Edit

Share via

Get-AzKeyVaultSecret

Module:
Az.KeyVault Module

Gets the secrets in a key vault.

Syntax

ByVaultName (Default) 

Get-AzKeyVaultSecret
    [-VaultName] <String>
    [[-Name] <String>]
    [-InRemovedState]
    [-AsPlainText]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

BySecretName 

Get-AzKeyVaultSecret
    [-VaultName] <String>
    [-Name] <String>
    [-Version] <String>
    [-AsPlainText]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

BySecretVersions 

Get-AzKeyVaultSecret
    [-VaultName] <String>
    [-Name] <String>
    [-IncludeVersions]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ByInputObjectVaultName 

Get-AzKeyVaultSecret
    [-InputObject] <PSKeyVault>
    [[-Name] <String>]
    [-InRemovedState]
    [-AsPlainText]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ByInputObjectSecretName 

Get-AzKeyVaultSecret
    [-InputObject] <PSKeyVault>
    [-Name] <String>
    [-Version] <String>
    [-AsPlainText]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ByInputObjectSecretVersions 

Get-AzKeyVaultSecret
    [-InputObject] <PSKeyVault>
    [-Name] <String>
    [-IncludeVersions]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

BySecretUri 

Get-AzKeyVaultSecret
    [-Id] <String>
    [-InRemovedState]
    [-AsPlainText]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ByParentResourceIdVaultName 

Get-AzKeyVaultSecret
    [-ParentResourceId] <String>
    [[-Name] <String>]
    [-InRemovedState]
    [-AsPlainText]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ByParentResourceIdSecretName 

Get-AzKeyVaultSecret
    [-ParentResourceId] <String>
    [-Name] <String>
    [-Version] <String>
    [-AsPlainText]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

ByParentResourceIdSecretVersions 

Get-AzKeyVaultSecret
    [-ParentResourceId] <String>
    [-Name] <String>
    [-IncludeVersions]
    [-DefaultProfile <IAzureContextContainer>]
    [<CommonParameters>]

Description

The Get-AzKeyVaultSecret cmdlet gets secrets in a key vault. This cmdlet gets a specific secret or all the secrets in a key vault.

Examples

Example 1: Get all current versions of all secrets in a key vault

Get-AzKeyVaultSecret -VaultName 'Contoso'

Vault Name   : contoso
Name         : secret1
Version      :
Id           : https://contoso.vault.azure.net:443/secrets/secret1
Enabled      : True
Expires      : 4/6/2018 3:59:43 PM
Not Before   :
Created      : 4/5/2018 11:46:28 PM
Updated      : 4/6/2018 11:30:17 PM
Content Type :
Tags         :

Vault Name   : contoso
Name         : secret2
Version      :
Id           : https://contoso.vault.azure.net:443/secrets/secret2
Enabled      : True
Expires      :
Not Before   :
Created      : 4/11/2018 11:45:06 PM
Updated      : 4/11/2018 11:45:06 PM
Content Type :
Tags         :

This command gets the current versions of all secrets in the key vault named Contoso.

Example 2: Get all versions of a specific secret

Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'secret1' -IncludeVersions

Vault Name   : contoso
Name         : secret1
Version      : 7128133570f84a71b48d7d0550deb74c
Id           : https://contoso.vault.azure.net:443/secrets/secret1/7128133570f84a71b48d7d0550deb74c
Enabled      : True
Expires      : 4/6/2018 3:59:43 PM
Not Before   :
Created      : 4/5/2018 11:46:28 PM
Updated      : 4/6/2018 11:30:17 PM
Content Type :
Tags         :

Vault Name   : contoso
Name         : secret1
Version      : 5d1a74ba2c454439886fb8509b6cab3c
Id           : https://contoso.vault.azure.net:443/secrets/secret1/5d1a74ba2c454439886fb8509b6cab3c
Enabled      : True
Expires      :
Not Before   :
Created      : 4/5/2018 11:44:50 PM
Updated      : 4/5/2018 11:44:50 PM
Content Type :
Tags         :

This command gets all versions of the secret named secret1 in the key vault named Contoso.

Example 3: Get the current version of a specific secret

Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'secret1'

Vault Name   : contoso
Name         : secret1
Version      : 7128133570f84a71b48d7d0550deb74c
Id           : https://contoso.vault.azure.net:443/secrets/secret1/7128133570f84a71b48d7d0550deb74c
Enabled      : True
Expires      : 4/6/2018 3:59:43 PM
Not Before   :
Created      : 4/5/2018 11:46:28 PM
Updated      : 4/6/2018 11:30:17 PM
Content Type :
Tags         :

This command gets the current version of the secret named secret1 in the key vault named Contoso.

Example 4: Get a specific version of a specific secret

Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'secret1' -Version '5d1a74ba2c454439886fb8509b6cab3c'

Vault Name   : contoso
Name         : secret1
Version      : 5d1a74ba2c454439886fb8509b6cab3c
Id           : https://contoso.vault.azure.net:443/secrets/secret1/5d1a74ba2c454439886fb8509b6cab3c
Enabled      : True
Expires      :
Not Before   :
Created      : 4/5/2018 11:44:50 PM
Updated      : 4/5/2018 11:44:50 PM
Content Type :
Tags         :

This command gets a specific version of the secret named secret1 in the key vault named Contoso.

