Microsoft Azure logo Quarkus Azure Services Extensions

Quarkus Azure App Configuration Extension

Quarkus Azure Services Extensions are developed and supported by Microsoft as part of their commitment to Open Standard Enterprise Java. For more information, see Jakarta EE on Azure.

Azure App Configuration is a fast, scalable parameter storage for app configuration. This extension allows to inject a io.smallrye.config.SmallRyeConfig object inside your Quarkus application so you can access the app configuration stored in Azure.

Installation

If you want to use this extension, you need to add the io.quarkiverse.azureservices:quarkus-azure-services extension first to your build file.

For instance, with Maven, add the following dependency to your POM file:

<dependency>
    <groupId>io.quarkiverse.azureservices</groupId>
    <artifactId>quarkus-azure-app-configuration</artifactId>
    <version>1.0.4</version>
</dependency>

How to Use It

Once you have added the extension to your project, follow the next steps, so you can inject io.smallrye.config.SmallRyeConfig object in your application to store and read blobs.

Setup your Azure Environment

First thing first. For this sample to work, you need to have an Azure account as well as Azure CLI installed. The Azure CLI is available to install in Windows, macOS and Linux environments. Checkout the installation guide. Then, you need an Azure subscription and log into it by using the az login command. You can run az version to find the version and az upgrade to upgrade to the latest version.

Create an Azure resource group with the az group create command. A resource group is a logical container into which Azure resources are deployed and managed.

az group create \
    --name rg-quarkus-azure-app-configuration \
    --location eastus

Create an Azure App Configuration store with the following command:

az appconfig create \
    --name appcs-quarkus-azure-app-configuration \
    --resource-group rg-quarkus-azure-app-configuration \
    --location eastus

Then create some key-value properties with the following commands:

az appconfig kv set --name appcs-quarkus-azure-app-configuration --yes --key myKeyOne --value "Value 1"
az appconfig kv set --name appcs-quarkus-azure-app-configuration --yes --key myKeyTwo --value "Value 2"

You can list the key-value properties with the following command:

az appconfig kv list --name appcs-quarkus-azure-app-configuration

If you log into the Azure portal, you can see the resource group and the key-value you created.

Azure Portal showing the app configuration

Configure the Azure App Configuration Client

As you can see below in the Configuration Reference section, this extension has several configuration options. To be able to connect to the Azure App Configuration that we’ve just created, you must get the URL of the endpoing, it’s id and secret. For that, execute the following Azure CLI command:

az appconfig credential list --name appcs-quarkus-azure-app-configuration

You’ll get the following output:

{
  "connectionString": "Endpoint=https://appcs-quarkus-azure-app-configuration.azconfig.io;Id=xxxxxx;Secret=xxxxxx",
  "id": "xxxxxx",
  "name": "Primary",
  "readOnly": false,
  "value": "xxxxxx"
}

Then, in the application.properties file, add the following property according to the output of the previous command:

quarkus.azure.app.configuration.endpoint=https://appcs-quarkus-azure-app-configuration.azconfig.io
quarkus.azure.app.configuration.id=xxxxxx
quarkus.azure.app.configuration.secret=xxxxxx

Inject the SmallRyeConfig

Now that your Azure environment is ready and that you have configured the extension, you can inject the SmallRyeConfig object in your application, so you can interact with Azure App Configuration.

@Path("/config")
@Produces(MediaType.APPLICATION_JSON)
public class ConfigResource {

  @Inject
  SmallRyeConfig config;

  @GET
  @Path("/{name}")
  public Response configValue(@PathParam("name") final String name) {
      return Response.ok(config.getConfigValue(name)).build();
  }
}

To execute this sample you can run the following cURL commands:

  • curl -X GET localhost:8080/config/myKeyOne

  • curl -X GET localhost:8080/config/myKeyTwo

Extension Configuration Reference

Configuration property fixed at build time - All other configuration properties are overridable at runtime

Configuration property

Type

Default

The flag to enable the app configuration. If set to false, the app configuration will be disabled

