az keyvault secret

Manage secrets.

Commands

| Name | Description | Type | Status |
|---|---|---|---|
| az keyvault secret backup | Backs up the specified secret. | Core | GA |
| az keyvault secret delete | Delete all versions of a secret. | Core | Deprecated |
| az keyvault secret download | Download a secret from a KeyVault. | Core | GA |
| az keyvault secret list | List secrets in a specified key vault. | Core | GA |
| az keyvault secret list-deleted | Lists deleted secrets for the specified vault. | Core | GA |
| az keyvault secret list-versions | List all versions of the specified secret. | Core | GA |
| az keyvault secret purge | Permanently deletes the specified secret. | Core | GA |
| az keyvault secret recover | Recovers the deleted secret to the latest version. | Core | GA |
| az keyvault secret restore | Restores a backed up secret to a vault. | Core | GA |
| az keyvault secret set | Create a secret (if one doesn't exist) or update a secret in a KeyVault. | Core | GA |
| az keyvault secret set-attributes | Updates the attributes associated with a specified secret in a given key vault. | Core | GA |
| az keyvault secret show | Get a specified secret from a given key vault. | Core | GA |
| az keyvault secret show-deleted | Gets the specified deleted secret. | Core | GA |

az keyvault secret backup

Backs up the specified secret.

Requests that a backup of the specified secret be downloaded to the client. All versions of the secret will be downloaded. This operation requires the secrets/backup permission.

az keyvault secret backup --file
                          [--id]
                          [--name]
                          [--vault-name]

Required Parameters

--file -f

File to receive the secret contents.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

Property Value
Parameter group: Id Arguments
--name -n

Name of the secret. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
--vault-name

Name of the Key Vault. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az keyvault secret delete

Deprecated

Warning! If you have soft-delete protection enabled on this key vault, this secret will be moved to the soft deleted state. You will not be able to create a secret with the same name within this key vault until the secret has been purged from the soft-deleted state. Please see the following documentation for additional guidance. https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview

Delete all versions of a secret.

Requires secrets/delete permission. When this method returns, Key Vault has begun deleting the secret. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete.

az keyvault secret delete [--id]
                          [--name]
                          [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

Property Value
Parameter group: Id Arguments
--name -n

Name of the secret. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
--vault-name

Name of the Key Vault. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az keyvault secret download

Download a secret from a KeyVault.

az keyvault secret download --file
                            [--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}]
                            [--id]
                            [--name]
                            [--overwrite]
                            [--vault-name]
                            [--version]

Required Parameters

--file -f

File to receive the secret contents.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--encoding -e

Encoding of the secret. By default, will look for the 'file-encoding' tag on the secret. Otherwise will assume 'utf-8'.

Property Value
Accepted values: ascii, base64, hex, utf-16be, utf-16le, utf-8
--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

Property Value
Parameter group: Id Arguments
--name -n

Name of the secret. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
--overwrite

Overwrite the file if it exists.

Property Value
Default value: False
--vault-name

Name of the Key Vault. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
--version -v

The secret version. If omitted, uses the latest version.

Property Value
Parameter group: Id Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az keyvault secret list

List secrets in a specified key vault.

The Get Secrets operation is applicable to the entire vault. However, only the base secret identifier and its attributes are provided in the response. Individual secret versions are not listed in the response. This operation requires the secrets/list permission.

az keyvault secret list [--id]
                        [--include-managed {false, true}]
                        [--maxresults]
                        [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--id

Full URI of the Vault. If specified all other 'Id' arguments should be omitted.

Property Value
Parameter group: Id Arguments
--include-managed

Include managed secrets. Default: false.

Property Value
Default value: False
Accepted values: false, true
--maxresults

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

--vault-name

Name of the Key Vault. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az keyvault secret list-deleted

Lists deleted secrets for the specified vault.

The Get Deleted Secrets operation returns the secrets that have been deleted for a vault enabled for soft-delete. This operation requires the secrets/list permission.

az keyvault secret list-deleted [--id]
                                [--maxresults]
                                [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--id

Full URI of the Vault. If specified all other 'Id' arguments should be omitted.

Property Value
Parameter group: Id Arguments
--maxresults

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

--vault-name

Name of the Key Vault. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az keyvault secret list-versions

List all versions of the specified secret.

The full secret identifier and attributes are provided in the response. No values are returned for the secrets. This operation requires the secrets/list permission.

az keyvault secret list-versions [--id]
                                 [--maxresults]
                                 [--name]
                                 [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

Property Value
Parameter group: Id Arguments
--maxresults

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

--name -n

Name of the secret. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
--vault-name

Name of the Key Vault. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az keyvault secret purge

Permanently deletes the specified secret.

The purge deleted secret operation removes the secret permanently, without the possibility of recovery. This operation can only be enabled on a soft-delete enabled vault. This operation requires the secrets/purge permission.

az keyvault secret purge [--id]
                         [--name]
                         [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--id

The recovery id of the secret. If specified all other 'Id' arguments should be omitted.

Property Value
Parameter group: Id Arguments
--name -n

Name of the secret. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
--vault-name

Name of the Vault. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az keyvault secret recover

Recovers the deleted secret to the latest version.

Recovers the deleted secret in the specified vault. This operation can only be performed on a soft-delete enabled vault. This operation requires the secrets/recover permission.

az keyvault secret recover [--id]
                           [--name]
                           [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--id

The recovery id of the secret. If specified all other 'Id' arguments should be omitted.

Property Value
Parameter group: Id Arguments
--name -n

Name of the secret. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
--vault-name

Name of the Vault. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az keyvault secret restore

Restores a backed up secret to a vault.

Restores a backed up secret, and all its versions, to a vault. This operation requires the secrets/restore permission.

az keyvault secret restore --file
                           --vault-name

Required Parameters

--file -f

Backup file to restore the secret from, as written by az keyvault secret backup.

--vault-name

Name of the Vault.

Property Value
Parameter group: Id Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az keyvault secret set

Create a secret (if one doesn't exist) or update a secret in a KeyVault.

az keyvault secret set --name
                       --vault-name
                       [--content-type --description]
                       [--disabled {false, true}]
                       [--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}]
                       [--expires]
                       [--file]
                       [--not-before]
                       [--tags]
                       [--value]

Examples

Create a secret (if one doesn't exist) or update a secret in a KeyVault.

az keyvault secret set --name MySecretName --vault-name MyKeyVault --value MyVault

Create a secret (if one doesn't exist) or update a secret in a KeyVault through a file.

az keyvault secret set --name MySecretName --vault-name MyKeyVault --file /path/to/file --encoding MyEncoding

Required Parameters

--name -n

Name of the secret.

Property Value
Parameter group: Id Arguments
--vault-name

Name of the Vault.

Property Value
Parameter group: Id Arguments

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--content-type --description

Description of the secret contents (e.g. password, connection string, etc).

--disabled

Create secret in disabled state.

Property Value
Accepted values: false, true
--encoding -e

Source file encoding. The value is saved as a tag (file-encoding=<val>) and used during download to automatically encode the resulting file.

Property Value
Parameter group: Content Source Arguments
Default value: utf-8
Accepted values: ascii, base64, hex, utf-16be, utf-16le, utf-8
--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--file -f

Source file for secret. Use in conjunction with '--encoding'.

Property Value
Parameter group: Content Source Arguments
--not-before

Secret not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--value

Plain text secret value. Cannot be used with '--file' or '--encoding'.

Property Value
Parameter group: Content Source Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False
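
The soft-delete warning under az keyvault secret delete and the --value, --file, --expires and --output parameters of az keyvault secret set, combined in an added shell example that is not part of the Azure CLI reference. The function names are hypothetical, and the example assumes that list-deleted output exposes a recoveryId ending in /deletedsecrets/NAME and that mktemp is available.

```shell
#!/bin/sh
# Added example, not from the Azure CLI documentation. Function names are
# hypothetical; vault and secret names are supplied by the caller.

# kv_name_soft_deleted VAULT NAME
# 0: NAME is in the soft-deleted state (a new secret with that name is refused
#    until it is recovered or purged); 1: it is not; 2: the listing failed.
# Uses list-deleted (secrets/list permission), which returns no secret values.
kv_name_soft_deleted() {
    vault=$1 name=$2
    # stdin is redirected so the secret value piped to the caller is untouched
    ids=$(az keyvault secret list-deleted --vault-name "$vault" \
            --query '[].recoveryId' --output tsv </dev/null) || return 2
    for rid in $ids; do
        case $rid in
            */deletedsecrets/"$name") return 0 ;;
        esac
    done
    return 1
}

# kv_set_from_stdin VAULT NAME EXPIRES
# Reads the value from stdin so it never appears in argv (--value would put it
# in shell history and process listings), stages it in a temp file for --file,
# and uses --output none so the CLI does not print the stored value back.
kv_set_from_stdin() {
    vault=$1 name=$2 expires=$3
    # Timestamp shape documented for --expires: Y-m-d'T'H:M:S'Z' (UTC).
    case $expires in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;;
        *) echo "expires must look like 2030-01-31T00:00:00Z" >&2; return 2 ;;
    esac
    state=0
    kv_name_soft_deleted "$vault" "$name" || state=$?
    case $state in
        0) echo "$name is soft-deleted in $vault: recover or purge it first" >&2
           return 3 ;;
        2) echo "could not list deleted secrets in $vault" >&2
           return 4 ;;
    esac
    tmp=$(mktemp) || return 1      # mktemp creates the file with mode 0600
    cat > "$tmp"                   # bytes are stored exactly as received
    rc=0
    az keyvault secret set --vault-name "$vault" --name "$name" \
        --file "$tmp" --encoding utf-8 --expires "$expires" --output none || rc=$?
    rm -f "$tmp"                   # remove the staged value on success or failure
    return $rc
}
```

Feed the value with something like `printf '%s' "$VALUE" | kv_set_from_stdin MyKeyVault MySecretName 2030-01-31T00:00:00Z`, since printf is a shell builtin and a trailing newline would otherwise be stored as part of the secret.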

az keyvault secret set-attributes

Updates the attributes associated with a specified secret in a given key vault.

The UPDATE operation changes specified attributes of an existing stored secret. Attributes that are not specified in the request are left unchanged. The value of a secret itself cannot be changed. This operation requires the secrets/set permission.

az keyvault secret set-attributes [--content-type]
                                  [--enabled {false, true}]
                                  [--expires]
                                  [--id]
                                  [--name]
                                  [--not-before]
                                  [--tags]
                                  [--vault-name]
                                  [--version]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--content-type

Type of the secret value such as a password.

--enabled

Enable the secret.

Property Value
Accepted values: false, true
--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

Property Value
Parameter group: Id Arguments
--name -n

Name of the secret. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
--not-before

Secret not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--vault-name

Name of the Key Vault. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
--version -v

The secret version. If omitted, uses the latest version.

Property Value
Parameter group: Id Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az keyvault secret show

Get a specified secret from a given key vault.

The GET operation is applicable to any secret stored in Azure Key Vault. This operation requires the secrets/get permission.

az keyvault secret show [--id]
                        [--name]
                        [--vault-name]
                        [--version]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

Property Value
Parameter group: Id Arguments
--name -n

Name of the secret. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
--vault-name

Name of the Key Vault. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
--version -v

The secret version. If omitted, uses the latest version.

Property Value
Parameter group: Id Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az keyvault secret show-deleted

Gets the specified deleted secret.

The Get Deleted Secret operation returns the specified deleted secret along with its attributes. This operation requires the secrets/get permission.

az keyvault secret show-deleted [--id]
                                [--name]
                                [--vault-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--id

The recovery id of the secret. If specified all other 'Id' arguments should be omitted.

Property Value
Parameter group: Id Arguments
--name -n

Name of the secret. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
--vault-name

Name of the Vault. Required if --id is not specified.

Property Value
Parameter group: Id Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False