Example 5: Get the current version of a specific secret using Uri

Get-AzKeyVaultSecret -Id 'https://contoso.vault.azure.net/secrets/secret1/'

Vault Name   : contoso
Name         : secret1
Version      : 7128133570f84a71b48d7d0550deb74c
Id           : https://contoso.vault.azure.net:443/secrets/secret1/7128133570f84a71b48d7d0550deb74c
Enabled      : True
Expires      : 4/6/2018 3:59:43 PM
Not Before   :
Created      : 4/5/2018 11:46:28 PM
Updated      : 4/6/2018 11:30:17 PM
Content Type :
Tags         :

This command gets the current version of the secret named secret1 in the key vault named Contoso.

Example 6: Get a specific version of a specific secret using Uri

Get-AzKeyVaultSecret -Id 'https://contoso.vault.azure.net/secrets/secret1/7128133570f84a71b48d7d0550deb74c'

Vault Name   : contoso
Name         : secret1
Version      : 7128133570f84a71b48d7d0550deb74c
Id           : https://contoso.vault.azure.net:443/secrets/secret1/7128133570f84a71b48d7d0550deb74c
Enabled      : True
Expires      : 4/6/2018 3:59:43 PM
Not Before   :
Created      : 4/5/2018 11:46:28 PM
Updated      : 4/6/2018 11:30:17 PM
Content Type :
Tags         :

This command gets a specific version of the secret named secret1 in the key vault named Contoso.

Example 7: Get the current version of all the secrets using Uri

Get-AzKeyVaultSecret -Id 'https://contoso.vault.azure.net/secrets/'

Vault Name   : contoso
Name         : secret1
Version      : 7128133570f84a71b48d7d0550deb74c
Id           : https://contoso.vault.azure.net:443/secrets/secret1/7128133570f84a71b48d7d0550deb74c
Enabled      : True
Expires      : 4/6/2018 3:59:43 PM
Not Before   :
Created      : 4/5/2018 11:46:28 PM
Updated      : 4/6/2018 11:30:17 PM
Content Type :
Tags         :

Vault Name   : contoso
Name         : secret2
Version      : 7128133570f84a71b48d7d0550deb74c
Id           : https://contoso.vault.azure.net:443/secrets/secret2/7128133570f84a71b48d7d0550deb74c
Enabled      : True
Expires      : 4/6/2018 3:59:43 PM
Not Before   :
Created      : 4/5/2018 11:46:28 PM
Updated      : 4/6/2018 11:30:17 PM
Content Type :
Tags         :

This command gets the current version of all the secrets in the key vault named Contoso.

Example 8: Get the plain text value of the current version of a specific secret

$secretText = Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret' -AsPlainText

The cmdlet returns the secret as a string when -AsPlainText is applied.

Note: When listing secrets, i.e. not providing -Name, the -AsPlainText is ignored.

Example 9: Get all the secrets that have been deleted but not purged for this key vault.

Get-AzKeyVaultSecret -VaultName 'Contoso' -InRemovedState

Vault Name           : contoso
Name                 : secret1
Id                   : https://contoso.vault.azure.net:443/secrets/secret1
Deleted Date         : 4/4/2018 8:51:58 PM
Scheduled Purge Date : 7/3/2018 8:51:58 PM
Enabled              : True
Expires              :
Not Before           :
Created              : 4/4/2018 8:51:03 PM
Updated              : 4/4/2018 8:51:03 PM
Content Type         :
Tags                 :

Vault Name           : contoso
Name                 : secret2
Id                   : https://contoso.vault.azure.net:443/secrets/secret2
Deleted Date         : 5/7/2018 7:56:34 PM
Scheduled Purge Date : 8/5/2018 7:56:34 PM
Enabled              : True
Expires              :
Not Before           :
Created              : 4/6/2018 8:39:15 PM
Updated              : 4/6/2018 10:11:24 PM
Content Type         :
Tags                 :

This command gets all the secrets that have been previously deleted, but not purged, in the key vault named Contoso.

Example 10: Gets the secret ITSecret that has been deleted but not purged for this key vault.

Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'secret1' -InRemovedState

Vault Name           : contoso
Name                 : secret1
Version              : 689d23346e9c42a2a64f4e3d75094dcc
Id                   : https://contoso.vault.azure.net:443/secrets/secret1/689d23346e9c42a2a64f4e3d75094dcc
Deleted Date         : 4/4/2018 8:51:58 PM
Scheduled Purge Date : 7/3/2018 8:51:58 PM
Enabled              : True
Expires              :
Not Before           :
Created              : 4/4/2018 8:51:03 PM
Updated              : 4/4/2018 8:51:03 PM
Content Type         :
Tags                 :

This command gets the secret 'secret1' that has been previously deleted, but not purged, in the key vault named Contoso. This command will return metadata such as the deletion date, and the scheduled purging date of this deleted secret.