Environment variable: QUARKUS_AZURE_APP_CONFIGURATION_ENABLED

boolean

true

The endpoint of the app configuration. Required if quarkus.azure.app.configuration.enabled is set to true

Environment variable: QUARKUS_AZURE_APP_CONFIGURATION_ENDPOINT

string

The id of the app configuration. Required if quarkus.azure.app.configuration.enabled is set to true

Environment variable: QUARKUS_AZURE_APP_CONFIGURATION_ID

string

The secret of the app configuration. Required if quarkus.azure.app.configuration.enabled is set to true

Environment variable: QUARKUS_AZURE_APP_CONFIGURATION_SECRET

string

The label filter of the app configuration. Use comma as separator for multiple label names

Environment variable: QUARKUS_AZURE_APP_CONFIGURATION_LABELS

string

Quarkus Azure Key Vault Extension

Quarkus Azure Services Extensions are developed and supported by Microsoft as part of their commitment to Open Standard Enterprise Java. For more information, see Jakarta EE on Azure.

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. This extension allows you to create and retrieve secret from Azure Key Vault by injecting the following object inside your Quarkus application.

  • com.azure.security.keyvault.secrets.SecretClient

  • com.azure.security.keyvault.secrets.SecretAsyncClient

The extension produces SecretClient and SecretAsyncClient using DefaultAzureCredential. Developers who want more control or whose scenario isn’t served by the default settings should build client using other credential types.

Installation

If you want to use this extension, you need to add the io.quarkiverse.azureservices:quarkus-azure-services extension first to your build file.

For instance, with Maven, add the following dependency to your POM file:

<dependency>
    <groupId>io.quarkiverse.azureservices</groupId>
    <artifactId>quarkus-azure-keyvault</artifactId>
    <version>1.0.4</version>
</dependency>

How to Use It

Once you have added the extension to your project, follow the next steps, so you can inject com.azure.security.keyvault.secrets.SecretClient or com.azure.security.keyvault.secrets.SecretAsyncClient object in your application to manage secret.

Setup your Azure Environment

First thing first. For this sample to work, you need to have an Azure account as well as Azure CLI installed. The Azure CLI is available to install in Windows, macOS and Linux environments. Checkout the installation guide. Then, you need an Azure subscription and log into it by using the az login command. You can run az version to find the version and az upgrade to upgrade to the latest version.

Create an Azure resource group with the az group create command. A resource group is a logical container into which Azure resources are deployed and managed.

az group create \
    --name rg-quarkus-azure-keyvault \
    --location eastus

Create a general-purpose key vault with the following command:

az keyvault create --name kvquarkusazurekv0423 \
    --resource-group rg-quarkus-azure-keyvault \
    --location eastus

Key Vault provides secure storage of generic secrets, such as passwords and database connection strings. All secrets in your key vault are stored encrypted. The Azure Key Vault service encrypts your secrets when you add them, and decrypts them automatically when you read them.

Access Control for secrets managed in Key Vault, is provided at the level of the Key Vault. The following command uses your Microsoft Entra ID to authorize the operation to manage secret. Even if you are the key vault owner, you need explicit permissions to perform operations against secret.

Assign all secret permissions(backup, delete, get, list, purge, recover, restore, set) to yourself:

az ad signed-in-user show --query id -o tsv \
    | az keyvault set-policy \
    --name kvquarkusazurekv0423 \
    --object-id @- \
    --secret-permissions all

If you log into the Azure portal, you can see the key vault you created. Select ObjectsSecrets, you will find the Secrets page.

Azure Portal showing Key Vault Secrets

Configure the Azure Key Vault Secret Client

As you can see below in the Configuration Reference section, the configuration option quarkus.azure.keyvault.secret.endpoint is mandatory. To get the endpoint, execute the following Azure CLI command:

az keyvault show --name kvquarkusazurekv0423 \
    --resource-group rg-quarkus-azure-keyvault \
    --query properties.vaultUri \
    --output tsv

Then, in the application.properties file, add the following property:

quarkus.azure.keyvault.secret.endpoint=https://kvquarkusazurekv0423.vault.azure.net/

Inject the Azure Key Vault Secret Client

Now that your Azure environment is ready and that you have configured the extension, you can inject the com.azure.security.keyvault.secrets.SecretClient object in your application, so you can interact with Azure Key Vault Secret.

