Quickstart: Set and retrieve a secret from Azure Key Vault using PowerShell
This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.
Azure Key Vault is a cloud service that works as a secure secrets store. You can securely store keys, passwords, certificates, and other secrets. For more information on Key Vault, you may review the Overview. In this quickstart, you use PowerShell to create a key vault. You then store a secret in the newly created vault.
If you don't have an Azure subscription, create a free account before you begin.
Use Azure Cloud Shell
Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. Cloud Shell lets you use either
PowerShell to work with Azure services. You can use the Cloud Shell pre-installed commands to run the code in this article without having to install anything on your local environment.
To launch Azure Cloud Shell:
|Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell.|
|Go to https://shell.azure.com or select the Launch Cloud Shell button to open Cloud Shell in your browser.|
|Select the Cloud Shell button on the top-right menu bar in the Azure portal.|
To run the code in this article in Azure Cloud Shell:
- Open Cloud Shell.
- Select the Copy button on a code block to copy the code.
- Paste the code into the Cloud Shell session with Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS.
- Press Enter to run the code.
If you choose to install and use PowerShell locally, this tutorial requires Azure PowerShell module version 1.0.0 or later. Type
$PSVersionTable.PSVersion to find the version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run
Login-AzAccount to create a connection with Azure.
Create a resource group
Create an Azure resource group with New-AzResourceGroup. A resource group is a logical container into which Azure resources are deployed and managed.
New-AzResourceGroup -Name ContosoResourceGroup -Location EastUS
Create a Key Vault
Next you create a Key Vault. When doing this step, you need some information:
Although we use “Contoso KeyVault2” as the name for our Key Vault throughout this quickstart, you must use a unique name.
- Vault name Contoso-Vault2.
- Resource group name ContosoResourceGroup.
- Location East US.
New-AzKeyVault -Name 'Contoso-Vault2' -ResourceGroupName 'ContosoResourceGroup' -Location 'East US'
The output of this cmdlet shows properties of the newly created key vault. Take note of the two properties listed below:
- Vault Name: In the example that is Contoso-Vault2. You will use this name for other Key Vault cmdlets.
- Vault URI: In this example that is https://contosokeyvault.vault.azure.net/. Applications that use your vault through its REST API must use this URI.
After vault creation your Azure account is the only account allowed to do anything on this new vault.
Adding a secret to Key Vault
To add a secret to the vault, you just need to take a couple of steps. In this case, you add a password that could be used by an application. The password is called ExamplePassword and stores the value of hVFkk965BuUv in it.
First convert the value of hVFkk965BuUv to a secure string by typing:
$secretvalue = ConvertTo-SecureString 'hVFkk965BuUv' -AsPlainText -Force
Then, type the PowerShell commands below to create a secret in Key Vault called ExamplePassword with the value hVFkk965BuUv :
$secret = Set-AzKeyVaultSecret -VaultName 'ContosoKeyVault' -Name 'ExamplePassword' -SecretValue $secretvalue
To view the value contained in the secret as plain text:
(Get-AzKeyVaultSecret -vaultName "Contosokeyvault" -name "ExamplePassword").SecretValueText
Now, you have created a Key Vault, stored a secret, and retrieved it.
Clean up resources
Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue on to work with other quickstarts and tutorials, you may want to leave these resources in place.
When no longer needed, you can use the Remove-AzResourceGroup command to remove the resource group, Key Vault, and all related resources.
Remove-AzResourceGroup -Name ContosoResourceGroup
In this quickstart, you have created a Key Vault and stored a software key in it. To learn more about Key Vault and how you can use it with your applications continue to the tutorial for web applications working with Key Vault.
To learn how to read a secret from Key Vault from a web application using managed identities for Azure resources, continue with the following tutorial