az keyvault secret

Manage secrets.

Commands

az keyvault secret backup

Backs up the specified secret.

az keyvault secret delete

Deletes a secret from a specified key vault.

az keyvault secret download

Download a secret from a KeyVault.

az keyvault secret list

List secrets in a specified key vault.

az keyvault secret list-deleted

Lists deleted secrets for the specified vault.

az keyvault secret list-versions

List all versions of the specified secret.

az keyvault secret purge

Permanently deletes the specified secret.

az keyvault secret recover

Recovers the deleted secret to the latest version.

az keyvault secret restore

Restores a backed up secret to a vault.

az keyvault secret set

Create a secret (if one doesn't exist) or update a secret in a KeyVault.

az keyvault secret set-attributes

Updates the attributes associated with a specified secret in a given key vault.

az keyvault secret show

Get a specified secret from a given key vault.

az keyvault secret show-deleted

Gets the specified deleted secret.

az keyvault secret backup

Backs up the specified secret.

Requests that a backup of the specified secret be downloaded to the client. All versions of the secret will be downloaded. This operation requires the secrets/backup permission.

az keyvault secret backup --file-path
                          [--id]
                          [--name]
                          [--vault-name]

Required Parameters

--file-path

Optional Parameters

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault secret delete

Deletes a secret from a specified key vault.

The DELETE operation applies to any secret stored in Azure Key Vault. DELETE cannot be applied to an individual version of a secret. This operation requires the secrets/delete permission.

az keyvault secret delete [--id]
                          [--name]
                          [--vault-name]

Optional Parameters

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault secret download

Download a secret from a KeyVault.

az keyvault secret download --file
                            [--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}]
                            [--id]
                            [--name]
                            [--vault-name]
                            [--version]

Required Parameters

--file -f

File to receive the secret contents.

Optional Parameters

--encoding -e

Encoding of the destination file. By default, will look for the 'file-encoding' tag on the secret. Otherwise will assume 'utf-8'.

accepted values: ascii, base64, hex, utf-16be, utf-16le, utf-8

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--vault-name

Name of the key vault. Required if --id is not specified.

--version -v

The secret version. If omitted, uses the latest version.

az keyvault secret list

List secrets in a specified key vault.

The Get Secrets operation is applicable to the entire vault. However, only the base secret identifier and its attributes are provided in the response. Individual secret versions are not listed in the response. This operation requires the secrets/list permission.

az keyvault secret list --vault-name
                        [--maxresults]

Required Parameters

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.
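
Because list returns each secret's identifier and attributes but no values, it can drive an attribute audit. The following is an added example, not part of the original reference, that flags enabled secrets with no expiry or with an expiry before a cutoff. The function name is hypothetical, and the tsv rendering of booleans (True/False) and of a missing expiry (None) is an assumption.

```sh
# Added example, not from the Azure CLI documentation. The function name is
# hypothetical. Assumes tsv output renders booleans as True/False and a
# missing expiry as None (an empty field is handled as well).

# audit_secret_expiry VAULT CUTOFF
# CUTOFF is a UTC timestamp in the form YYYY-MM-DDTHH:MM:SS.
# Prints "<secret id><TAB><finding>" for every enabled secret that has no
# expiry or expires before CUTOFF. Disabled secrets are skipped.
audit_secret_expiry() {
    az keyvault secret list --vault-name "$1" \
        --query "[].[id, attributes.enabled, attributes.expires]" -o tsv |
    awk -F '\t' -v cutoff="$2" '
        tolower($2) != "true"    { next }
        $3 == "" || $3 == "None" { print $1 "\tno-expiry"; next }
        # Same-format ISO 8601 timestamps sort lexically, so compare as strings.
        (substr($3, 1, 19) "") < (cutoff "") { print $1 "\texpires " $3 }
    '
}

# Usage (requires an authenticated az session; my-vault is a placeholder):
#   audit_secret_expiry my-vault 2030-01-01T00:00:00
```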

az keyvault secret list-deleted

Lists deleted secrets for the specified vault.

The Get Deleted Secrets operation returns the secrets that have been deleted for a vault enabled for soft-delete. This operation requires the secrets/list permission.

az keyvault secret list-deleted --vault-name
                                [--maxresults]

Required Parameters

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

az keyvault secret list-versions

List all versions of the specified secret.

The full secret identifier and attributes are provided in the response. No values are returned for the secrets. This operation requires the secrets/list permission.

az keyvault secret list-versions --name
                                 --vault-name
                                 [--maxresults]

Required Parameters

--name -n

Name of the secret.

--vault-name

Name of the key vault.

Optional Parameters

--maxresults

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

az keyvault secret purge

Permanently deletes the specified secret.

The purge deleted secret operation removes the secret permanently, without the possibility of recovery. This operation can only be enabled on a soft-delete enabled vault. This operation requires the secrets/purge permission.

az keyvault secret purge [--id]
                         [--name]
                         [--vault-name]

Optional Parameters

--id

The recovery id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--vault-name

Name of the key vault. Required if --id is not specified.

az keyvault secret recover

Recovers the deleted secret to the latest version.

Recovers the deleted secret in the specified vault. This operation can only be performed on a soft-delete enabled vault. This operation requires the secrets/recover permission.

az keyvault secret recover [--id]
                           [--name]
                           [--vault-name]

Optional Parameters

--id

The recovery id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--vault-name

Name of the key vault. Required if --id is not specified.
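
The list-deleted and recover commands combine into a triage step for unexpected deletions. The following is an added example, not part of the original reference, that recovers every soft-deleted secret whose name is not on an approved list and never calls purge. The function name and the approved-deletions file are hypothetical, and the form of the deleted item's id is an assumption.

```sh
# Added example, not from the Azure CLI documentation. The function name and
# the approved-deletions file are hypothetical. Assumes each deleted item's
# id has the form https://<vault host>/secrets/<name>.

# recover_unapproved_deletions VAULT APPROVED_FILE
# APPROVED_FILE lists, one per line, the secret names whose deletion was
# authorised. Every other soft-deleted secret is recovered and its name
# printed. Nothing is purged, because a purge cannot be undone.
recover_unapproved_deletions() {
    az keyvault secret list-deleted --vault-name "$1" --query "[].id" -o tsv |
    sed -n 's#.*/secrets/\([^/]*\).*#\1#p' |
    while IFS= read -r name; do
        # Exact, whole-line match against the approved list.
        if grep -Fqx -- "$name" "$2"; then
            continue
        fi
        # stdin is redirected so the CLI cannot consume the name stream.
        if az keyvault secret recover --vault-name "$1" --name "$name" \
                </dev/null >/dev/null; then
            printf '%s\n' "$name"
        else
            printf 'recover failed: %s\n' "$name" >&2
        fi
    done
}

# Usage (requires an authenticated az session and secrets/list plus
# secrets/recover permissions; names are placeholders):
#   recover_unapproved_deletions my-vault ./approved-deletions.txt
```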

az keyvault secret restore

Restores a backed up secret to a vault.

Restores a backed up secret, and all its versions, to a vault. This operation requires the secrets/restore permission.

az keyvault secret restore --file-path
                           --vault-name

Required Parameters

--file-path

--vault-name

Name of the key vault.

az keyvault secret set

Create a secret (if one doesn't exist) or update a secret in a KeyVault.

az keyvault secret set --name
                       --vault-name
                       [--description]
                       [--disabled {false, true}]
                       [--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}]
                       [--expires]
                       [--file]
                       [--not-before]
                       [--tags]
                       [--value]

Required Parameters

--name -n

Name of the secret.

--vault-name

Name of the key vault.

Optional Parameters

--description

Description of the secret contents (e.g. password, connection string, etc).

--disabled

Create secret in disabled state.

accepted values: false, true

--encoding -e

Source file encoding. The value is saved as a tag (file-encoding=<val>) and used during download to automatically encode the resulting file.

accepted values: ascii, base64, hex, utf-16be, utf-16le, utf-8
default value: utf-8

--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--file -f

Source file for secret. Use in conjunction with '--encoding'.

--not-before

Secret not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--value

Plain text secret value. Cannot be used with '--file' or '--encoding'.
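
The --file/--encoding round trip between set and download, as an added example that is not part of the original reference: it uploads a binary file as base64, downloads it relying on the file-encoding tag, and compares the bytes. Passing the value through --file also keeps it out of the process argument list and shell history, where a --value argument would be visible. The function names and the vault, secret and file names are assumptions.

```sh
# Added example, not from the Azure CLI documentation. Function names are
# hypothetical; vault, secret and file names in the usage lines are placeholders.

# store_file_secret VAULT NAME FILE EXPIRES
# Uploads FILE as a secret with an expiry. --encoding base64 is recorded on
# the secret as the tag file-encoding=base64. Prints the new secret id.
store_file_secret() {
    az keyvault secret set --vault-name "$1" --name "$2" \
        --file "$3" --encoding base64 --expires "$4" \
        --query id -o tsv
}

# verify_file_secret VAULT NAME FILE
# Downloads the latest version without --encoding, so the CLI decodes
# according to the file-encoding tag, then compares the result byte for byte
# with FILE. Returns 0 on a match, 1 on a mismatch, 2 if the download failed.
verify_file_secret() {
    # mktemp -d creates a directory only the current user can read.
    vfs_dir=$(mktemp -d) || return 2
    vfs_rc=2
    if az keyvault secret download --vault-name "$1" --name "$2" \
            --file "$vfs_dir/secret.bin" >/dev/null; then
        if cmp -s "$3" "$vfs_dir/secret.bin"; then vfs_rc=0; else vfs_rc=1; fi
    fi
    rm -rf "$vfs_dir"    # never leave the plaintext copy behind
    return "$vfs_rc"
}

# Usage (requires an authenticated az session):
#   store_file_secret my-vault tls-pfx ./site.pfx 2030-01-01T00:00:00Z
#   verify_file_secret my-vault tls-pfx ./site.pfx && echo "round trip OK"
```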

az keyvault secret set-attributes

Updates the attributes associated with a specified secret in a given key vault.

The UPDATE operation changes specified attributes of an existing stored secret. Attributes that are not specified in the request are left unchanged. The value of a secret itself cannot be changed. This operation requires the secrets/set permission.

az keyvault secret set-attributes [--content-type]
                                  [--enabled {false, true}]
                                  [--expires]
                                  [--id]
                                  [--name]
                                  [--not-before]
                                  [--tags]
                                  [--vault-name]
                                  [--version]

Optional Parameters

--content-type

Type of the secret value such as a password.

--enabled

Enable the secret.

accepted values: false, true

--expires

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--not-before

Secret not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--vault-name

Name of the key vault. Required if --id is not specified.

--version -v

The secret version. If omitted, uses the latest version.

az keyvault secret show

Get a specified secret from a given key vault.

The GET operation is applicable to any secret stored in Azure Key Vault. This operation requires the secrets/get permission.

az keyvault secret show [--id]
                        [--name]
                        [--vault-name]
                        [--version]

Optional Parameters

--id

Id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--vault-name

Name of the key vault. Required if --id is not specified.

--version -v

The secret version. If omitted, uses the latest version.

az keyvault secret show-deleted

Gets the specified deleted secret.

The Get Deleted Secret operation returns the specified deleted secret along with its attributes. This operation requires the secrets/get permission.

az keyvault secret show-deleted [--id]
                                [--name]
                                [--vault-name]

Optional Parameters

--id

The recovery id of the secret. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the secret. Required if --id is not specified.

--vault-name

Name of the key vault. Required if --id is not specified.