az keyvault secret
Manage secrets.
Commands
| Name | Description | Type | Status |
|---|---|---|---|
| az keyvault secret backup |
Backs up the specified secret. |
Core | GA |
| az keyvault secret delete |
Delete all versions of a secret. |
Core | Deprecated |
| az keyvault secret download |
Download a secret from a KeyVault. |
Core | GA |
| az keyvault secret list |
List secrets in a specified key vault. |
Core | GA |
| az keyvault secret list-deleted |
Lists deleted secrets for the specified vault. |
Core | GA |
| az keyvault secret list-versions |
List all versions of the specified secret. |
Core | GA |
| az keyvault secret purge |
Permanently deletes the specified secret. |
Core | GA |
| az keyvault secret recover |
Recovers the deleted secret to the latest version. |
Core | GA |
| az keyvault secret restore |
Restores a backed up secret to a vault. |
Core | GA |
| az keyvault secret set |
Create a secret (if one doesn't exist) or update a secret in a KeyVault. |
Core | GA |
| az keyvault secret set-attributes |
Updates the attributes associated with a specified secret in a given key vault. |
Core | GA |
| az keyvault secret show |
Get a specified secret from a given key vault. |
Core | GA |
| az keyvault secret show-deleted |
Gets the specified deleted secret. |
Core | GA |
az keyvault secret backup
Backs up the specified secret.
Requests that a backup of the specified secret be downloaded to the client. All versions of the secret will be downloaded. This operation requires the secrets/backup permission.
az keyvault secret backup --file
[--id]
[--name]
[--vault-name]Required Parameters
File to receive the secret contents.
Optional Parameters
Id of the secret. If specified all other 'Id' arguments should be omitted.
Name of the secret. Required if --id is not specified.
Name of the Key Vault. Required if --id is not specified.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault secret delete
Warning! If you have soft-delete protection enabled on this key vault, this secret will be moved to the soft deleted state. You will not be able to create a secret with the same name within this key vault until the secret has been purged from the soft-deleted state. Please see the following documentation for additional guidance. https://docs.microsoft.com/azure/key-vault/general/soft-delete-overview
Delete all versions of a secret.
Requires secrets/delete permission. When this method returns Key Vault has begun deleting the secret. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete.
az keyvault secret delete [--id]
[--name]
[--vault-name]Optional Parameters
Id of the secret. If specified all other 'Id' arguments should be omitted.
Name of the secret. Required if --id is not specified.
Name of the Key Vault. Required if --id is not specified.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault secret download
Download a secret from a KeyVault.
az keyvault secret download --file
[--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}]
[--id]
[--name]
[--vault-name]
[--version]Required Parameters
File to receive the secret contents.
Optional Parameters
Encoding of the secret. By default, will look for the 'file-encoding' tag on the secret. Otherwise will assume 'utf-8'.
Id of the secret. If specified all other 'Id' arguments should be omitted.
Name of the secret. Required if --id is not specified.
Name of the Key Vault. Required if --id is not specified.
The secret version. If omitted, uses the latest version.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault secret list
List secrets in a specified key vault.
The Get Secrets operation is applicable to the entire vault. However, only the base secret identifier and its attributes are provided in the response. Individual secret versions are not listed in the response. This operation requires the secrets/list permission.
az keyvault secret list [--id]
[--include-managed {false, true}]
[--maxresults]
[--vault-name]Optional Parameters
Full URI of the Vault. If specified all other 'Id' arguments should be omitted.
Include managed secrets. Default: false.
Maximum number of results to return in a page. If not specified, the service will return up to 25 results.
Name of the Key Vault. Required if --id is not specified.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault secret list-deleted
Lists deleted secrets for the specified vault.
The Get Deleted Secrets operation returns the secrets that have been deleted for a vault enabled for soft-delete. This operation requires the secrets/list permission.
az keyvault secret list-deleted [--id]
[--maxresults]
[--vault-name]Optional Parameters
Full URI of the Vault. If specified all other 'Id' arguments should be omitted.
Maximum number of results to return in a page. If not specified, the service will return up to 25 results.
Name of the Key Vault. Required if --id is not specified.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault secret list-versions
List all versions of the specified secret.
