Set-AzKeyVaultSecret

Module:: Az.KeyVault Module

Creates or updates a secret in a key vault.

Syntax

Default (Default)

Set-AzKeyVaultSecret
    [-VaultName] <String>
    [-Name] <String>
    [-SecretValue] <SecureString>
    [-Disable]
    [-Expires <DateTime>]
    [-NotBefore <DateTime>]
    [-ContentType <String>]
    [-Tag <Hashtable>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

BySecretUri

Set-AzKeyVaultSecret
    [-Id] <String>
    [-SecretValue] <SecureString>
    [-Disable]
    [-Expires <DateTime>]
    [-NotBefore <DateTime>]
    [-ContentType <String>]
    [-Tag <Hashtable>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

InputObject

Set-AzKeyVaultSecret
    [-InputObject] <PSKeyVaultSecretIdentityItem>
    [-SecretValue] <SecureString>
    [-Disable]
    [-Expires <DateTime>]
    [-NotBefore <DateTime>]
    [-ContentType <String>]
    [-Tag <Hashtable>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Description

The Set-AzKeyVaultSecret cmdlet creates or updates a secret in a key vault in Azure Key Vault. If the secret does not exist, this cmdlet creates it. If the secret already exists, this cmdlet creates a new version of that secret.

Examples

Example 1: Modify the value of a secret using default attributes

$Secret = ConvertTo-SecureString -String "****" -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret' -SecretValue $Secret

Vault Name   : Contoso
Name         : ITSecret
Version      : 8b5c0cb0326e4350bd78200fac932b51
Id           : https://contoso.vault.azure.net:443/secrets/ITSecret/8b5c0cb0326e4350bd78200fac932b51
Enabled      : True
Expires      :
Not Before   :
Created      : 5/25/2018 6:39:30 PM
Updated      : 5/25/2018 6:39:30 PM
Content Type :
Tags         :

The first command converts a string into a secure string by using the ConvertTo-SecureString cmdlet, and then stores that string in the $Secret variable. For more information, type Get-Help ConvertTo-SecureString. The second command modifies value of the secret named ITSecret in the key vault named Contoso. The secret value becomes the value stored in $Secret.

Example 2: Modify the value of a secret using custom attributes

$Secret = ConvertTo-SecureString -String "****" -AsPlainText -Force
$Expires = (Get-Date).AddYears(2).ToUniversalTime()
$NBF =(Get-Date).ToUniversalTime()
$Tags = @{ 'Severity' = 'medium'; 'IT' = 'true'}
$ContentType = 'txt'
Set-AzKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret' -SecretValue $Secret -Expires $Expires -NotBefore $NBF -ContentType $ContentType -Disable -Tags $Tags

Vault Name   : Contoso
Name         : ITSecret
Version      : a2c150be3ea24dd6b8286986e6364851
Id           : https://contoso.vault.azure.net:443/secrets/ITSecret/a2c150be3ea24dd6b8286986e6364851
Enabled      : False
Expires      : 5/25/2020 6:40:00 PM
Not Before   : 5/25/2018 6:40:05 PM
Created      : 5/25/2018 6:41:22 PM
Updated      : 5/25/2018 6:41:22 PM
Content Type : txt
Tags         : Name      Value
               Severity  medium
               IT        true

The first command converts a string into a secure string by using the ConvertTo-SecureString cmdlet, and then stores that string in the $Secret variable. For more information, type Get-Help ConvertTo-SecureString. The next commands define custom attributes for the expiry date, tags, and context type, and store the attributes in variables. The final command modifies values of the secret named ITSecret in the key vault named Contoso, by using the values specified previously as variables.

Example 3: Modify the value of a secret using default attributes (using Uri)

$Secret = ConvertTo-SecureString -String "****" -AsPlainText -Force
Set-AzKeyVaultSecret -Id 'https://contoso.vault.azure.net/secrets/ITSecret' -SecretValue $Secret

Vault Name   : Contoso
Name         : ITSecret
Version      : 8b5c0cb0326e4350bd78200fac932b51
Id           : https://contoso.vault.azure.net:443/secrets/ITSecret/8b5c0cb0326e4350bd78200fac932b51
Enabled      : True
Expires      :
Not Before   :
Created      : 5/25/2018 6:39:30 PM
Updated      : 5/25/2018 6:39:30 PM
Content Type :
Tags         :

This command sets or updates the value of the secret named secret1 in the Key Vault named Contoso using the secret’s URI.

