az keyvault secret
Manage secrets.
Name | Description | Type | Status |
---|---|---|---|
az keyvault secret backup | Backs up the specified secret. | Core | GA |
az keyvault secret delete | Delete all versions of a secret. | Core | Deprecated |
az keyvault secret download | Download a secret from a KeyVault. | Core | GA |
az keyvault secret list | List secrets in a specified key vault. | Core | GA |
az keyvault secret list-deleted | Lists deleted secrets for the specified vault. | Core | GA |
az keyvault secret list-versions | List all versions of the specified secret. | Core | GA |
az keyvault secret purge | Permanently deletes the specified secret. | Core | GA |
az keyvault secret recover | Recovers the deleted secret to the latest version. | Core | GA |
az keyvault secret restore | Restores a backed up secret to a vault. | Core | GA |
az keyvault secret set | Create a secret (if one doesn't exist) or update a secret in a KeyVault. | Core | GA |
az keyvault secret set-attributes | Updates the attributes associated with a specified secret in a given key vault. | Core | GA |
az keyvault secret show | Get a specified secret from a given key vault. | Core | GA |
az keyvault secret show-deleted | Gets the specified deleted secret. | Core | GA |
Backs up the specified secret.
Requests that a backup of the specified secret be downloaded to the client. All versions of the secret will be downloaded. This operation requires the secrets/backup permission.
az keyvault secret backup --file [--id] [--name] [--vault-name]
--file: File to receive the secret contents.
--id: Id of the secret. If specified all other 'Id' arguments should be omitted.
--name: Name of the secret. Required if --id is not specified.
--vault-name: Name of the Key Vault. Required if --id is not specified.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
Warning! If you have soft-delete protection enabled on this key vault, this secret will be moved to the soft deleted state. You will not be able to create a secret with the same name within this key vault until the secret has been purged from the soft-deleted state. Please see the following documentation for additional guidance. https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview
Delete all versions of a secret.
Requires secrets/delete permission. When this method returns Key Vault has begun deleting the secret. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete.
az keyvault secret delete [--id] [--name] [--vault-name]
--id: Id of the secret. If specified all other 'Id' arguments should be omitted.
--name: Name of the secret. Required if --id is not specified.
--vault-name: Name of the Key Vault. Required if --id is not specified.
Download a secret from a KeyVault.
az keyvault secret download --file [--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}] [--id] [--name] [--vault-name] [--version]
--file: File to receive the secret contents.
--encoding: Encoding of the secret. By default, will look for the 'file-encoding' tag on the secret. Otherwise will assume 'utf-8'.
--id: Id of the secret. If specified all other 'Id' arguments should be omitted.
--name: Name of the secret. Required if --id is not specified.
--vault-name: Name of the Key Vault. Required if --id is not specified.
--version: The secret version. If omitted, uses the latest version.
List secrets in a specified key vault.
The Get Secrets operation is applicable to the entire vault. However, only the base secret identifier and its attributes are provided in the response. Individual secret versions are not listed in the response. This operation requires the secrets/list permission.
az keyvault secret list [--id] [--include-managed {false, true}] [--maxresults] [--vault-name]
--id: Full URI of the Vault. If specified all other 'Id' arguments should be omitted.
--include-managed: Include managed secrets. Default: false.
--maxresults: Maximum number of results to return in a page. If not specified, the service will return up to 25 results.
--vault-name: Name of the Key Vault. Required if --id is not specified.
Lists deleted secrets for the specified vault.
The Get Deleted Secrets operation returns the secrets that have been deleted for a vault enabled for soft-delete. This operation requires the secrets/list permission.
az keyvault secret list-deleted [--id] [--maxresults] [--vault-name]
--id: Full URI of the Vault. If specified all other 'Id' arguments should be omitted.
--maxresults: Maximum number of results to return in a page. If not specified, the service will return up to 25 results.
--vault-name: Name of the Key Vault. Required if --id is not specified.
List all versions of the specified secret.
The full secret identifier and attributes are provided in the response. No values are returned for the secrets. This operation requires the secrets/list permission.
az keyvault secret list-versions [--id] [--maxresults] [--name] [--vault-name]
--id: Id of the secret. If specified all other 'Id' arguments should be omitted.
--maxresults: Maximum number of results to return in a page. If not specified, the service will return up to 25 results.
--name: Name of the secret. Required if --id is not specified.
--vault-name: Name of the Key Vault. Required if --id is not specified.
Permanently deletes the specified secret.
The purge deleted secret operation removes the secret permanently, without the possibility of recovery. This operation can only be enabled on a soft-delete enabled vault. This operation requires the secrets/purge permission.
az keyvault secret purge [--id] [--name] [--vault-name]
--id: The recovery id of the secret. If specified all other 'Id' arguments should be omitted.
--name: Name of the secret. Required if --id is not specified.
--vault-name: Name of the Vault. Required if --id is not specified.
Recovers the deleted secret to the latest version.
Recovers the deleted secret in the specified vault. This operation can only be performed on a soft-delete enabled vault. This operation requires the secrets/recover permission.
az keyvault secret recover [--id] [--name] [--vault-name]
--id: The recovery id of the secret. If specified all other 'Id' arguments should be omitted.
--name: Name of the secret. Required if --id is not specified.
--vault-name: Name of the Vault. Required if --id is not specified.
Restores a backed up secret to a vault.
Restores a backed up secret, and all its versions, to a vault. This operation requires the secrets/restore permission.
az keyvault secret restore --file --vault-name
--file: File to receive the secret contents.
--vault-name: Name of the Vault.
Create a secret (if one doesn't exist) or update a secret in a KeyVault.
az keyvault secret set --name --vault-name [--content-type] [--disabled {false, true}] [--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}] [--expires] [--file] [--not-before] [--tags] [--value]
Create a secret (if one doesn't exist) or update a secret in a KeyVault.
az keyvault secret set --name MySecretName --vault-name MyKeyVault --value MyVault
Create a secret (if one doesn't exist) or update a secret in a KeyVault through a file.
az keyvault secret set --name MySecretName --vault-name MyKeyVault --file /path/to/file --encoding MyEncoding
--name: Name of the secret.
--vault-name: Name of the Vault.
--content-type: Description of the secret contents (e.g. password, connection string, etc).
--disabled: Create secret in disabled state.
--encoding: Source file encoding. The value is saved as a tag (file-encoding=<val>) and used during download to automatically encode the resulting file.
--expires: Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
--file: Source file for secret. Use in conjunction with '--encoding'.
--not-before: Secret not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
--tags: Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
--value: Plain text secret value. Cannot be used with '--file' or '--encoding'.
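Added example, not part of the Azure CLI reference: a wrapper that stores a secret read from stdin through --file instead of --value, so the value never appears in the process argument list or shell history, and sets --expires in the UTC format described above. The function names kv_expiry_in_days and kv_set_from_stdin are hypothetical, and the vault and secret names in the usage comment are the placeholders from the examples above.

```bash
#!/usr/bin/env bash
# Added example: helper names are hypothetical, not part of the Azure CLI.

# Print a UTC timestamp N days from now in the Y-m-d'T'H:M:S'Z' form
# that --expires and --not-before expect.
kv_expiry_in_days() {
  days="$1"
  # GNU date syntax first, BSD/macOS date syntax as the fallback.
  date -u -d "+${days} days" '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null ||
    date -u -v "+${days}d" '+%Y-%m-%dT%H:%M:%SZ'
}

# Read the secret value from stdin and store it with an expiry date.
# Usage: printf '%s' "$VALUE" | kv_set_from_stdin MyKeyVault MySecretName 90
# The body runs in a subshell so the EXIT trap always removes the temp file.
kv_set_from_stdin() (
  vault="$1"
  name="$2"
  days="$3"

  # mktemp creates the file with owner-only permissions (mode 0600).
  tmp="$(mktemp)" || exit 1
  trap 'rm -f "$tmp"' EXIT

  # The value goes stdin -> file, never onto a command line.
  cat > "$tmp"

  # --query id limits the output to the new version's identifier, so the
  # stored value is not echoed back to the terminal or into CI logs.
  az keyvault secret set \
    --vault-name "$vault" \
    --name "$name" \
    --file "$tmp" \
    --encoding utf-8 \
    --expires "$(kv_expiry_in_days "$days")" \
    --query id \
    --output tsv
)
```

Feed the value with printf '%s' rather than echo so that no trailing newline ends up in the file passed to --file.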
Updates the attributes associated with a specified secret in a given key vault.
The UPDATE operation changes specified attributes of an existing stored secret. Attributes that are not specified in the request are left unchanged. The value of a secret itself cannot be changed. This operation requires the secrets/set permission.
az keyvault secret set-attributes [--content-type] [--enabled {false, true}] [--expires] [--id] [--name] [--not-before] [--tags] [--vault-name] [--version]
--content-type: Type of the secret value such as a password.
--enabled: Enable the secret.
--expires: Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
--id: Id of the secret. If specified all other 'Id' arguments should be omitted.
--name: Name of the secret. Required if --id is not specified.
--not-before: Secret not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
--tags: Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
--vault-name: Name of the Key Vault. Required if --id is not specified.
--version: The secret version. If omitted, uses the latest version.
Get a specified secret from a given key vault.
The GET operation is applicable to any secret stored in Azure Key Vault. This operation requires the secrets/get permission.
az keyvault secret show [--id] [--name] [--vault-name] [--version]
--id: Id of the secret. If specified all other 'Id' arguments should be omitted.
--name: Name of the secret. Required if --id is not specified.
--vault-name: Name of the Key Vault. Required if --id is not specified.
--version: The secret version. If omitted, uses the latest version.
Gets the specified deleted secret.
The Get Deleted Secret operation returns the specified deleted secret along with its attributes. This operation requires the secrets/get permission.
az keyvault secret show-deleted [--id] [--name] [--vault-name]
--id: The recovery id of the secret. If specified all other 'Id' arguments should be omitted.
--name: Name of the secret. Required if --id is not specified.
--vault-name: Name of the Vault. Required if --id is not specified.