azure-keyvault-secrets-ts

Safe 🌐 Network access 🔑 Env variables

Manage Azure Key Vault secrets securely

Storing application secrets in code creates security risks. This skill enables secure secret management using Azure Key Vault with proper authentication and encryption.

Supports: Claude, Codex, Code (CC)
🥉 72 Bronze
1. Download the skill ZIP
2. Upload in Claude: go to Settings → Capabilities → Skills → Upload skill
3. Toggle on and start using

Test it

Using "azure-keyvault-secrets-ts". Get the secret 'MySecret' from Key Vault

Expected outcome:

Secret retrieved successfully: MySecret (version: a1b2c3d4). Value length: 32 characters. Content type: application/json. Expires: 2025-12-31.

Using "azure-keyvault-secrets-ts". List all secrets in the vault

Expected outcome:

Found 5 secrets: DatabaseConnectionString, ApiKey, JwtSigningKey, SmtpPassword, StorageAccountKey. All secrets are enabled. 2 secrets expire within 30 days.

Using "azure-keyvault-secrets-ts". Rotate the key 'EncryptionKey' manually

Expected outcome:

Key rotated successfully: EncryptionKey. New version: e5f6g7h8. Key type: RSA. Key size: 2048 bits. Rotation completed at 2026-02-25T00:22:36Z.

Security Audit

Safe
v1 • 2/25/2026

All static analysis findings are false positives. The scanner incorrectly flagged markdown documentation code blocks as executable code. The skill uses Azure SDK patterns correctly with DefaultAzureCredential, environment-based configuration, and industry-standard cryptographic algorithms (RSA-OAEP, RS256, P-256). No malicious patterns detected.

Files scanned: 1
Lines analyzed: 275
Findings: 2
Total audits: 1

Risk Factors

🌐 Network access (2)
🔑 Env variables (1)
Audited by: claude

Quality Score

Architecture: 38
Maintainability: 100
Content: 87
Community: 30
Security: 100
Spec Compliance: 100

What You Can Build

Secure Application Configuration

Store database connection strings, API keys, and service credentials in Key Vault instead of environment variables or config files.

Cryptographic Key Management

Generate and manage RSA or elliptic curve keys for encryption and digital signatures with automatic rotation policies.

Secrets Rotation Automation

Implement automated secret rotation with expiration dates and access policies to reduce credential exposure risk.

Try These Prompts

Get a secret from Key Vault
Retrieve the secret named 'DatabaseConnectionString' from Azure Key Vault and log its value.

Store a new secret with attributes
Create a new secret called 'ApiKey' with the value 'xyz123', set it to enabled, add a contentType of 'text/plain', and tag it with environment=production.

Encrypt and decrypt data with Key Vault
Use the CryptographyClient to encrypt a message with RSA-OAEP algorithm, then decrypt it and verify the original content is preserved.

Implement key rotation with policy
Create an RSA key with 2048-bit size, configure a rotation policy to auto-rotate every 90 days with a 30-day pre-expiry action, and set up monitoring for rotation events.

Best Practices

  • Use DefaultAzureCredential for seamless authentication across development and production environments
  • Enable soft-delete on production vaults to allow secret recovery within the retention period
  • Set expiration dates on secrets and configure automatic rotation policies for cryptographic keys

Avoid

  • Never hardcode secret values in source code or commit them to version control
  • Avoid using master keys or root credentials - implement least-privilege access with specific key operations
  • Do not disable soft-delete in production environments as it prevents recovery from accidental deletion

Frequently Asked Questions

What Azure permissions are required to use this skill?
You need Key Vault Secrets User role for secret operations, or Key Vault Crypto User for key operations. For management tasks like creating vaults, Key Vault Administrator role is required.

Can I use this skill in browser-based applications?
No, the @azure/keyvault-secrets and @azure/keyvault-keys SDKs are designed for Node.js environments only. Browser applications should use Azure Key Vault Managed HSM with appropriate client-side libraries.

How do I authenticate locally versus in Azure?
DefaultAzureCredential automatically handles both: it uses your Azure CLI login for local development and managed identities when running in Azure (App Service, Functions, VMs).

What happens when a secret expires?
Expired secrets remain accessible by default unless the vault has expiration policies enforced. The enabled attribute controls whether a secret can be used - set enabled:false to disable before expiration.

Can I restore a deleted secret to a different vault?
Yes, backup and restore operations are portable across vaults. Backup creates an encrypted blob that can be restored to any vault you have access to, including in different subscriptions.

How are soft-delete and purge protection different?
Soft-delete moves deleted items to a recoverable state for 7-90 days. Purge protection prevents permanent deletion during the soft-delete retention period, protecting against malicious insiders.
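
Because an expired secret can still be read, as the FAQ above notes, the consuming code has to check expiry and the enabled flag itself. The following is an added example, not part of the skill or the Azure SDK: it audits secret metadata only (never values) and flags secrets that are expired but still enabled, expiring within 30 days, or missing an expiry date. SecretMeta is a local stand-in for the name, enabled and expiresOn fields of SecretProperties in @azure/keyvault-secrets; the function names and sample dates are constructed.

```typescript
// Added example: local audit of secret metadata. SecretMeta mirrors a subset of the
// SecretProperties fields in @azure/keyvault-secrets (name, enabled, expiresOn).
interface SecretMeta {
  name: string;
  enabled?: boolean;
  expiresOn?: Date;
}

type Finding = "ok" | "disabled" | "no-expiry" | "expiring-soon" | "expired-but-enabled";

const DAY_MS = 24 * 60 * 60 * 1000;

// Classify one secret. An expired secret that is still enabled remains readable,
// so "expired-but-enabled" is the case the caller has to catch itself.
function classifySecret(s: SecretMeta, now: Date, warnDays = 30): Finding {
  if (s.enabled === false) return "disabled";
  if (!s.expiresOn) return "no-expiry";
  const remainingMs = s.expiresOn.getTime() - now.getTime();
  if (remainingMs <= 0) return "expired-but-enabled";
  if (remainingMs <= warnDays * DAY_MS) return "expiring-soon";
  return "ok";
}

// Group secret names by finding so the report can be logged without touching values.
function auditSecrets(secrets: SecretMeta[], now: Date, warnDays = 30): Record<Finding, string[]> {
  const report: Record<Finding, string[]> = {
    "ok": [], "disabled": [], "no-expiry": [], "expiring-soon": [], "expired-but-enabled": [],
  };
  for (const s of secrets) report[classifySecret(s, now, warnDays)].push(s.name);
  return report;
}

// Constructed sample metadata (names from the listing example on this page; dates invented).
const NOW = new Date("2026-02-25T00:00:00Z");
const SAMPLE: SecretMeta[] = [
  { name: "DatabaseConnectionString", enabled: true, expiresOn: new Date("2026-03-10T00:00:00Z") },
  { name: "ApiKey", enabled: true, expiresOn: new Date("2026-01-31T00:00:00Z") },
  { name: "JwtSigningKey", enabled: true, expiresOn: new Date("2026-12-31T00:00:00Z") },
  { name: "SmtpPassword", enabled: true },
  { name: "StorageAccountKey", enabled: false, expiresOn: new Date("2026-03-01T00:00:00Z") },
];

console.log(auditSecrets(SAMPLE, NOW));
```

In a real run, the input would come from iterating the SDK's secret property listing and mapping each item to SecretMeta; no secret value is needed for this check.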

Developer Details

File structure

📄 SKILL.md