Example 4: Create a secret in azure key vault by command Set-Secret in module Microsoft.PowerShell.SecretManagement

# Install module Microsoft.PowerShell.SecretManagement
Install-Module Microsoft.PowerShell.SecretManagement -Repository PSGallery -AllowPrerelease
# Register vault for Secret Management
Register-SecretVault -Name AzKeyVault -ModuleName Az.KeyVault -VaultParameters @{ AZKVaultName = 'test-kv'; SubscriptionId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' }
# Set secret for vault AzKeyVault
$secure = ConvertTo-SecureString -String "****" -AsPlainText -Force
Set-Secret -Name secureSecret -SecureStringSecret $secure -Vault AzKeyVault

None

This example sets a secret named secureSecret in azure key vault test-kv by command Set-Secret in module Microsoft.PowerShell.SecretManagement.

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	cf

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-ContentType

Specifies the content type of a secret. To delete the existing content type, specify an empty string.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Parameter properties

Type:	IAzureContextContainer
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	AzContext, AzureRmContext, AzureCredential

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Disable

Indicates that this cmdlet disables a secret.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Expires

Specifies the expiration time, as a DateTime object, for the secret that this cmdlet updates. This parameter uses Coordinated Universal Time (UTC). To obtain a DateTime object, use the Get-Date cmdlet. For more information, type Get-Help Get-Date.

Parameter properties

Type:	DateTime
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Id

The URI of the KeyVault Secret. Please ensure it follows the format: https://<vault-name>.vault.azure.net/secrets/<secret-name>/<version>

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	SecretId

Parameter sets

BySecretUri

Position:	0
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-InputObject

Secret object

Parameter properties

Type:	PSKeyVaultSecretIdentityItem
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

InputObject

Position:	0
Mandatory:	True
Value from pipeline:	True
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Name

Specifies the name of a secret to modify. This cmdlet constructs the fully qualified domain name (FQDN) of a secret based on the name that this parameter specifies, the name of the key vault, and your current environment.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	SecretName

Parameter sets

Default

Position:	1
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-NotBefore

Specifies the time, as a DateTime object, before which the secret cannot be used. This parameter uses UTC. To obtain a DateTime object, use the Get-Date cmdlet.

Parameter properties

Type:	DateTime
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-SecretValue

Specifies the value for the secret as a SecureString object. To obtain a SecureString object, use the ConvertTo-SecureString cmdlet. For more information, type Get-Help ConvertTo-SecureString.

Parameter properties

Type:	SecureString
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

(All)

Position:	2
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-Tag

Key-value pairs in the form of a hash table. For example: @{key0="value0";key1=$null;key2="value2"}

Parameter properties

Type:	Hashtable
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	Tags

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-VaultName

Specifies the name of the key vault to which this secret belongs. This cmdlet constructs the FQDN of a key vault based on the name that this parameter specifies and your current environment.

Parameter properties

Type:	String
Default value:	None
Supports wildcards:	False
DontShow:	False

Parameter sets

Default

Position:	0
Mandatory:	True
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:	SwitchParameter
Default value:	None
Supports wildcards:	False
DontShow:	False
Aliases:	wi

Parameter sets

(All)

Position:	Named
Mandatory:	False
Value from pipeline:	False
Value from pipeline by property name:	False
Value from remaining arguments:	False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Share via

Set-AzKeyVaultSecret

Syntax

Default (Default)

BySecretUri

InputObject

Description

Examples

Example 1: Modify the value of a secret using default attributes

Example 2: Modify the value of a secret using custom attributes

Example 3: Modify the value of a secret using default attributes (using Uri)

Example 4: Create a secret in azure key vault by command Set-Secret in module Microsoft.PowerShell.SecretManagement

Parameters

-Confirm

Parameter properties

Parameter sets

-ContentType

Parameter properties

Parameter sets

-DefaultProfile

Parameter properties

Parameter sets

-Disable

Parameter properties

Parameter sets

-Expires

Parameter properties

Parameter sets

-Id

Parameter properties

Parameter sets

-InputObject

Parameter properties

Parameter sets

-Name

Parameter properties

Parameter sets

-NotBefore

Parameter properties

Parameter sets

-SecretValue

Parameter properties

Parameter sets

-Tag

Parameter properties

Parameter sets

-VaultName

Parameter properties

Parameter sets

-WhatIf

Parameter properties

Parameter sets

CommonParameters

Inputs

PSKeyVaultSecretIdentityItem

Outputs

PSKeyVaultSecret

Related Links

Feedback