Quickstart: Set and retrieve a secret from Azure Key Vault using PowerShell
Azure Key Vault is a cloud service that works as a secure secrets store. You can securely store keys, passwords, certificates, and other secrets. For more information on Key Vault, you may review the Overview. In this quickstart, you use PowerShell to create a key vault. You then store a secret in the newly created vault.
If you don't have an Azure subscription, create a free account before you begin.
Launch Azure Cloud Shell
The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. Just click the Copy to copy the code, paste it into the Cloud Shell, and then press enter to run it. There are a few ways to launch the Cloud Shell:
|Click Try It in the upper right corner of a code block.|
|Open Cloud Shell in your browser.|
|Click the Cloud Shell button on the menu in the upper right of the Azure portal.|
If you choose to install and use PowerShell locally, this tutorial requires Azure PowerShell module version 5.1.1 or later. Run
Get-Module -ListAvailable AzureRM to find the version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run
Login-AzureRmAccount to create a connection with Azure.
Create a resource group
Create an Azure resource group with New-AzureRmResourceGroup. A resource group is a logical container into which Azure resources are deployed and managed.
New-AzureRmResourceGroup -Name ContosoResourceGroup -Location EastUS
Create a Key Vault
Next you create a Key Vault. When doing this step, you need some information:
Although we use “Contoso KeyVault2” as the name for our Key Vault throughout this quickstart, you must use a unique name.
- Vault name Contoso-Vault2.
- Resource group name ContosoResourceGroup.
- Location East US.
New-AzureRmKeyVault -VaultName 'Contoso-Vault2' -ResourceGroupName 'ContosoResourceGroup' -Location 'East US'
The output of this cmdlet shows properties of the newly created key vault. Take note of the two properties listed below:
- Vault Name: In the example that is Contoso-Vault2. You will use this name for other Key Vault cmdlets.
- Vault URI: In this example that is https://contosokeyvault.vault.azure.net/. Applications that use your vault through its REST API must use this URI.
After vault creation your Azure account is the only account allowed to do anything on this new vault.
Adding a secret to Key Vault
To add a secret to the vault, you just need to take a couple of steps. In this case, you add a password that could be used by an application. The password is called ExamplePassword and stores the value of '''Pa$$w0rd''' in it.
First convert the value of Pa$$w0rd to a secure string by typing:
$secretvalue = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
Then, type the PowerShell commands below to create a secret in Key Vault called ExamplePassword with the value Pa$$w0rd :
$secret = Set-AzureKeyVaultSecret -VaultName 'ContosoKeyVault' -Name 'ExamplePassword' -SecretValue $secretvalue
To view the value contained in the secret as plain text:
(Get-AzureKeyVaultSecret -vaultName "Contosokeyvault" -name "ExamplePassword").SecretValueText
Now, you have created a Key Vault, stored a secret, and retrieved it.
Clean up resources
Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue on to work with other quickstarts and tutorials, you may want to leave these resources in place.
When no longer needed, you can use the Remove-AzureRmResourceGroup command to remove the resource group, Key Vault, and all related resources.
Remove-AzureRmResourceGroup -Name ContosoResourceGroup
In this quickstart, you have created a Key Vault and stored a software key in it. To learn more about Key Vault and how you can use it with your applications continue to the tutorial for web applications working with Key Vault.
To learn how to read a secret from Key Vault from a web application using managed service identities, continue with the following tutorial Configure an Azure web application to read a secret from Key vault.