Quickstart: Set and retrieve a key from Azure Key Vault using Azure CLI
In this quickstart, you create a key vault in Azure Key Vault with Azure CLI. Azure Key Vault is a cloud service that works as a secure secrets store. You can securely store keys, passwords, certificates, and other secrets. For more information on Key Vault you may review the Overview. Azure CLI is used to create and manage Azure resources using commands or scripts. Once that you have completed that, you will store a key.
You can use either the Azure Cloud Shell or a local Azure CLI.
Azure Cloud Shell with the Bash environment. Or launch the Cloud Shell here.
Local Azure CLI, see how to install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
When you first use Azure CLI, install the Azure CLI extension. For more information about extensions, see Use extensions with the Azure CLI.
- This quickstart requires version 2.0.4 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
Create a resource group
A resource group is a logical container into which Azure resources are deployed and managed. Use the az group create command to create a resource group named myResourceGroup in the eastus location.
az group create --name "myResourceGroup" --location "EastUS"
Create a key vault
Use the Azure CLI az keyvault create command to create a Key Vault in the resource group from the previous step. You will need to provide some information:
Key vault name: A string of 3 to 24 characters that can contain only numbers (0-9), letters (a-z, A-Z), and hyphens (-)
Each key vault must have a unique name. Replace <your-unique-keyvault-name> with the name of your key vault in the following examples.
Resource group name: myResourceGroup.
The location: EastUS.
az keyvault create --name "<your-unique-keyvault-name>" --resource-group "myResourceGroup" --location "EastUS"
The output of this command shows properties of the newly created key vault. Take note of the two properties listed below:
- Vault Name: The name you provided to the --name parameter above.
- Vault URI: In the example, this is https://<your-unique-keyvault-name>.vault.azure.net/. Applications that use your vault through its REST API must use this URI.
At this point, your Azure account is the only one authorized to perform any operations on this new vault.
Add a key to Key Vault
To add a key to the vault, you just need to take a couple of additional steps. This key could be used by an application.
Type the commands below to create a key called ExampleKey :
az keyvault key create --vault-name "<your-unique-keyvault-name>" -n ExampleKey --protection software
You can now reference this key that you added to Azure Key Vault by using its URI. Use
https://<your-unique-keyvault-name>.vault.azure.net/keys/ExampleKey to get the current version.
To view previously stored key:
az keyvault key show --name "ExampleKey" --vault-name "<your-unique-keyvault-name>"
Now, you have created a Key Vault, stored a key, and retrieved it.
Clean up resources
Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you may wish to leave these resources in place.
When no longer needed, you can use the Azure CLI az group delete command to remove the resource group and all related resources:
az group delete --name "myResourceGroup"
In this quickstart you created a Key Vault and stored a key in it. To learn more about Key Vault and how to integrate it with your applications, continue on to the articles below.
Submit and view feedback for