az keyvault secret

Manage secrets.

Commands

Name | Description | Type | Status
az keyvault secret backup | Backs up the specified secret. | Core | GA
az keyvault secret delete | Delete all versions of a secret. | Core | Deprecated
az keyvault secret download | Download a secret from a KeyVault. | Core | GA
az keyvault secret list | List secrets in a specified key vault. | Core | GA
az keyvault secret list-deleted | Lists deleted secrets for the specified vault. | Core | GA
az keyvault secret list-versions | List all versions of the specified secret. | Core | GA
az keyvault secret purge | Permanently deletes the specified secret. | Core | GA
az keyvault secret recover | Recovers the deleted secret to the latest version. | Core | GA
az keyvault secret restore | Restores a backed up secret to a vault. | Core | GA
az keyvault secret set | Create a secret (if one doesn't exist) or update a secret in a KeyVault. | Core | GA
az keyvault secret set-attributes | Updates the attributes associated with a specified secret in a given key vault. | Core | GA
az keyvault secret show | Get a specified secret from a given key vault. | Core | GA
az keyvault secret show-deleted | Gets the specified deleted secret. | Core | GA

az keyvault secret backup

Backs up the specified secret.

Requests that a backup of the specified secret be downloaded to the client. All versions of the secret will be downloaded. This operation requires the secrets/backup permission.

az keyvault secret backup --file
                          [--id]
                          [--name]
                          [--vault-name]

Required Parameters

--file -f

File to receive the secret contents.

Optional Parameters

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--vault-name

Name of the Key Vault. Required if --id is not specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault secret delete

Deprecated

Warning! If you have soft-delete protection enabled on this key vault, this secret will be moved to the soft deleted state. You will not be able to create a secret with the same name within this key vault until the secret has been purged from the soft-deleted state. Please see the following documentation for additional guidance. https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview

Delete all versions of a secret.

Requires secrets/delete permission. When this method returns, Key Vault has begun deleting the secret. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete.

az keyvault secret delete [--id]
                          [--name]
                          [--vault-name]

Optional Parameters

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--vault-name

Name of the Key Vault. Required if --id is not specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault secret download

Download a secret from a KeyVault.

az keyvault secret download --file
                            [--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}]
                            [--id]
                            [--name]
                            [--vault-name]
                            [--version]

Required Parameters

--file -f

File to receive the secret contents.

Optional Parameters

--encoding -e

Encoding of the secret. By default, will look for the 'file-encoding' tag on the secret. Otherwise will assume 'utf-8'.

Accepted values: ascii, base64, hex, utf-16be, utf-16le, utf-8
--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--vault-name

Name of the Key Vault. Required if --id is not specified.

--version -v

The secret version. If omitted, uses the latest version.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault secret list

List secrets in a specified key vault.

The Get Secrets operation is applicable to the entire vault. However, only the base secret identifier and its attributes are provided in the response. Individual secret versions are not listed in the response. This operation requires the secrets/list permission.

az keyvault secret list [--id]
                        [--include-managed {false, true}]
                        [--maxresults]
                        [--vault-name]

Optional Parameters

--id

Full URI of the Vault. If specified all other 'Id' arguments should be omitted.

--include-managed

Include managed secrets. Default: false.

Accepted values: false, true
Default value: False
--maxresults

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

--vault-name

Name of the Key Vault. Required if --id is not specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault secret list-deleted

Lists deleted secrets for the specified vault.

The Get Deleted Secrets operation returns the secrets that have been deleted for a vault enabled for soft-delete. This operation requires the secrets/list permission.

az keyvault secret list-deleted [--id]
                                [--maxresults]
                                [--vault-name]

Optional Parameters

--id

Full URI of the Vault. If specified all other 'Id' arguments should be omitted.

--maxresults

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

--vault-name

Name of the Key Vault. Required if --id is not specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault secret list-versions

List all versions of the specified secret.

The full secret identifier and attributes are provided in the response. No values are returned for the secrets. This operation requires the secrets/list permission.

az keyvault secret list-versions [--id]
                                 [--maxresults]
                                 [--name]
                                 [--vault-name]

Optional Parameters

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

--maxresults

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

--name -n

Name of the secret. Required if --id is not specified.

--vault-name

Name of the Key Vault. Required if --id is not specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault secret purge

Permanently deletes the specified secret.

The purge deleted secret operation removes the secret permanently, without the possibility of recovery. This operation can only be enabled on a soft-delete enabled vault. This operation requires the secrets/purge permission.

az keyvault secret purge [--id]
                         [--name]
                         [--vault-name]

Optional Parameters

--id

The recovery id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--vault-name

Name of the Vault. Required if --id is not specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault secret recover

Recovers the deleted secret to the latest version.

Recovers the deleted secret in the specified vault. This operation can only be performed on a soft-delete enabled vault. This operation requires the secrets/recover permission.

az keyvault secret recover [--id]
                           [--name]
                           [--vault-name]

Optional Parameters

--id

The recovery id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--vault-name

Name of the Vault. Required if --id is not specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.
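
The soft-delete warning under az keyvault secret delete and the recover operation above combine into one check before reusing a secret name. The following is an added example, not code from the Azure CLI documentation: kv_secret_state, kv_ensure_writable, KV_RECOVER_TRIES and KV_RECOVER_WAIT are hypothetical names, and the polling loop assumes recovery can lag the same way the page says deletion can.

```shell
# Added example, not from the Azure CLI docs. Function and variable names
# are hypothetical; only the az subcommands and flags come from this page.

# kv_secret_state VAULT NAME: prints active, soft-deleted or absent.
# A non-zero exit from az also covers permission and network errors, so
# "absent" means "not visible to this identity", not proof of non-existence.
kv_secret_state() {
  local vault="$1" name="$2"
  # --output none keeps the secret value that show returns off stdout.
  if az keyvault secret show --vault-name "$vault" --name "$name" \
       --output none --only-show-errors 2>/dev/null; then
    echo active
  elif az keyvault secret show-deleted --vault-name "$vault" --name "$name" \
       --output none --only-show-errors 2>/dev/null; then
    echo soft-deleted
  else
    echo absent
  fi
}

# kv_ensure_writable VAULT NAME: make NAME usable by `az keyvault secret set`.
# A soft-deleted name blocks creation until it is purged or recovered; this
# recovers it, which keeps the version history, and never purges.
kv_ensure_writable() {
  local vault="$1" name="$2" state i
  state=$(kv_secret_state "$vault" "$name")
  case "$state" in
    active|absent) return 0 ;;
    soft-deleted)
      az keyvault secret recover --vault-name "$vault" --name "$name" \
        --output none --only-show-errors || return 1
      # Assumption: recovery may take a few seconds, so poll until readable.
      i=0
      while [ "$i" -lt "${KV_RECOVER_TRIES:-10}" ]; do
        [ "$(kv_secret_state "$vault" "$name")" = active ] && return 0
        sleep "${KV_RECOVER_WAIT:-2}"
        i=$((i + 1))
      done
      return 1 ;;
  esac
}

# Usage: kv_ensure_writable MyKeyVault MySecretName && echo "name is free to set"
```

The calling identity needs secrets/get for both lookups and secrets/recover for the recovery step, as listed for each operation on this page.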

az keyvault secret restore

Restores a backed up secret to a vault.

Restores a backed up secret, and all its versions, to a vault. This operation requires the secrets/restore permission.

az keyvault secret restore --file
                           --vault-name

Required Parameters

--file -f

File to receive the secret contents.

--vault-name

Name of the Vault.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault secret set

Create a secret (if one doesn't exist) or update a secret in a KeyVault.

az keyvault secret set --name
                       --vault-name
                       [--content-type]
                       [--disabled {false, true}]
                       [--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}]
                       [--expires]
                       [--file]
                       [--not-before]
                       [--tags]
                       [--value]

Examples

Create a secret (if one doesn't exist) or update a secret in a KeyVault.

az keyvault secret set --name MySecretName --vault-name MyKeyVault --value MyVault

Create a secret (if one doesn't exist) or update a secret in a KeyVault through a file.

az keyvault secret set --name MySecretName --vault-name MyKeyVault --file /path/to/file --encoding MyEncoding
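
A value passed with --value appears in the process arguments and in shell history, and the default json output of this command includes the stored value. The following is an added example, not part of the Azure CLI documentation, that reads the value from stdin, passes it with --file, sets --expires, and suppresses output with --output none. kv_set_from_stdin and expiry_in_days are hypothetical helper names, and the content type "password" is a sample value.

```shell
# Added example, not from the Azure CLI docs. kv_set_from_stdin and
# expiry_in_days are hypothetical helper names.

# expiry_in_days N: UTC time N days from now in the Y-m-d'T'H:M:S'Z' form
# that --expires takes. Tries GNU date first, then BSD date.
expiry_in_days() {
  date -u -d "+$1 days" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null ||
    date -u -v "+${1}d" +%Y-%m-%dT%H:%M:%SZ
}

# kv_set_from_stdin VAULT NAME DAYS
# Reads the secret from stdin so it never appears in argv or shell history.
kv_set_from_stdin() {
  local vault="$1" name="$2" days="$3" tmp rc
  case "$days" in
    ''|*[!0-9]*) echo "DAYS must be a whole number" >&2; return 2 ;;
  esac
  tmp=$(umask 077; mktemp) || return 1   # temp file readable by owner only
  cat > "$tmp"
  if [ ! -s "$tmp" ]; then
    echo "refusing to store an empty secret" >&2
    rm -f "$tmp"
    return 2
  fi
  rc=0
  # --output none: do not print the secret bundle (which contains the value).
  az keyvault secret set \
    --vault-name "$vault" --name "$name" \
    --file "$tmp" --encoding utf-8 \
    --content-type password \
    --expires "$(expiry_in_days "$days")" \
    --output none --only-show-errors || rc=$?
  rm -f "$tmp"                            # remove the plaintext copy either way
  return "$rc"
}

# Usage (printf '%s' writes no trailing newline into the file):
#   printf '%s' "$NEW_PASSWORD" | kv_set_from_stdin MyKeyVault MySecretName 90
```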

Required Parameters

--name -n

Name of the secret.

--vault-name

Name of the Vault.

Optional Parameters

--content-type --description

Description of the secret contents (e.g. password, connection string, etc).

--disabled

Create secret in disabled state.

Accepted values: false, true
--encoding -e

Source file encoding. The value is saved as a tag (file-encoding=<val>) and used during download to automatically encode the resulting file.

Accepted values: ascii, base64, hex, utf-16be, utf-16le, utf-8
Default value: utf-8
--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--file -f

Source file for secret. Use in conjunction with '--encoding'.

--not-before

Secret not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--value

Plain text secret value. Cannot be used with '--file' or '--encoding'.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault secret set-attributes

Updates the attributes associated with a specified secret in a given key vault.

The UPDATE operation changes specified attributes of an existing stored secret. Attributes that are not specified in the request are left unchanged. The value of a secret itself cannot be changed. This operation requires the secrets/set permission.

az keyvault secret set-attributes [--content-type]
                                  [--enabled {false, true}]
                                  [--expires]
                                  [--id]
                                  [--name]
                                  [--not-before]
                                  [--tags]
                                  [--vault-name]
                                  [--version]

Optional Parameters

--content-type

Type of the secret value such as a password.

--enabled

Enable the secret.

Accepted values: false, true
--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--not-before

Secret not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--vault-name

Name of the Key Vault. Required if --id is not specified.

--version -v

The secret version. If omitted, uses the latest version.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault secret show

Get a specified secret from a given key vault.

The GET operation is applicable to any secret stored in Azure Key Vault. This operation requires the secrets/get permission.

az keyvault secret show [--id]
                        [--name]
                        [--vault-name]
                        [--version]

Optional Parameters

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--vault-name

Name of the Key Vault. Required if --id is not specified.

--version -v

The secret version. If omitted, uses the latest version.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault secret show-deleted

Gets the specified deleted secret.

The Get Deleted Secret operation returns the specified deleted secret along with its attributes. This operation requires the secrets/get permission.

az keyvault secret show-deleted [--id]
                                [--name]
                                [--vault-name]

Optional Parameters

--id

The recovery id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--vault-name

Name of the Vault. Required if --id is not specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.