This is a Quarkus CLI application. The application will:

  • Ask for a secret value.

  • Create a secret with name mySecret and set its value.

  • Retrieve and print the secret value.

  • Delete the secret.

You can build and run the application in development mode using command:

quarkus dev
@QuarkusMain
public class KeyVaultSecretApplication implements QuarkusApplication {

    @Inject
    SecretClient secretClient;

    @Override
    public int run(String... args) throws Exception {

        Console con = System.console();

        String secretName = "mySecret";
        System.out.println("Create secret: " + secretName);

        System.out.println("Please provide the value of your secret > ");

        String secretValue = con.readLine();

        System.out.println("Creating a secret called '" + secretName + "' with value '" + secretValue + "' ... ");

        secretClient.setSecret(new KeyVaultSecret(secretName, secretValue));

        System.out.println("Retrieving your secret...");

        KeyVaultSecret retrievedSecret = secretClient.getSecret(secretName);

        System.out.println("Your secret's value is '" + retrievedSecret.getValue() + "'.");
        System.out.println("Deleting your secret ... ");

        SyncPoller<DeletedSecret, Void> deletionPoller = secretClient.beginDeleteSecret(secretName);
        deletionPoller.waitForCompletion();

        System.out.println("done.");
        return 0;
    }
}

After running the application, if you log into the Azure portal, you can see the key vault and the secret you created. As the secret is deleted, you will find the secret from ObjectsSecretsManage deleted secrets.

Azure Portal showing the deleted secrets

You can also inject com.azure.security.keyvault.secrets.SecretAsyncClient object to your application. For more usage, see com.azure.security.keyvault.secrets.secretasyncclient.

Extension Configuration Reference

Configuration property fixed at build time - All other configuration properties are overridable at runtime

Configuration property

Type

Default

The flag to enable the key vault secret. If set to false, the key vault secret will be disabled

Environment variable: QUARKUS_AZURE_KEYVAULT_SECRET_ENABLED

boolean

true

The endpoint of Azure Key Vault Secret. Required if quarkus.azure.keyvault.secret.enabled is set to true

Environment variable: QUARKUS_AZURE_KEYVAULT_SECRET_ENDPOINT

string

Quarkus Azure Blob Storage Extension

Quarkus Azure Services Extensions are developed and supported by Microsoft as part of their commitment to Open Standard Enterprise Java. For more information, see Jakarta EE on Azure.

Azure Blob Storage is a massively scalable and secure object storage for cloud-native workloads, archives, data lakes, high-performance computing, and machine learning. This extension allows you to store and retrieve blobs from Azure Blob Storage by injecting a com.azure.storage.blob.BlobServiceClient or com.azure.storage.blob.BlobServiceAsyncClient object inside your Quarkus application.

This is a step by step guide on how to use the Quarkus Azure Blob Storage extension. If you’re looking for a complete code sample, you can find it in the Azure Blob Storage sample.

Installation

If you want to use this extension, you need to add the io.quarkiverse.azureservices:quarkus-azure-services extension first to your build file.

For instance, with Maven, add the following dependency to your POM file:

<dependency>
    <groupId>io.quarkiverse.azureservices</groupId>
    <artifactId>quarkus-azure-storage-blob</artifactId>
    <version>1.0.4</version>
</dependency>

How to Use It

Once you have added the extension to your project, follow the next steps, so you can inject com.azure.storage.blob.BlobServiceClient or com.azure.storage.blob.BlobServiceAsyncClient object in your application to store and read blobs.

Setup your Azure Environment

First thing first. For this sample to work, you need to have an Azure account as well as Azure CLI installed. The Azure CLI is available to install in Windows, macOS and Linux environments. Checkout the installation guide. Then, you need an Azure subscription and log into it by using the az login command. You can run az version to find the version and az upgrade to upgrade to the latest version.

