# Getting secrets from Key Vault

You can use `DefaultAzureCredential` to easily authenticate in both development and production environments without changing code. This credential type detects common production environment configurations and, failing to find any, detects common developer credentials like those from the [Azure CLI](https://aka.ms/azure-cli) or [Visual Studio](https://www.visualstudio.com).

## Creating the SecretClient

To create a `SecretClient`, you'll need to know the URI to your Key Vault. This may appear as "DNS Name" in the [Azure Portal](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults). Replace "heathskv2.vault.azure.net" with your vault URI.

```csharp
#r "nuget:Azure.Identity"
#r "nuget:Azure.Security.KeyVault.Secrets"

#pragma warning disable CS1701

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

Uri vaultUri = new Uri("https://heathskv2.vault.azure.net");
DefaultAzureCredential credential = new DefaultAzureCredential();
SecretClient client = new SecretClient(vaultUri, credential);
```

You'll need to authenticate so that `DefaultAzureCredential` has a credential to find. During development you can do this easily using the CLI:

```
#!pwsh
az login
```

```
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code FWD79QV52 to authenticate.
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "96be4b7a-defb-4dc2-a31f-49ee6145d5ab",
    "id": "c649122d-c5c8-40b0-b95c-e09da8dbfdf0",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Windows Azure MSDN - Visual Studio Ultimate",
    "state": "Enabled",
    "tenantId": "96be4b7a-defb-4dc2-a31f-49ee6145d5ab",
    "user": {
      "name": "heaths@outlook.com",
      "type": "user"
    }
  },
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "96be4b7a-defb-4dc2-a31f-49ee6145d5ab",
    "id": "22f692c2-e192-4019-b0f8-884cefc0f1a1",
    "isDefault": false,
    "managedByTenants": [],
    "name": "Visual Studio Enterprise",
    "state": "Enabled",
    "tenantId": "96be4b7a-defb-4dc2-a31f-49ee6145d5ab",
    "user": {
      "name": "heaths@outlook.com",
      "type": "user"
    }
  }
]
```

## Enumerating secrets

When you enumerate secrets, the secret value is not retrieved. This is because the "list" permission for enumerating secrets can be assigned separately from the "get" permission for getting secrets. Instead, a `SecretProperties` object is returned which provides the name and other information.

Given the name, you can retrieve the secret value:

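```csharp
#pragma warning disable CS1701

await foreach (SecretProperties properties in client.GetPropertiesOfSecretsAsync())
{
    // Disabled secrets are still listed, but the service refuses to return their values.
    if (properties.Enabled == false)
    {
        continue;
    }

    // Fetching the value requires the "get" permission in addition to "list".
    KeyVaultSecret secret = await client.GetSecretAsync(properties.Name);
    Console.WriteLine(secret.Value);
}
```

```
secret-value
```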
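
The separation between "list" and "get" described above can be checked directly. The following cell is an added example, not part of the original notebook: it inventories each secret's metadata using only what enumeration returns, then tests whether the current identity can also read the value, without ever printing it. `KEY_VAULT_URI` is a hypothetical environment variable assumed to hold your vault URI.

```csharp
#r "nuget:Azure.Identity"
#r "nuget:Azure.Security.KeyVault.Secrets"

using System;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Assumption: KEY_VAULT_URI is a hypothetical environment variable, not something the SDK reads.
Uri vaultUri = new Uri(Environment.GetEnvironmentVariable("KEY_VAULT_URI")
    ?? throw new InvalidOperationException("Set KEY_VAULT_URI to your vault URI."));
SecretClient client = new SecretClient(vaultUri, new DefaultAzureCredential());

DateTimeOffset now = DateTimeOffset.UtcNow;

// Enumeration needs only the "list" permission and returns metadata, never values.
await foreach (SecretProperties properties in client.GetPropertiesOfSecretsAsync())
{
    string expiry = properties.ExpiresOn is null ? "no expiry set"
        : properties.ExpiresOn < now ? "EXPIRED"
        : $"expires {properties.ExpiresOn:yyyy-MM-dd}";
    Console.WriteLine($"{properties.Name}: enabled={properties.Enabled}, {expiry}");

    // Disabled secrets appear in the listing, but their values cannot be read.
    if (properties.Enabled == false)
    {
        continue;
    }

    try
    {
        // Discard the result: the check is whether "get" is permitted, not what the value is.
        _ = await client.GetSecretAsync(properties.Name);
        Console.WriteLine("  get: allowed");
    }
    catch (RequestFailedException ex) when (ex.Status == 403)
    {
        // The identity can list this vault's secrets but is not permitted to read them.
        Console.WriteLine("  get: forbidden (403)");
    }
}
```

An identity that only needs to audit expiry dates or naming can be granted "list" alone; every line marked "get: allowed" is a secret the signed-in identity can read in full.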