Example 11: Get all current versions of all secrets in a key vault using filtering

Get-AzKeyVaultSecret -VaultName 'Contoso' -Name "secret*"

Vault Name   : contoso
Name         : secret1
Version      :
Id           : https://contoso.vault.azure.net:443/secrets/secret1
Enabled      : True
Expires      : 4/6/2018 3:59:43 PM
Not Before   :
Created      : 4/5/2018 11:46:28 PM
Updated      : 4/6/2018 11:30:17 PM
Content Type :
Tags         :

Vault Name   : contoso
Name         : secret2
Version      :
Id           : https://contoso.vault.azure.net:443/secrets/secret2
Enabled      : True
Expires      :
Not Before   :
Created      : 4/11/2018 11:45:06 PM
Updated      : 4/11/2018 11:45:06 PM
Content Type :
Tags         :

This command gets the current versions of all secrets in the key vault named Contoso that start with "secret".

Example 12: Get a secret in Azure Key Vault by command Get-Secret in module Microsoft.PowerShell.SecretManagement

# Install module Microsoft.PowerShell.SecretManagement
Install-Module Microsoft.PowerShell.SecretManagement -Repository PSGallery -AllowPrerelease
# Register vault for Secret Management
Register-SecretVault -Name AzKeyVault -ModuleName Az.KeyVault -VaultParameters @{ AZKVaultName = 'test-kv'; SubscriptionId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' }
# Set secret for vault AzKeyVault
$secure = ConvertTo-SecureString -String "****" -AsPlainText -Force
Set-Secret -Vault AzKeyVault -Name secureSecret -SecureStringSecret $secure
Get-Secret -Vault AzKeyVault -Name secureSecret -AsPlainText

Password

This example Gets a secret named secureSecret in Azure Key Vault named test-kv by command Get-Secret in module Microsoft.PowerShell.SecretManagement.

Parameters

-AsPlainText

When set, the cmdlet will convert secret in secure string to the decrypted plaintext string as output.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ByVaultName
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
BySecretName
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
ByInputObjectVaultName
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
ByInputObjectSecretName
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
BySecretUri
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
ByParentResourceIdVaultName
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
ByParentResourceIdSecretName
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Parameter properties

Type:IAzureContextContainer
Default value:None
Supports wildcards:False
DontShow:False
Aliases:AzContext, AzureRmContext, AzureCredential

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Id

The URI of the KeyVault Secret. Please ensure it follows the format: https://<vault-name>.vault.azure.net/secrets/<secret-name>/<version>

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:SecretId

Parameter sets

BySecretUri
Position:0
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-IncludeVersions

Indicates that this cmdlet gets all versions of a secret. The current version of a secret is the first one on the list. If you specify this parameter you must also specify the Name and VaultName parameters. If you do not specify the IncludeVersions parameter, this cmdlet gets the current version of the secret with the specified Name.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

BySecretVersions
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
ByInputObjectSecretVersions
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
ByParentResourceIdSecretVersions
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-InputObject

KeyVault Object.

Parameter properties

Type:PSKeyVault
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ByInputObjectVaultName
Position:0
Mandatory:True
Value from pipeline:True
Value from pipeline by property name:False
Value from remaining arguments:False
ByInputObjectSecretName
Position:0
Mandatory:True
Value from pipeline:True
Value from pipeline by property name:False
Value from remaining arguments:False
ByInputObjectSecretVersions
Position:0
Mandatory:True
Value from pipeline:True
Value from pipeline by property name:False
Value from remaining arguments:False

-InRemovedState

Specifies whether to show the previously deleted secrets in the output

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ByVaultName
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
ByInputObjectVaultName
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
BySecretUri
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
ByParentResourceIdVaultName
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Name

Specifies the name of the secret to get.

Parameter properties

Type:String
Default value:None
Supports wildcards:True
DontShow:False
Aliases:SecretName

Parameter sets

ByVaultName
Position:1
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
ByInputObjectVaultName
Position:1
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
ByParentResourceIdVaultName
Position:1
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ParentResourceId

KeyVault Resource Id.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:ResourceId

Parameter sets

ByParentResourceIdVaultName
Position:0
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ByParentResourceIdSecretName
Position:0
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False
ByParentResourceIdSecretVersions
Position:0
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-VaultName

Specifies the name of the key vault to which the secret belongs. This cmdlet constructs the fully qualified domain name (FQDN) of a key vault based on the name that this parameter specifies and your current environment.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ByVaultName
Position:0
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
BySecretName
Position:0
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
BySecretVersions
Position:0
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Version

Specifies the secret version. This cmdlet constructs the FQDN of a secret based on the key vault name, your currently selected environment, the secret name, and the secret version.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:SecretVersion

Parameter sets

BySecretName
Position:2
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
ByInputObjectSecretName
Position:2
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
ByParentResourceIdSecretName
Position:2
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

PSKeyVault

String

Outputs

PSKeyVaultSecretIdentityItem

PSKeyVaultSecret

PSDeletedKeyVaultSecretIdentityItem

PSDeletedKeyVaultSecret