Create an Azure resource group with the az group create command. A resource group is a logical container into which Azure resources are deployed and managed.

az group create \
    --name rg-quarkus-azure-storage-blob \
    --location eastus

Create a general-purpose storage account with the following command:

az storage account create \
    --name stquarkusazurestorageblo \
    --resource-group rg-quarkus-azure-storage-blob \
    --location eastus \
    --sku Standard_ZRS \
    --encryption-services blob

If you log into the Azure portal, you can see the resource group and the storage account you created.

Azure Portal showing the Azure storage account

Blobs are always uploaded into a container. You can organize groups of blobs in containers similar to the way you organize your files on your computer in folders. This guide will use the Azure Storage Blob client to create the container if it doesn’t exist. Alternatively, follow instructions in Create a container if you want to create a container before uploading blobs.

Configure the Azure Storage Blob Client

As you can see below in the Configuration Reference section, this extension has several configuration options. But one of them is mandatory, and that is the quarkus.azure.storage.blob.connection-string. To get the connection string, execute the following Azure CLI command:

az storage account show-connection-string \
    --resource-group rg-quarkus-azure-storage-blob \
    --name stquarkusazurestorageblo \
    --output tsv

Then, in the application.properties file, add the following property:

quarkus.azure.storage.blob.connection-string=DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;AccountName=stquarkusazurestorageblo;AccountKey=xxxxxxx==;BlobEndpoint=https://stquarkusazurestorageblo.blob.core.windows.net/;FileEndpoint=https://stquarkusazurestorageblo.file.core.windows.net/;QueueEndpoint=https://stquarkusazurestorageblo.queue.core.windows.net/;TableEndpoint=https://stquarkusazurestorageblo.table.core.windows.net/

Inject the Azure Storage Blob Client

Now that your Azure environment is ready and that you have configured the extension, you can inject the com.azure.storage.blob.BlobServiceClient object in your imperative application or inject the com.azure.storage.blob.BlobServiceAsyncClient object in your reactive application, so you can interact with Azure Blob Storage.

Use the BlobServiceClient in an imperative application

The uploadBlob method first creates the container container-quarkus-azure-storage-blob, sets some text to a text file, and then uploads the text to the container. The downloadBlob method downloads the text file from the container and prints the text to the console.

To execute this sample you can run the following cURL commands:

  • curl -X POST localhost:8080/quarkus-azure-storage-blob

  • curl localhost:8080/quarkus-azure-storage-blob

@Path("/quarkus-azure-storage-blob")
@ApplicationScoped
public class StorageBlobResource {

    @Inject
    BlobServiceClient blobServiceClient;

    @POST
    public Response uploadBlob() {
        BlobContainerClient blobContainerClient = blobServiceClient
                .createBlobContainerIfNotExists("container-quarkus-azure-storage-blob");
        BlobClient blobClient = blobContainerClient.getBlobClient("quarkus-azure-storage-blob.txt");
        blobClient.upload(BinaryData.fromString("Hello quarkus-azure-storage-blob at " + LocalDateTime.now()), true);

        return Response.status(CREATED).build();
    }

    @GET
    public String downloadBlob() {
        BlobContainerClient blobContainerClient = blobServiceClient
                .getBlobContainerClient("container-quarkus-azure-storage-blob");
        BlobClient blobClient = blobContainerClient.getBlobClient("quarkus-azure-storage-blob.txt");

        return blobClient.downloadContent().toString();
    }
}

You can go back to the Azure portal and see the container container-quarkus-azure-storage-blob and the blob quarkus-azure-storage-blob.txt that you’ve created.

Azure Portal showing the content of the file uploaded with the BlobServiceClient object
Use the BlobServiceAsyncClient in a reactive application

Similarly, the uploadBlob method first creates the container container-quarkus-azure-storage-blob-async, sets some text to a text file, and then uploads the text to the container. The downloadBlob method downloads the text file from the container and prints the text to the console.

