Quickstart: Set and retrieve a secret from Azure Key Vault using PowerShell

Azure Key Vault is a cloud service that works as a secure secrets store. You can securely store keys, passwords, certificates, and other secrets. For more information on Key Vault, you may review the Overview. In this quickstart, you use PowerShell to create a key vault. You then store a secret in the newly created vault.

If you don't have an Azure subscription, create a free account before you begin.

Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article, without having to install anything on your local environment.

To start Azure Cloud Shell:

Option Example/Link
Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell. Screenshot that shows an example of Try It for Azure Cloud Shell.
Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser. Button to launch Azure Cloud Shell.
Select the Cloud Shell button on the menu bar at the upper right in the Azure portal. Screenshot that shows the Cloud Shell button in the Azure portal

To use Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block (or command block) to copy the code or command.

  3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or by selecting Cmd+Shift+V on macOS.

  4. Select Enter to run the code or command.

If you choose to install and use PowerShell locally, this tutorial requires Azure PowerShell module version 5.0.0 or later. Type Get-Module az -ListAvailable to find the version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.


Create a resource group

A resource group is a logical container into which Azure resources are deployed and managed. Use the Azure PowerShell New-AzResourceGroup cmdlet to create a resource group named myResourceGroup in the eastus location.

New-AzResourceGroup -Name "myResourceGroup" -Location "EastUS"

Create a key vault

Use the Azure PowerShell New-AzKeyVault cmdlet to create a Key Vault in the resource group from the previous step. You need to provide some information:

  • Key vault name: A string of 3 to 24 characters that can contain only numbers (0-9), letters (a-z, A-Z), and hyphens (-)


    Each key vault must have a unique name. Replace <your-unique-keyvault-name> with the name of your key vault in the following examples.

  • Resource group name: myResourceGroup.

  • The location: EastUS.

New-AzKeyVault -Name "<your-unique-keyvault-name>" -ResourceGroupName "myResourceGroup" -Location "EastUS"

The output of this cmdlet shows properties of the newly created key vault. Take note of these two properties:

  • Vault Name: The name you provided to the -Name parameter.
  • Vault URI: In the example, this URI is https://<your-unique-keyvault-name>.vault.azure.net/. Applications that use your vault through its REST API must use this URI.

At this point, your Azure account is the only one authorized to perform any operations on this new vault.

Give your user account permissions to manage secrets in Key Vault

To grant your application permissions to your key vault through Role-Based Access Control (RBAC), assign a role using the Azure PowerShell cmdlet New-AzRoleAssignment.

New-AzRoleAssignment -RoleDefinitionName "Key Vault Secrets User" -SignInName "<your-email-address>" -Scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>"

Replace <your-email-address>, <subscription-id>, <resource-group-name> and <your-unique-keyvault-name> with your actual values. <your-email-address> is your sign-in name; you can instead use the -ObjectId parameter and a Microsoft Entra Object ID.

Adding a secret to Key Vault

To add a secret to the vault, you just need to take a couple of steps. In this case, you add a password that could be used by an application. The password is called ExamplePassword and stores the value of hVFkk965BuUv in it.

First convert the value of hVFkk965BuUv to a secure string by typing:

$secretvalue = ConvertTo-SecureString "hVFkk965BuUv" -AsPlainText -Force

Then, use the Azure PowerShell Set-AzKeyVaultSecret cmdlet to create a secret in Key Vault called ExamplePassword with the value hVFkk965BuUv :

$secret = Set-AzKeyVaultSecret -VaultName "<your-unique-keyvault-name>" -Name "ExamplePassword" -SecretValue $secretvalue

Retrieve a secret from Key Vault

To view the value contained in the secret as plain text, use the Azure PowerShell Get-AzKeyVaultSecret cmdlet:

$secret = Get-AzKeyVaultSecret -VaultName "<your-unique-keyvault-name>" -Name "ExamplePassword" -AsPlainText

Now, you have created a Key Vault, stored a secret, and retrieved it.

Clean up resources

Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue on to work with other quickstarts and tutorials, you may want to leave these resources in place.

When no longer needed, you can use the Remove-AzResourceGroup command to remove the resource group, Key Vault, and all related resources.

Remove-AzResourceGroup -Name myResourceGroup

Next steps

In this quickstart you created a Key Vault and stored a secret in it. To learn more about Key Vault and how to integrate it with your applications, continue on to the articles below.