The full secret identifier and attributes are provided in the response. No values are returned for the secrets. This operations requires the secrets/list permission.
az keyvault secret list-versions [--id]
[--maxresults]
[--name]
[--vault-name]Optional Parameters
Id of the secret. If specified all other 'Id' arguments should be omitted.
Maximum number of results to return in a page. If not specified, the service will return up to 25 results.
Name of the secret. Required if --id is not specified.
Name of the Key Vault. Required if --id is not specified.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault secret purge
Permanently deletes the specified secret.
The purge deleted secret operation removes the secret permanently, without the possibility of recovery. This operation can only be enabled on a soft-delete enabled vault. This operation requires the secrets/purge permission.
az keyvault secret purge [--id]
[--name]
[--vault-name]Optional Parameters
The recovery id of the secret. If specified all other 'Id' arguments should be omitted.
Name of the secret. Required if --id is not specified.
Name of the Vault. Required if --id is not specified.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault secret recover
Recovers the deleted secret to the latest version.
Recovers the deleted secret in the specified vault. This operation can only be performed on a soft-delete enabled vault. This operation requires the secrets/recover permission.
az keyvault secret recover [--id]
[--name]
[--vault-name]Optional Parameters
The recovery id of the secret. If specified all other 'Id' arguments should be omitted.
Name of the secret. Required if --id is not specified.
Name of the Vault. Required if --id is not specified.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault secret restore
Restores a backed up secret to a vault.
Restores a backed up secret, and all its versions, to a vault. This operation requires the secrets/restore permission.
az keyvault secret restore --file
--vault-nameRequired Parameters
File to receive the secret contents.
Name of the Vault.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault secret set
Create a secret (if one doesn't exist) or update a secret in a KeyVault.
az keyvault secret set --name
--vault-name
[--content-type]
[--disabled {false, true}]
[--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}]
[--expires]
[--file]
[--not-before]
[--tags]
[--value]Examples
Create a secret (if one doesn't exist) or update a secret in a KeyVault.
az keyvault secret set --name MySecretName --vault-name MyKeyVault --value MyVaultCreate a secret (if one doesn't exist) or update a secret in a KeyVault through a file.
az keyvault secret set --name MySecretName --vault-name MyKeyVault --file /path/to/file --encoding MyEncodingRequired Parameters
Name of the secret.
Name of the Vault.
Optional Parameters
Description of the secret contents (e.g. password, connection string, etc).
Create secret in disabled state.
Source file encoding. The value is saved as a tag (file-encoding=<val>) and used during download to automatically encode the resulting file.
Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
Source file for secret. Use in conjunction with '--encoding'.
Secret not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
Plain text secret value. Cannot be used with '--file' or '--encoding'.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault secret set-attributes
Updates the attributes associated with a specified secret in a given key vault.
The UPDATE operation changes specified attributes of an existing stored secret. Attributes that are not specified in the request are left unchanged. The value of a secret itself cannot be changed. This operation requires the secrets/set permission.
az keyvault secret set-attributes [--content-type]
[--enabled {false, true}]
[--expires]
[--id]
[--name]
[--not-before]
[--tags]
[--vault-name]
[--version]Optional Parameters
Type of the secret value such as a password.
Enable the secret.
Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
Id of the secret. If specified all other 'Id' arguments should be omitted.
Name of the secret. Required if --id is not specified.
Secret not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
Name of the Key Vault. Required if --id is not specified.
The secret version. If omitted, uses the latest version.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault secret show
Get a specified secret from a given key vault.
The GET operation is applicable to any secret stored in Azure Key Vault. This operation requires the secrets/get permission.
az keyvault secret show [--id]
[--name]
[--vault-name]
[--version]Optional Parameters
Id of the secret. If specified all other 'Id' arguments should be omitted.
Name of the secret. Required if --id is not specified.
Name of the Key Vault. Required if --id is not specified.
The secret version. If omitted, uses the latest version.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az keyvault secret show-deleted
Gets the specified deleted secret.
The Get Deleted Secret operation returns the specified deleted secret along with its attributes. This operation requires the secrets/get permission.
az keyvault secret show-deleted [--id]
[--name]
[--vault-name]Optional Parameters
The recovery id of the secret. If specified all other 'Id' arguments should be omitted.
Name of the secret. Required if --id is not specified.
Name of the Vault. Required if --id is not specified.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for