Key Vault - az keyvault

Safeguard and maintain control of keys, secrets, and certificates.

If you don't have the keyvault component installed, add it with az component update --add keyvault.

Commands

az keyvault certificate: Manage certificates.
az keyvault certificate contact: Manage contacts for certificate management.
az keyvault certificate contact add: Add a contact to the specified vault to receive notifications of certificate operations.
az keyvault certificate contact delete: Remove a certificate contact from the specified vault.
az keyvault certificate contact list: Lists the certificate contacts for a specified key vault.
az keyvault certificate create: Creates a new certificate.
az keyvault certificate delete: Deletes a certificate from a specified key vault.
az keyvault certificate download: Download a certificate from a KeyVault.
az keyvault certificate get-default-policy: Get a default policy for a self-signed certificate.
az keyvault certificate import: Import a certificate into KeyVault.
az keyvault certificate issuer: Manage certificate issuer information.
az keyvault certificate issuer admin: Manage admin information for certificate issuers.
az keyvault certificate issuer admin add: Add admin details for a specified certificate issuer.
az keyvault certificate issuer admin delete: Remove admin details for the specified certificate issuer.
az keyvault certificate issuer admin list: List admins for a specified certificate issuer.
az keyvault certificate issuer create: Create a certificate issuer record.
az keyvault certificate issuer delete: Deletes the specified certificate issuer.
az keyvault certificate issuer list: List certificate issuers for a specified key vault.
az keyvault certificate issuer show: Lists the specified certificate issuer.
az keyvault certificate issuer update: Update a certificate issuer record.
az keyvault certificate list: List certificates in a specified key vault.
az keyvault certificate list-deleted: Lists the deleted certificates in the specified vault, currently available for recovery.
az keyvault certificate list-versions: List the versions of a certificate.
az keyvault certificate pending: Manage pending certificate creation operations.
az keyvault certificate pending delete: Deletes the operation for a specified certificate.
az keyvault certificate pending merge: Merges a certificate or a certificate chain with a key pair existing on the server.
az keyvault certificate pending show: Gets the operation associated with a specified certificate.
az keyvault certificate purge: Permanently deletes the specified deleted certificate.
az keyvault certificate recover: Recovers the deleted certificate back to its current version under /certificates.
az keyvault certificate set-attributes: Updates the specified attributes associated with the given certificate.
az keyvault certificate show: Gets information about a specified certificate.
az keyvault certificate show-deleted: Retrieves information about the specified deleted certificate.
az keyvault create: Create a key vault.
az keyvault delete: Delete a key vault.
az keyvault delete-policy: Delete security policy settings for a Key Vault.
az keyvault key: Manage keys.
az keyvault key backup: Requests that a backup of the specified key be downloaded to the client.
az keyvault key create: Creates a new key, stores it, then returns key parameters and attributes to the client.
az keyvault key delete: Deletes a key of any type from storage in Azure Key Vault.
az keyvault key import: Import a private key.
az keyvault key list: List keys in the specified vault.
az keyvault key list-deleted: List deleted keys in the specified vault.
az keyvault key list-versions: Retrieves a list of individual key versions with the same key name.
az keyvault key purge: Permanently deletes the specified key.
az keyvault key recover: Recovers the deleted key back to its current version under /keys.
az keyvault key restore: Restores a backed up key to a vault.
az keyvault key set-attributes: The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Azure Key Vault.
az keyvault key show: Gets the public part of a stored key.
az keyvault key show-deleted: Retrieves the deleted key information plus its attributes.
az keyvault list: List key vaults.
az keyvault list-deleted: Gets information about the deleted vaults in a subscription.
az keyvault purge: Permanently deletes the specified vault.
az keyvault recover: Recover a key vault.
az keyvault secret: Manage secrets.
az keyvault secret backup: Requests that a backup of the specified secret be downloaded to the client.
az keyvault secret delete: Deletes a secret from a specified key vault.
az keyvault secret download: Download a secret from a KeyVault.
az keyvault secret list: List secrets in a specified key vault.
az keyvault secret list-deleted: List deleted secrets in the specified vault.
az keyvault secret list-versions: List the versions of the specified secret.
az keyvault secret purge: Permanently deletes the specified secret.
az keyvault secret recover: Recovers the deleted secret back to its current version under /secrets.
az keyvault secret restore
az keyvault secret set: Sets a secret in a specified key vault.
az keyvault secret set-attributes: Updates the attributes associated with a specified secret in a given key vault.
az keyvault secret show: Get a specified secret from a given key vault.
az keyvault secret show-deleted: Retrieves the deleted secret information plus its attributes.
az keyvault set-policy: Update security policy settings for a Key Vault.
az keyvault show: Show details of a key vault.
az keyvault update: Update the properties of a key vault.

az keyvault create

Default permissions are created for the current user or service principal unless the --no-self-perms flag is specified.

az keyvault create --name
--resource-group
[--enable-soft-delete {false, true}]
[--enabled-for-deployment {false, true}]
[--enabled-for-disk-encryption {false, true}]
[--enabled-for-template-deployment {false, true}]
[--location]
[--no-self-perms {false, true}]
[--sku {premium, standard}]
[--tags]

Required Parameters

--name -n

Name of the key vault.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=.

Optional Parameters

--enable-soft-delete

Enable vault deletion recovery for the vault, and all contained entities.

accepted values: false, true

--enabled-for-deployment

Allow Virtual Machines to retrieve certificates stored as secrets from the vault.

accepted values: false, true

--enabled-for-disk-encryption

Allow Disk Encryption to retrieve secrets from the vault and unwrap keys.

accepted values: false, true

--enabled-for-template-deployment

Allow Resource Manager to retrieve secrets from the vault.

accepted values: false, true

--location -l

Location. You can configure the default location using az configure --defaults location=.

--no-self-perms

Don't add permissions for the current user/service principal in the new vault.

accepted values: false, true

--sku

SKU details.

accepted values: premium, standard
default value: standard

--tags

Space separated tags in 'key[=value]' format. Use "" to clear existing tags.

az keyvault delete

Delete a key vault.

az keyvault delete --name
[--resource-group]

Required Parameters

--name -n

Name of the key vault.

Optional Parameters

--resource-group -g

Proceed only if Key Vault belongs to the specified resource group.

az keyvault delete-policy

Delete security policy settings for a Key Vault.

az keyvault delete-policy --name
[--object-id]
[--resource-group]
[--spn]
[--upn]

Required Parameters

--name -n

Name of the key vault.

Optional Parameters

--object-id

A GUID that identifies the principal that will receive permissions.

--resource-group -g

Proceed only if Key Vault belongs to the specified resource group.

--spn

Name of a service principal that will receive permissions.

--upn

Name of a user principal that will receive permissions.

az keyvault list

List key vaults.

az keyvault list [--resource-group]

Optional Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=.

az keyvault list-deleted

Gets information about the deleted vaults in a subscription.

az keyvault list-deleted

az keyvault purge

Purges the deleted Azure key vault.

az keyvault purge --location
--name

Required Parameters

--location -l

Location. You can configure the default location using az configure --defaults location=.

--name -n

Name of the key vault.

az keyvault recover

Recovers a previously deleted key vault for which soft delete was enabled.

az keyvault recover --location
--name
[--resource-group]

Required Parameters

--location -l

Location. You can configure the default location using az configure --defaults location=.

--name -n

Name of the key vault.

Optional Parameters

--resource-group -g

Proceed only if Key Vault belongs to the specified resource group.

az keyvault set-policy

Update security policy settings for a Key Vault.

az keyvault set-policy --name
[--certificate-permissions]
[--key-permissions]
[--object-id]
[--resource-group]
[--secret-permissions]
[--spn]
[--upn]

Required Parameters

--name -n

Name of the key vault.

Optional Parameters

--certificate-permissions

Space separated list. Possible values: get, list, delete, create, import, update, managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, recover, purge.

--key-permissions

Space separated list. Possible values: encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, purge.

--object-id

A GUID that identifies the principal that will receive permissions.

--resource-group -g

Proceed only if Key Vault belongs to the specified resource group.

--secret-permissions

Space separated list. Possible values: get, list, set, delete, backup, restore, recover, purge.

--spn

Name of a service principal that will receive permissions.

--upn

Name of a user principal that will receive permissions.
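
The permissions granted through set-policy and the flags chosen at create time can be reviewed together from the JSON that az keyvault show prints. The following is an added example, not part of the CLI or its documentation: it flags access policies that carry delete or purge and vaults without soft delete. The property names (properties.accessPolicies, enableSoftDelete, enabledFor*) are assumed to match the show output, and the sample document and object IDs are constructed.

```python
import json

# Constructed sample shaped like the JSON that `az keyvault show` prints.
SAMPLE = json.loads("""
{"name": "example-vault",
 "properties": {
   "enableSoftDelete": null,
   "enabledForDeployment": true,
   "enabledForDiskEncryption": false,
   "enabledForTemplateDeployment": false,
   "accessPolicies": [
     {"objectId": "00000000-0000-0000-0000-000000000001",
      "permissions": {"keys": ["get", "list"], "secrets": ["get"],
                      "certificates": []}},
     {"objectId": "00000000-0000-0000-0000-000000000002",
      "permissions": {"keys": ["get", "delete", "purge"],
                      "secrets": ["get", "set", "Purge"],
                      "certificates": null}}]}}
""")

DESTRUCTIVE = {"delete", "purge"}  # permissions that remove data
SERVICE_FLAGS = ("enabledForDeployment", "enabledForDiskEncryption",
                 "enabledForTemplateDeployment")


def audit_vault(vault):
    """Return (subject, finding) tuples for settings worth a second look."""
    props = vault.get("properties") or {}
    findings = []
    # A null or absent value is treated as "soft delete not enabled".
    if not props.get("enableSoftDelete"):
        findings.append(("vault", "soft delete not enabled"))
    # Each flag lets a platform service read from the vault.
    for flag in SERVICE_FLAGS:
        if props.get(flag):
            findings.append(("vault", f"{flag} is true"))
    for policy in props.get("accessPolicies") or []:
        perms = policy.get("permissions") or {}
        for kind in ("keys", "secrets", "certificates"):
            # Compare case-insensitively; a null list means no permissions.
            granted = {p.lower() for p in (perms.get(kind) or [])}
            risky = sorted(granted & DESTRUCTIVE)
            if risky:
                findings.append((policy.get("objectId"),
                                 f"{kind}: {' '.join(risky)}"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_vault(SAMPLE):
        print(f"{subject}: {finding}")
```

To run it against a real vault, save the output of az keyvault show --name with the vault name to a file and pass the parsed JSON to audit_vault.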

az keyvault show

Show details of a key vault.

az keyvault show --name
[--resource-group]

Required Parameters

--name -n

Name of the key vault.

Optional Parameters

--resource-group -g

Proceed only if Key Vault belongs to the specified resource group.

az keyvault update

Update the properties of a key vault.

az keyvault update --name
[--add]
[--enabled-for-deployment {false, true}]
[--enabled-for-disk-encryption {false, true}]
[--enabled-for-template-deployment {false, true}]
[--remove]
[--resource-group]
[--set]

Required Parameters

--name -n

Name of the key vault.

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty .

--enabled-for-deployment

Allow Virtual Machines to retrieve certificates stored as secrets from the vault.

accepted values: false, true

--enabled-for-disk-encryption

Allow Disk Encryption to retrieve secrets from the vault and unwrap keys.

accepted values: false, true

--enabled-for-template-deployment

Allow Resource Manager to retrieve secrets from the vault.

accepted values: false, true

--remove

Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.

--resource-group -g

Proceed only if Key Vault belongs to the specified resource group.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=.