How to set up Key Vault for virtual machines with the Azure CLI

Applies to: ✔️ Linux VMs ✔️ Flexible scale sets

In the Azure Resource Manager stack, secrets/certificates are modeled as resources that are provided by Key Vault. To learn more about Azure Key Vault, see What is Azure Key Vault? In order for Key Vault to be used with Azure Resource Manager VMs, the EnabledForDeployment property on Key Vault must be set to true. This article shows you how to set up Key Vault for use with Azure virtual machines (VMs) using the Azure CLI.

To perform these steps, you need the latest Azure CLI installed and logged in to an Azure account using az login.

Note

Before you can use Azure CLI in Microsoft Azure operated by 21Vianet, please run az cloud set -n AzureChinaCloud first to change the cloud environment. If you want to switch back to Azure Public Cloud, run az cloud set -n AzureCloud again.

Create a Key Vault

Create a key vault and assign the deployment policy with az keyvault create. The following example creates a key vault named myKeyVault in the myResourceGroup resource group:

az keyvault create -l chinanorth -n myKeyVault -g myResourceGroup --enabled-for-deployment true

Update a Key Vault for use with VMs

Set the deployment policy on an existing key vault with az keyvault update. The following updates the key vault named myKeyVault in the myResourceGroup resource group:

az keyvault update -n myKeyVault -g myResourceGroup --set properties.enabledForDeployment=true

Use templates to set up Key Vault

When you use a template, you need to set the enabledForDeployment property to true for the Key Vault resource as follows:

{
    "type": "Microsoft.KeyVault/vaults",
    "name": "ContosoKeyVault",
    "apiVersion": "2015-06-01",
    "location": "<location-of-key-vault>",
    "properties": {
    "enabledForDeployment": "true",
    ....
    ....
    }
}