Quickstart: Set and retrieve a secret from Azure Key Vault using Azure CLI

Azure Key Vault is a cloud service that works as a secure secrets store. You can securely store keys, passwords, certificates, and other secrets. For more information on Key Vault you may review the Overview. Azure CLI is used to create and manage Azure resources using commands or scripts. In this quickstart, you create a key vault. Once that you have completed that, you will store a secret.

If you don't have an Azure subscription, create a free account before you begin.

Open Azure Cloud Shell

Azure Cloud Shell is an interactive shell environment hosted in Azure and used through your browse. Azure Cloud Shell allows you to use either bash or PowerShell shells to run a variety of tools to work with Azure services. Azure Cloud Shell comes pre-installed with the commands to allow you to run the content of this article without having to install anything on your local environment.

To run any code contained in this article on Azure Cloud Shell, open a Cloud Shell session, use the Copy button on a code block to copy the code, and paste it into the Cloud Shell session with Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS. Pasted text is not automatically executed, so press Enter to run code.

You can launch Azure Cloud Shell with:

Option Example/Link
Select Try It in the upper-right corner of a code block. This doesn't automatically copy text to Cloud Shell. Example of Try It for Azure Cloud Shell
Open Azure Cloud Shell in your browser.
Select the Cloud Shell button on the menu in the upper-right corner of the Azure portal. Cloud Shell button in the Azure portal

If you choose to install and use the CLI locally, this quickstart requires the Azure CLI version 2.0.4 or later. Run az --version to find the version. If you need to install or upgrade, see Install the Azure CLI.

To sign in to Azure using the CLI you can type:

az login

For more information on login options via the CLI take a look at sign in with Azure CLI

Create a resource group

A resource group is a logical container into which Azure resources are deployed and managed. The following example creates a resource group named ContosoResourceGroup in the eastus location.

az group create --name "ContosoResourceGroup" --location eastus

Create a Key Vault

Next you will create a Key Vault in the resource group created in the previous step. You will need to provide some information:

  • For this quickstart we use Contoso-vault2. You must provide a unique name in your testing.
  • Resource group name ContosoResourceGroup.
  • The location East US.
az keyvault create --name "Contoso-Vault2" --resource-group "ContosoResourceGroup" --location eastus

The output of this cmdlet shows properties of the newly created Key Vault. Take note of the two properties listed below:

  • Vault Name: In the example, this is Contoso-Vault2. You will use this name for other Key Vault commands.
  • Vault URI: In the example, this is https://contoso-vault2.vault.azure.net/. Applications that use your vault through its REST API must use this URI.

At this point, your Azure account is the only one authorized to perform any operations on this new vault.

Add a secret to Key Vault

To add a secret to the vault, you just need to take a couple of additional steps. This password could be used by an application. The password will be called ExamplePassword and will store the value of hVFkk965BuUv in it.

Type the commands below to create a secret in Key Vault called ExamplePassword that will store the value hVFkk965BuUv :

az keyvault secret set --vault-name "Contoso-Vault2" --name "ExamplePassword" --value "hVFkk965BuUv"

You can now reference this password that you added to Azure Key Vault by using its URI. Use https://ContosoVault.vault.azure.net/secrets/ExamplePassword to get the current version.

To view the value contained in the secret as plain text:

az keyvault secret show --name "ExamplePassword" --vault-name "Contoso-Vault2"

Now, you have created a Key Vault, stored a secret, and retrieved it.

Clean up resources

Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you may wish to leave these resources in place. When no longer needed, you can use the az group delete command to remove the resource group, and all related resources. You can delete the resources as follows:

az group delete --name ContosoResourceGroup

Next steps

In this quickstart, you have created a Key Vault and stored a secret in it. To learn more about Key Vault and how you can use it with your applications continue to the tutorial for web applications working with Key Vault.

To learn how to read a secret from Key Vault from a web application using managed identities for Azure resources, continue with the following tutorial Configure an Azure web application to read a secret from Key vault