az keyvault secret

Manage secrets.

Commands

az keyvault secret backup Backs up the specified secret.
az keyvault secret delete Deletes a secret from a specified key vault.
az keyvault secret download Download a secret from a KeyVault.
az keyvault secret list List secrets in a specified key vault.
az keyvault secret list-deleted Lists deleted secrets for the specified vault.
az keyvault secret list-versions List all versions of the specified secret.
az keyvault secret purge Permanently deletes the specified secret.
az keyvault secret recover Recovers the deleted secret to the latest version.
az keyvault secret restore Restores a backed up secret to a vault.
az keyvault secret set Create a secret (if one doesn't exist) or update a secret in a KeyVault.
az keyvault secret set-attributes Updates the attributes associated with a specified secret in a given key vault.
az keyvault secret show Get a specified secret from a given key vault.
az keyvault secret show-deleted Gets the specified deleted secret.

az keyvault secret backup

Backs up the specified secret.

az keyvault secret backup --file
[--id]
[--name]
[--subscription]
[--vault-name]

Required Parameters

--file -f

File to receive the secret contents.

Optional Parameters

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault secret delete

Deletes a secret from a specified key vault.

az keyvault secret delete [--id]
[--name]
[--subscription]
[--vault-name]

Optional Parameters

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault secret download

Download a secret from a KeyVault.

az keyvault secret download --file
[--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}]
[--id]
[--name]
[--subscription]
[--vault-name]
[--version]

Required Parameters

--file -f

File to receive the secret contents.

Optional Parameters

--encoding -e

Encoding of the destination file. By default, will look for the 'file-encoding' tag on the secret. Otherwise will assume 'utf-8'.

accepted values: ascii, base64, hex, utf-16be, utf-16le, utf-8
--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the key vault. Required if --id is not specified.

--version -v

The secret version. If omitted, uses the latest version.

az keyvault secret list

List secrets in a specified key vault.

az keyvault secret list --vault-name
[--maxresults]
[--subscription]

Required Parameters

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault secret list-deleted

Lists deleted secrets for the specified vault.

az keyvault secret list-deleted --vault-name
[--maxresults]
[--subscription]

Required Parameters

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault secret list-versions

List all versions of the specified secret.

az keyvault secret list-versions --name
--vault-name
[--maxresults]
[--subscription]

Required Parameters

--name -n

Name of the secret.

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault secret purge

Permanently deletes the specified secret.

az keyvault secret purge [--id]
[--name]
[--subscription]
[--vault-name]

Optional Parameters

--id

The recovery id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault secret recover

Recovers the deleted secret to the latest version.

az keyvault secret recover [--id]
[--name]
[--subscription]
[--vault-name]

Optional Parameters

--id

The recovery id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault secret restore

Restores a backed up secret to a vault.

az keyvault secret restore --file
--vault-name
[--subscription]

Required Parameters

--file -f

File to receive the secret contents.

--vault-name

Name of the key vault.

Optional Parameters

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault secret set

Create a secret (if one doesn't exist) or update a secret in a KeyVault.

az keyvault secret set --name
--vault-name
[--description]
[--disabled {false, true}]
[--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}]
[--expires]
[--file]
[--not-before]
[--subscription]
[--tags]
[--value]

Required Parameters

--name -n

Name of the secret.

--vault-name

Name of the key vault.

Optional Parameters

--description

Description of the secret contents (e.g. password, connection string, etc).

--disabled

Create secret in disabled state.

accepted values: false, true
--encoding -e

Source file encoding. The value is saved as a tag (file-encoding=<val>) and used during download to automatically encode the resulting file.

accepted values: ascii, base64, hex, utf-16be, utf-16le, utf-8
default value: utf-8
--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--file -f

Source file for secret. Use in conjunction with '--encoding'.

--not-before

Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags in 'key[=value]' format. Use "" to clear existing tags.

--value

Plain text secret value. Cannot be used with '--file' or '--encoding'.

az keyvault secret set-attributes

Updates the attributes associated with a specified secret in a given key vault.

az keyvault secret set-attributes [--content-type]
[--enabled {false, true}]
[--expires]
[--id]
[--name]
[--not-before]
[--subscription]
[--tags]
[--vault-name]
[--version]

Optional Parameters

--content-type

Type of the secret value such as a password.

--enabled

Enable the secret.

accepted values: false, true
--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--not-before

Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags in 'key[=value]' format. Use "" to clear existing tags.

--vault-name

Name of the key vault. Required if --id is not specified.

--version -v

The secret version. If omitted, uses the latest version.

az keyvault secret show

Get a specified secret from a given key vault.

az keyvault secret show [--id]
[--name]
[--subscription]
[--vault-name]
[--version]

Optional Parameters

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the key vault. Required if --id is not specified.

--version -v

The secret version. If omitted, uses the latest version.

az keyvault secret show-deleted

Gets the specified deleted secret.

az keyvault secret show-deleted [--id]
[--name]
[--subscription]
[--vault-name]

Optional Parameters

--id

The recovery id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--vault-name

Name of the key vault. Required if --id is not specified.