Key Vault secrets - az keyvault secret

Manage secrets.

Commands

az keyvault secret backup Requests that a backup of the specified secret be downloaded to the client.
az keyvault secret delete Deletes a secret from a specified key vault.
az keyvault secret download Download a secret from a KeyVault.
az keyvault secret list List secrets in a specified key vault.
az keyvault secret list-deleted List deleted secrets in the specified vault.
az keyvault secret list-versions List the versions of the specified secret.
az keyvault secret purge Permanently deletes the specified secret.
az keyvault secret recover Recovers the deleted secret back to its current version under /secrets.
az keyvault secret restore
az keyvault secret set Sets a secret in a specified key vault.
az keyvault secret set-attributes Updates the attributes associated with a specified secret in a given key vault.
az keyvault secret show Get a specified secret from a given key vault.
az keyvault secret show-deleted Retrieves the deleted secret information plus its attributes.

az keyvault secret backup

Authorization: requires the secrets/backup permission.

az keyvault secret backup --file-path
--name
--vault-name

Required Parameters

--file-path
--name -n

Name of the secret.

--vault-name

Name of the key vault.

az keyvault secret delete

The DELETE operation applies to any secret stored in Azure Key Vault. DELETE cannot be applied to an individual version of a secret.

az keyvault secret delete --name
--vault-name

Required Parameters

--name -n

Name of the secret.

--vault-name

Name of the key vault.

az keyvault secret download

Download a secret from a KeyVault.

az keyvault secret download --file
--name
--vault-name
[--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}]
[--version]

Required Parameters

--file -f

File to receive the secret contents.

--name -n

Name of the secret.

--vault-name

Name of the key vault.

Optional Parameters

--encoding -e

Encoding of the destination file. By default, will look for the 'file-encoding' tag on the secret. Otherwise will assume 'utf-8'.

accepted values: ascii, base64, hex, utf-16be, utf-16le, utf-8

--version -v

The secret version. If omitted, uses the latest version.

az keyvault secret list

The LIST operation is applicable to the entire vault; however, only the base secret identifier and attributes are provided in the response. Individual secret versions are not listed in the response.

az keyvault secret list --vault-name
[--maxresults]

Required Parameters

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

az keyvault secret list-deleted

Authorization: requires the secrets/list permission.

az keyvault secret list-deleted --vault-name
[--maxresults]

Required Parameters

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

az keyvault secret list-versions

The LIST VERSIONS operation can be applied to all versions having the same secret name in the same key vault. The full secret identifier and attributes are provided in the response. No values are returned for the secrets and only current versions of a secret are listed.

az keyvault secret list-versions --name
--vault-name
[--maxresults]

Required Parameters

--name -n

Name of the secret.

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

az keyvault secret purge

Permanently deletes the specified secret, also known as purging it. Authorization: requires the secrets/purge permission.

az keyvault secret purge --name
--vault-name

Required Parameters

--name -n

Name of the secret.

--vault-name

Name of the key vault.

az keyvault secret recover

Authorization: requires the secrets/recover permission.

az keyvault secret recover --name
--vault-name

Required Parameters

--name -n

Name of the secret.

--vault-name

Name of the key vault.

az keyvault secret restore

az keyvault secret restore --file-path
--vault-name

Required Parameters

--file-path
--vault-name

Name of the key vault.

az keyvault secret set

The SET operation adds a secret to the Azure Key Vault. If the named secret already exists, Azure Key Vault creates a new version of that secret.

az keyvault secret set --name
--vault-name
[--description]
[--disabled {false, true}]
[--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}]
[--expires]
[--file]
[--not-before]
[--tags]
[--value]

Required Parameters

--name -n

Name of the secret.

--vault-name

Name of the key vault.

Optional Parameters

--description

Description of the secret contents (e.g. password, connection string, etc).

--disabled

Create secret in disabled state.

accepted values: false, true

--encoding -e

Source file encoding. The value is saved as a tag (file-encoding=) and used during download to automatically encode the resulting file.

accepted values: ascii, base64, hex, utf-16be, utf-16le, utf-8
default value: utf-8

--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--file -f

Source file for secret. Use in conjunction with '--encoding'.

--not-before

Secret not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--tags

Space separated tags in 'key[=value]' format. Use "" to clear existing tags.

--value

Plain text secret value. Cannot be used with '--file' or '--encoding'.
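
The '--file' / '--encoding' pairing on 'set' and the 'file-encoding' tag lookup on 'download' can be exercised as a round trip. This is an added example, not part of the az documentation; the vault name, secret name and paths are caller-supplied assumptions, and '--output none' is the CLI's global output option.

```shell
#!/bin/sh
# Added example, not taken from the az documentation.
# VAULT, NAME and file paths are caller-supplied (assumptions).

# Upload a binary file as a secret. --file keeps the value out of the
# process list and shell history (unlike --value); --encoding base64 is
# recorded in the file-encoding tag; --output none stops the CLI from
# echoing the stored value back to the terminal or a CI log.
put_secret_file() {   # usage: put_secret_file VAULT NAME SRC
    az keyvault secret set --vault-name "$1" --name "$2" \
        --file "$3" --encoding base64 --output none
}

# Download the latest version into DEST, created readable by the owner
# only. No --encoding is given, so the file-encoding tag decides.
get_secret_file() {   # usage: get_secret_file VAULT NAME DEST
    (
        umask 077
        az keyvault secret download --vault-name "$1" --name "$2" \
            --file "$3"
    )
}

# Upload SRC, download it again into a private temp directory and compare
# byte for byte. Returns 0 only when the round trip is lossless.
roundtrip_secret_file() {   # usage: roundtrip_secret_file VAULT NAME SRC
    rt_dir=$(mktemp -d) || return 1
    rt_status=1
    if put_secret_file "$1" "$2" "$3" &&
        get_secret_file "$1" "$2" "$rt_dir/secret.bin" &&
        cmp -s "$3" "$rt_dir/secret.bin"; then
        rt_status=0
    fi
    rm -rf "$rt_dir"
    return "$rt_status"
}
```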

az keyvault secret set-attributes

The UPDATE operation changes specified attributes of an existing stored secret. Attributes that are not specified in the request are left unchanged. The value of a secret itself cannot be changed.

az keyvault secret set-attributes --name
--vault-name
[--content-type]
[--enabled {false, true}]
[--expires]
[--not-before]
[--tags]
[--version]

Required Parameters

--name -n

Name of the secret.

--vault-name

Name of the key vault.

Optional Parameters

--content-type

Type of the secret value such as a password.

--enabled

Enable the secret.

accepted values: false, true

--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--not-before

Secret not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--tags

Space separated tags in 'key[=value]' format. Use "" to clear existing tags.

--version -v

The secret version. If omitted, uses the latest version.
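
Because 'set' on an existing name creates a new version and 'set-attributes' accepts '--version' and '--enabled', the two combine into a rotation step. This is an added example, not part of the az documentation; disabling every older enabled version is one possible policy (an assumption), all argument values are caller-supplied, and '--query' / '--output' are the CLI's global options.

```shell
#!/bin/sh
# Added example, not taken from the az documentation.
# VAULT, NAME, SRC and EXPIRES are caller-supplied (assumptions).

# Rotate a secret: 'set' on an existing name creates a new version; every
# other version that is still enabled is then disabled with
# 'set-attributes --version ... --enabled false'. Prints the new version's id.
rotate_secret() {   # usage: rotate_secret VAULT NAME SRC EXPIRES
    # --query id returns only the identifier, never the secret value.
    new_id=$(az keyvault secret set --vault-name "$1" --name "$2" \
        --file "$3" --expires "$4" --query id --output tsv) || return 1

    # list-versions returns identifiers and attributes, no values.
    enabled_ids=$(az keyvault secret list-versions --vault-name "$1" \
        --name "$2" --query "[?attributes.enabled].id" --output tsv) || return 1

    for old_id in $enabled_ids; do
        [ "$old_id" = "$new_id" ] && continue
        # The version is the last path segment of the secret identifier.
        az keyvault secret set-attributes --vault-name "$1" --name "$2" \
            --version "${old_id##*/}" --enabled false --output none || return 1
    done
    printf '%s\n' "$new_id"
}
```

EXPIRES uses the format given for '--expires', for example 2030-01-01T00:00:00Z.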

az keyvault secret show

The GET operation is applicable to any secret stored in Azure Key Vault.

az keyvault secret show --name
--vault-name
[--version]

Required Parameters

--name -n

Name of the secret.

--vault-name

Name of the key vault.

Optional Parameters

--version -v

The secret version. If omitted, uses the latest version.

az keyvault secret show-deleted

Authorization: requires the secrets/get permission.

az keyvault secret show-deleted --name
--vault-name

Required Parameters

--name -n

Name of the secret.

--vault-name

Name of the key vault.