Get-AzKeyVaultSecret

Module:

Az.KeyVault

Gets the secrets in a key vault.

Syntax

Get-AzKeyVaultSecret
   [-VaultName] <String>
   [[-Name] <String>]
   [-InRemovedState]
   [-AsPlainText]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Get-AzKeyVaultSecret
   [-VaultName] <String>
   [-Name] <String>
   [-Version] <String>
   [-AsPlainText]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Get-AzKeyVaultSecret
   [-VaultName] <String>
   [-Name] <String>
   [-IncludeVersions]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Get-AzKeyVaultSecret
   [-InputObject] <PSKeyVault>
   [[-Name] <String>]
   [-InRemovedState]
   [-AsPlainText]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Get-AzKeyVaultSecret
   [-InputObject] <PSKeyVault>
   [-Name] <String>
   [-Version] <String>
   [-AsPlainText]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Get-AzKeyVaultSecret
   [-InputObject] <PSKeyVault>
   [-Name] <String>
   [-IncludeVersions]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Get-AzKeyVaultSecret
   [-ResourceId] <String>
   [[-Name] <String>]
   [-InRemovedState]
   [-AsPlainText]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Get-AzKeyVaultSecret
   [-ResourceId] <String>
   [-Name] <String>
   [-Version] <String>
   [-AsPlainText]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Get-AzKeyVaultSecret
   [-ResourceId] <String>
   [-Name] <String>
   [-IncludeVersions]
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Description

The Get-AzKeyVaultSecret cmdlet gets secrets in a key vault. This cmdlet gets a specific secret or all the secrets in a key vault.

Examples

Example 1: Get all current versions of all secrets in a key vault

Get-AzKeyVaultSecret -VaultName 'Contoso'

Vault Name   : contoso
Name         : secret1
Version      :
Id           : https://contoso.vault.azure.net:443/secrets/secret1
Enabled      : True
Expires      : 4/6/2018 3:59:43 PM
Not Before   :
Created      : 4/5/2018 11:46:28 PM
Updated      : 4/6/2018 11:30:17 PM
Content Type :
Tags         :

Vault Name   : contoso
Name         : secret2
Version      :
Id           : https://contoso.vault.azure.net:443/secrets/secret2
Enabled      : True
Expires      :
Not Before   :
Created      : 4/11/2018 11:45:06 PM
Updated      : 4/11/2018 11:45:06 PM
Content Type :
Tags         :

This command gets the current versions of all secrets in the key vault named Contoso.

Example 2: Get all versions of a specific secret

Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'secret1' -IncludeVersions

Vault Name   : contoso
Name         : secret1
Version      : 7128133570f84a71b48d7d0550deb74c
Id           : https://contoso.vault.azure.net:443/secrets/secret1/7128133570f84a71b48d7d0550deb74c
Enabled      : True
Expires      : 4/6/2018 3:59:43 PM
Not Before   :
Created      : 4/5/2018 11:46:28 PM
Updated      : 4/6/2018 11:30:17 PM
Content Type :
Tags         :

Vault Name   : contoso
Name         : secret1
Version      : 5d1a74ba2c454439886fb8509b6cab3c
Id           : https://contoso.vault.azure.net:443/secrets/secret1/5d1a74ba2c454439886fb8509b6cab3c
Enabled      : True
Expires      :
Not Before   :
Created      : 4/5/2018 11:44:50 PM
Updated      : 4/5/2018 11:44:50 PM
Content Type :
Tags         :

This command gets all versions of the secret named secret1 in the key vault named Contoso.

Example 3: Get the current version of a specific secret

Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'secret1'

Vault Name   : contoso
Name         : secret1
Version      : 7128133570f84a71b48d7d0550deb74c
Id           : https://contoso.vault.azure.net:443/secrets/secret1/7128133570f84a71b48d7d0550deb74c
Enabled      : True
Expires      : 4/6/2018 3:59:43 PM
Not Before   :
Created      : 4/5/2018 11:46:28 PM
Updated      : 4/6/2018 11:30:17 PM
Content Type :
Tags         :

This command gets the current version of the secret named secret1 in the key vault named Contoso.

Example 4: Get a specific version of a specific secret

Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'secret1' -Version '5d1a74ba2c454439886fb8509b6cab3c'

Vault Name   : contoso
Name         : secret1
Version      : 5d1a74ba2c454439886fb8509b6cab3c
Id           : https://contoso.vault.azure.net:443/secrets/secret1/5d1a74ba2c454439886fb8509b6cab3c
Enabled      : True
Expires      :
Not Before   :
Created      : 4/5/2018 11:44:50 PM
Updated      : 4/5/2018 11:44:50 PM
Content Type :
Tags         :

This command gets a specific version of the secret named secret1 in the key vault named Contoso.

Example 5: Get the plain text value of the current version of a specific secret

$secretText = Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret' -AsPlainText

The cmdlet returns the secret as a string when -AsPlainText is applied.

Note: When listing secrets, i.e. not providing -Name, the -AsPlainText is ignored.

Example 6: Get all the secrets that have been deleted but not purged for this key vault.

