            }
        }

        public async Task<string> GetSecretAsync(KeyVaultClient client, string key)
        {
            var secret = await client.GetSecretAsync(VaultUrl, key);
            return secret.Value;
        }

        private async Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
        {
            var appCredentials = new ClientCredential(ApplicationId, ApplicationSecret);
            var context = new AuthenticationContext(authority, TokenCache.DefaultShared);

            var result = await context.AcquireTokenAsync(resource, appCredentials);

            return result.AccessToken;
        }
    }
}

For testing purposes I have registered an application to access my Azure instances, and to initialize the class all I do is:

var credentials = await new SecurityCredentials("<vaultUrl>", "<applicationId>", "<applicationSecret>").InitialiseAzure();

and then can call:

credentials["<secretName>"];

Answer 7

Looking at the documentation, the KeyVaultClient Class doesn't contain a method to get all secrets including their values. The GetSecrets method 'List secrets in a specified key vault.' and returns a list with items of type SecretItem, which doesn't contain the value but only contains secret metadata.

This is in line with the Key Vault REST API, where there's a GetSecrets that returns... you guessed it... a list of SecretItems.

Long story short: if you want all values of all secrets, you have to iterate the list and get every one explicitly.