To execute this sample you can run the following cURL commands:

  • curl -X POST localhost:8080/quarkus-azure-storage-blob-async

  • curl localhost:8080/quarkus-azure-storage-blob-async

@Path("/quarkus-azure-storage-blob-async")
@ApplicationScoped
public class StorageBlobAsyncResource {

    @Inject
    BlobServiceAsyncClient blobServiceAsyncClient;

    @POST
    public Uni<Response> uploadBlob() {
        Mono<BlockBlobItem> blockBlobItem = blobServiceAsyncClient
                .createBlobContainerIfNotExists("container-quarkus-azure-storage-blob-async")
                .map(it -> it.getBlobAsyncClient("quarkus-azure-storage-blob-async.txt"))
                .flatMap(it -> it.upload(BinaryData.fromString("Hello quarkus-azure-storage-blob-async at " + LocalDateTime.now()), true));

        return Uni.createFrom().completionStage(blockBlobItem.toFuture()).map(it -> Response.status(CREATED).build());
    }

    @GET
    public Uni<Response> downloadBlob() {
        BlobAsyncClient blobAsyncClient = blobServiceAsyncClient.getBlobContainerAsyncClient("container-quarkus-azure-storage-blob-async")
                .getBlobAsyncClient("quarkus-azure-storage-blob-async.txt");

        return Uni.createFrom()
                .completionStage(blobAsyncClient.downloadContent().map(it -> Response.ok().entity(it.toString()).build())
                        .toFuture());
    }
}

You can also go back to the Azure portal and see the container container-quarkus-azure-storage-blob-async and the blob quarkus-azure-storage-blob-async.txt that you’ve created.

Azure Portal showing the content of the file uploaded with the BlobServiceAsyncClient object

Extension Configuration Reference

Configuration property fixed at build time - All other configuration properties are overridable at runtime

Configuration property

Type

Default

Whether a health check is published in case the smallrye-health extension is present.

Environment variable: QUARKUS_AZURE_STORAGE_BLOB_HEALTH_ENABLED

boolean

true

If DevServices has been explicitly enabled or disabled. DevServices is generally enabled by default, unless there is an existing configuration present.

When DevServices is enabled Quarkus will attempt to automatically configure and start an azurite instance when running in Dev or Test mode and when Docker is running.

Environment variable: QUARKUS_AZURE_STORAGE_BLOB_DEVSERVICES_ENABLED

boolean

true

The container image name to use, for container based DevServices providers.

Environment variable: QUARKUS_AZURE_STORAGE_BLOB_DEVSERVICES_IMAGE_NAME

string

mcr.microsoft.com/azure-storage/azurite:3.28.0

Optional fixed port the Dev services will listen to.

If not defined, the port will be chosen randomly.

Environment variable: QUARKUS_AZURE_STORAGE_BLOB_DEVSERVICES_PORT

int

Indicates if the azurite instance managed by Quarkus Dev Services is shared. When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services for Azure Storage Blob starts a new container.

The discovery uses the quarkus-dev-service-azure-storage-blob label. The value is configured using the service-name property.

Container sharing is only used in dev mode.

Environment variable: QUARKUS_AZURE_STORAGE_BLOB_DEVSERVICES_SHARED

boolean

true

The value of the quarkus-dev-service-azure-storage-blob label attached to the started container. This property is used when shared is set to true. In this case, before starting a container, Dev Services for Azure Storage Blob looks for a container with the quarkus-dev-service-azure-storage-blob label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise it starts a new container with the quarkus-dev-service-azure-storage-blob label set to the specified value.

This property is used when you need multiple shared azurite instances.

Environment variable: QUARKUS_AZURE_STORAGE_BLOB_DEVSERVICES_SERVICE_NAME

string

default-storage-blob

The flag to enable the storage blob. If set to false, the storage blob will be disabled

Environment variable: QUARKUS_AZURE_STORAGE_BLOB_ENABLED

boolean

true

The connection string of Azure Storage Account. Required if quarkus.azure.storage.blob.enabled is set to true

Environment variable: QUARKUS_AZURE_STORAGE_BLOB_CONNECTION_STRING

string