Get-AzKeyVaultSecret -VaultName 'Contoso' -InRemovedState

Vault Name           : contoso
Name                 : secret1
Id                   : https://contoso.vault.azure.net:443/secrets/secret1
Deleted Date         : 4/4/2018 8:51:58 PM
Scheduled Purge Date : 7/3/2018 8:51:58 PM
Enabled              : True
Expires              :
Not Before           :
Created              : 4/4/2018 8:51:03 PM
Updated              : 4/4/2018 8:51:03 PM
Content Type         :
Tags                 :

Vault Name           : contoso
Name                 : secret2
Id                   : https://contoso.vault.azure.net:443/secrets/secret2
Deleted Date         : 5/7/2018 7:56:34 PM
Scheduled Purge Date : 8/5/2018 7:56:34 PM
Enabled              : True
Expires              :
Not Before           :
Created              : 4/6/2018 8:39:15 PM
Updated              : 4/6/2018 10:11:24 PM
Content Type         :
Tags                 :

This command gets all the secrets that have been previously deleted, but not purged, in the key vault named Contoso.

Example 7: Gets the secret ITSecret that has been deleted but not purged for this key vault.

Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'secret1' -InRemovedState

Vault Name           : contoso
Name                 : secret1
Version              : 689d23346e9c42a2a64f4e3d75094dcc
Id                   : https://contoso.vault.azure.net:443/secrets/secret1/689d23346e9c42a2a64f4e3d75094dcc
Deleted Date         : 4/4/2018 8:51:58 PM
Scheduled Purge Date : 7/3/2018 8:51:58 PM
Enabled              : True
Expires              :
Not Before           :
Created              : 4/4/2018 8:51:03 PM
Updated              : 4/4/2018 8:51:03 PM
Content Type         :
Tags                 :

This command gets the secret 'secret1' that has been previously deleted, but not purged, in the key vault named Contoso. This command will return metadata such as the deletion date, and the scheduled purging date of this deleted secret.

Example 8: Get all current versions of all secrets in a key vault using filtering

Get-AzKeyVaultSecret -VaultName 'Contoso' -Name "secret*"

Vault Name   : contoso
Name         : secret1
Version      :
Id           : https://contoso.vault.azure.net:443/secrets/secret1
Enabled      : True
Expires      : 4/6/2018 3:59:43 PM
Not Before   :
Created      : 4/5/2018 11:46:28 PM
Updated      : 4/6/2018 11:30:17 PM
Content Type :
Tags         :

Vault Name   : contoso
Name         : secret2
Version      :
Id           : https://contoso.vault.azure.net:443/secrets/secret2
Enabled      : True
Expires      :
Not Before   :
Created      : 4/11/2018 11:45:06 PM
Updated      : 4/11/2018 11:45:06 PM
Content Type :
Tags         :

This command gets the current versions of all secrets in the key vault named Contoso that start with "secret".

Example 9: Get a secret in Azure Key Vault by command Get-Secret in module Microsoft.PowerShell.SecretManagement

# Install module Microsoft.PowerShell.SecretManagement
Install-Module Microsoft.PowerShell.SecretManagement -Repository PSGallery -AllowPrerelease
# Register vault for Secret Management
Register-SecretVault -Name AzKeyVault -ModuleName Az.KeyVault -VaultParameters @{ AZKVaultName = 'test-kv'; SubscriptionId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' }
# Set secret for vault AzKeyVault
$secure = ConvertTo-SecureString -String "****" -AsPlainText -Force
Set-Secret -Vault AzKeyVault -Name secureSecret -SecureStringSecret $secure 
Get-Secret -Vault AzKeyVault -Name secureSecret -AsPlainText

Password

This example Gets a secret named secureSecret in Azure Key Vault named test-kv by command Get-Secret in module Microsoft.PowerShell.SecretManagement.

Parameters

-AsPlainText

When set, the cmdlet will convert secret in secure string to the decrypted plaintext string as output.

Type:	SwitchParameter
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Type:	IAzureContextContainer
Aliases:	AzContext, AzureRmContext, AzureCredential
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-IncludeVersions

Indicates that this cmdlet gets all versions of a secret. The current version of a secret is the first one on the list. If you specify this parameter you must also specify the Name and VaultName parameters. If you do not specify the IncludeVersions parameter, this cmdlet gets the current version of the secret with the specified Name.

Type:	SwitchParameter
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	False
Accept wildcard characters:	False

-InputObject

KeyVault Object.

Type:	PSKeyVault
Position:	0
Default value:	None
Required:	True
Accept pipeline input:	True
Accept wildcard characters:	False

-InRemovedState

Specifies whether to show the previously deleted secrets in the output

Type:	SwitchParameter
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-Name

Specifies the name of the secret to get.

Type:	String
Aliases:	SecretName
Position:	1
Default value:	None
Required:	True
Accept pipeline input:	False
Accept wildcard characters:	True

-ResourceId

KeyVault Resource Id.

Type:	String
Position:	0
Default value:	None
Required:	True
Accept pipeline input:	True
Accept wildcard characters:	False

-VaultName

Specifies the name of the key vault to which the secret belongs. This cmdlet constructs the fully qualified domain name (FQDN) of a key vault based on the name that this parameter specifies and your current environment.

Type:	String
Position:	0
Default value:	None
Required:	True
Accept pipeline input:	False
Accept wildcard characters:	False

-Version

Specifies the secret version. This cmdlet constructs the FQDN of a secret based on the key vault name, your currently selected environment, the secret name, and the secret version.

Type:	String
Aliases:	SecretVersion
Position:	2
Default value:	None
Required:	True
Accept pipeline input:	False
Accept wildcard characters:	False

Inputs

PSKeyVault

String

Outputs

PSKeyVaultSecretIdentityItem

PSKeyVaultSecret

PSDeletedKeyVaultSecretIdentityItem

PSDeletedKeyVaultSecret

Related Links

• Remove-AzKeyVaultSecret
• Undo-AzKeyVaultSecretRemoval
• Set-AzKeyVaultSecret