az keyvault

Safeguard and maintain control of keys, secrets, and certificates.

Commands

az keyvault certificate

Manage certificates.

az keyvault certificate contact

Manage contacts for certificate management.

az keyvault certificate contact add

Add a contact to the specified vault to receive notifications of certificate operations.

az keyvault certificate contact delete

Remove a certificate contact from the specified vault.

az keyvault certificate contact list

Lists the certificate contacts for a specified key vault.

az keyvault certificate create

Create a Key Vault certificate.

az keyvault certificate delete

Deletes a certificate from a specified key vault.

az keyvault certificate download

Download the public portion of a Key Vault certificate.

az keyvault certificate get-default-policy

Get the default policy for self-signed certificates.

az keyvault certificate import

Import a certificate into KeyVault.

az keyvault certificate issuer

Manage certificate issuer information.

az keyvault certificate issuer admin

Manage admin information for certificate issuers.

az keyvault certificate issuer admin add

Add admin details for a specified certificate issuer.

az keyvault certificate issuer admin delete

Remove admin details for the specified certificate issuer.

az keyvault certificate issuer admin list

List admins for a specified certificate issuer.

az keyvault certificate issuer create

Create a certificate issuer record.

az keyvault certificate issuer delete

Deletes the specified certificate issuer.

az keyvault certificate issuer list

List certificate issuers for a specified key vault.

az keyvault certificate issuer show

Lists the specified certificate issuer.

az keyvault certificate issuer update

Update a certificate issuer record.

az keyvault certificate list

List certificates in a specified key vault.

az keyvault certificate list-deleted

Lists the deleted certificates in the specified vault currently available for recovery.

az keyvault certificate list-versions

List the versions of a certificate.

az keyvault certificate pending

Manage pending certificate creation operations.

az keyvault certificate pending delete

Deletes the creation operation for a specific certificate.

az keyvault certificate pending merge

Merges a certificate or a certificate chain with a key pair existing on the server.

az keyvault certificate pending show

Gets the creation operation of a certificate.

az keyvault certificate purge

Permanently deletes the specified deleted certificate.

az keyvault certificate recover

Recovers the deleted certificate back to its current version under /certificates.

az keyvault certificate set-attributes

Updates the specified attributes associated with the given certificate.

az keyvault certificate show

Gets information about a certificate.

az keyvault certificate show-deleted

Retrieves information about the specified deleted certificate.

az keyvault create

Create a key vault.

az keyvault delete

Delete a key vault.

az keyvault delete-policy

Delete security policy settings for a Key Vault.

az keyvault key

Manage keys.

az keyvault key backup

Request that a backup of the specified key be downloaded to the client.

az keyvault key create

Create a new key, store it, then return key parameters and attributes to the client.

az keyvault key delete

Delete a key of any type from storage in Vault or HSM.

az keyvault key import

Import a private key.

az keyvault key list

List keys in the specified Vault or HSM.

az keyvault key list-deleted

List the deleted keys in the specified Vault or HSM.

az keyvault key list-versions

Retrieves a list of individual key versions with the same key name.

az keyvault key purge

Permanently delete the specified key.

az keyvault key recover

Recover the deleted key to its latest version.

az keyvault key restore

Restore a backed up key to a Vault or HSM.

az keyvault key set-attributes

The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Vault or HSM.

az keyvault key show

Gets the public part of a stored key.

az keyvault key show-deleted

Get the public part of a deleted key.

az keyvault list

List key vaults.

az keyvault list-deleted

Get information about the deleted Vaults or HSMs in a subscription.

az keyvault network-rule

Manage vault network ACLs.

az keyvault network-rule add

Add a network rule to the network ACLs for a Key Vault.

az keyvault network-rule list

Lists the network rules from the network ACLs for a Key Vault.

az keyvault network-rule remove

Removes a network rule from the network ACLs for a Key Vault.

az keyvault purge

Permanently delete the specified Vault or HSM, that is, purge the deleted Vault or HSM.

az keyvault recover

Recover a key vault.

az keyvault secret

Manage secrets.

az keyvault secret backup

Backs up the specified secret.

az keyvault secret delete

Deletes a secret from a specified key vault.

az keyvault secret download

Download a secret from a KeyVault.

az keyvault secret list

List secrets in a specified key vault.

az keyvault secret list-deleted

Lists deleted secrets for the specified vault.

az keyvault secret list-versions

List all versions of the specified secret.

az keyvault secret purge

Permanently deletes the specified secret.

az keyvault secret recover

Recovers the deleted secret to the latest version.

az keyvault secret restore

Restores a backed up secret to a vault.

az keyvault secret set

Create a secret (if one doesn't exist) or update a secret in a KeyVault.

az keyvault secret set-attributes

Updates the attributes associated with a specified secret in a given key vault.

az keyvault secret show

Get a specified secret from a given key vault.

az keyvault secret show-deleted

Gets the specified deleted secret.

az keyvault set-policy

Update security policy settings for a Key Vault.

az keyvault show

Show details of a key vault.

az keyvault storage

Manage storage accounts.

az keyvault storage add

Creates or updates a new storage account.

az keyvault storage backup

Backs up the specified storage account.

az keyvault storage list

List storage accounts managed by the specified key vault.

az keyvault storage list-deleted

Lists deleted storage accounts for the specified vault.

az keyvault storage purge

Permanently deletes the specified storage account.

az keyvault storage recover

Recovers the deleted storage account.

az keyvault storage regenerate-key

Regenerates the specified key value for the given storage account.

az keyvault storage remove

Remove a Key Vault managed Azure Storage Account and all associated SAS definitions. This operation requires the storage/delete permission.

az keyvault storage restore

Restores a backed up storage account to a vault.

az keyvault storage sas-definition

Manage storage account SAS definitions.

az keyvault storage sas-definition create

Creates or updates a new SAS definition for the specified storage account.

az keyvault storage sas-definition delete

Deletes a SAS definition from a specified storage account.

az keyvault storage sas-definition list

List storage SAS definitions for the given storage account.

az keyvault storage sas-definition list-deleted

Lists deleted SAS definitions for the specified vault and storage account.

az keyvault storage sas-definition recover

Recovers the deleted SAS definition.

az keyvault storage sas-definition show

Gets information about a SAS definition for the specified storage account.

az keyvault storage sas-definition show-deleted

Gets the specified deleted SAS definition.

az keyvault storage sas-definition update

Updates the specified attributes associated with the given SAS definition.

az keyvault storage show

Gets information about a specified storage account.

az keyvault storage show-deleted

Gets the specified deleted storage account.

az keyvault storage update

Updates the specified attributes associated with the given storage account.

az keyvault update

Update the properties of a key vault.

az keyvault create

Create a key vault.

Default permissions are created for the current user or service principal unless the --no-self-perms flag is specified.

az keyvault create --name
                   --resource-group
                   [--bypass {AzureServices, None}]
                   [--default-action {Allow, Deny}]
                   [--enable-purge-protection {false, true}]
                   [--enable-soft-delete {false, true}]
                   [--enabled-for-deployment {false, true}]
                   [--enabled-for-disk-encryption {false, true}]
                   [--enabled-for-template-deployment {false, true}]
                   [--location]
                   [--no-self-perms {false, true}]
                   [--sku {premium, standard}]
                   [--tags]

Required Parameters

--name -n

Name of the key vault.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--bypass

Traffic allowed to bypass the network ACLs, given as space-separated uses.

accepted values: AzureServices, None

--default-action

Default action to apply when no rule matches.

accepted values: Allow, Deny

--enable-purge-protection

Prevents manual purging of deleted vault, and all contained entities.

accepted values: false, true

--enable-soft-delete

Enable vault deletion recovery for the vault, and all contained entities.

accepted values: false, true

--enabled-for-deployment

Allow Virtual Machines to retrieve certificates stored as secrets from the vault.

accepted values: false, true

--enabled-for-disk-encryption

Allow Disk Encryption to retrieve secrets from the vault and unwrap keys.

accepted values: false, true

--enabled-for-template-deployment

Allow Resource Manager to retrieve secrets from the vault.

accepted values: false, true

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

--no-self-perms

Don't add permissions for the current user/service principal in the new vault.

accepted values: false, true

--sku

Required. SKU details.

accepted values: premium, standard
default value: standard

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

az keyvault delete

Delete a key vault.

az keyvault delete --name
                   [--resource-group]

Required Parameters

--name -n

Name of the key vault.

Optional Parameters

--resource-group -g

Proceed only if Key Vault belongs to the specified resource group.

az keyvault delete-policy

Delete security policy settings for a Key Vault.

az keyvault delete-policy --name
                          [--object-id]
                          [--resource-group]
                          [--spn]
                          [--upn]

Required Parameters

--name -n

Name of the key vault.

Optional Parameters

--object-id

A GUID that identifies the principal that will receive permissions.

--resource-group -g

Proceed only if Key Vault belongs to the specified resource group.

--spn

Name of a service principal that will receive permissions.

--upn

Name of a user principal that will receive permissions.

az keyvault list

List key vaults.

az keyvault list [--resource-group]

Optional Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az keyvault list-deleted

Get information about the deleted Vaults or HSMs in a subscription.

az keyvault list-deleted

az keyvault purge

Permanently delete the specified Vault or HSM, that is, purge the deleted Vault or HSM.

az keyvault purge --location
                  --name

Required Parameters

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

--name -n

Name of the key vault.

az keyvault recover

Recover a key vault.

Recovers a previously deleted key vault for which soft delete was enabled.

az keyvault recover --location
                    --name
                    [--resource-group]

Required Parameters

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

--name -n

Name of the key vault.

Optional Parameters

--resource-group -g

Proceed only if Key Vault belongs to the specified resource group.

az keyvault set-policy

Update security policy settings for a Key Vault.

az keyvault set-policy --name
                       [--certificate-permissions {backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers, update}]
                       [--key-permissions {backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify, wrapKey}]
                       [--object-id]
                       [--resource-group]
                       [--secret-permissions {backup, delete, get, list, purge, recover, restore, set}]
                       [--spn]
                       [--storage-permissions {backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas, update}]
                       [--upn]

Required Parameters

--name -n

Name of the key vault.

Optional Parameters

--certificate-permissions

Space-separated list of certificate permissions to assign.

accepted values: backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers, update

--key-permissions

Space-separated list of key permissions to assign.

accepted values: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify, wrapKey

--object-id

A GUID that identifies the principal that will receive permissions.

--resource-group -g

Proceed only if Key Vault belongs to the specified resource group.

--secret-permissions

Space-separated list of secret permissions to assign.

accepted values: backup, delete, get, list, purge, recover, restore, set

--spn

Name of a service principal that will receive permissions.

--storage-permissions

Space-separated list of storage permissions to assign.

accepted values: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas, update

--upn

Name of a user principal that will receive permissions.
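
The az keyvault create and az keyvault set-policy parameters documented above, combined into a locked-down creation followed by a least-privilege grant. This is an added example, not part of the original reference; the helper names (run, create_hardened_vault, grant_least_privilege) and the vault, resource group and object ID values are constructed placeholders.

```shell
# Added example, not from the Azure CLI reference. All names and IDs below are
# constructed placeholders; the helper functions are hypothetical.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az command instead of executing it

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create a vault whose network ACLs deny by default, whose deleted contents
# stay recoverable and cannot be purged manually, and which gives the creating
# identity no default permissions (--no-self-perms). Because of that last flag,
# access must be granted explicitly afterwards with set-policy.
create_hardened_vault() {
  vault="$1"; group="$2"
  run az keyvault create --name "$vault" --resource-group "$group" \
    --default-action Deny --bypass None \
    --enable-soft-delete true --enable-purge-protection true \
    --enabled-for-deployment false \
    --enabled-for-disk-encryption false \
    --enabled-for-template-deployment false \
    --no-self-perms true --sku standard
}

# Grant one principal an explicit permission list for one object type.
# The purge permission is refused so that a routine grant never hands out
# the ability to permanently delete soft-deleted objects.
grant_least_privilege() {
  vault="$1"; object_id="$2"; flag="$3"; shift 3
  case "$flag" in
    --secret-permissions|--key-permissions) ;;
    --certificate-permissions|--storage-permissions) ;;
    *) echo "unknown permission flag: $flag" >&2; return 2 ;;
  esac
  for perm in "$@"; do
    if [ "$perm" = "purge" ]; then
      echo "refusing to grant purge via $flag" >&2; return 1
    fi
  done
  run az keyvault set-policy --name "$vault" --object-id "$object_id" \
    "$flag" "$@"
}

# Dry-run usage with constructed values.
create_hardened_vault demo-kv demo-rg
grant_least_privilege demo-kv 00000000-0000-0000-0000-000000000000 \
  --secret-permissions get list
```

Set DRY_RUN=0 to execute the commands against the subscription selected in the current az login session.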

az keyvault show

Show details of a key vault.

az keyvault show --name
                 [--resource-group]

Required Parameters

--name -n

Name of the key vault.

Optional Parameters

--resource-group -g

Proceed only if Key Vault belongs to the specified resource group.

az keyvault update

Update the properties of a key vault.

az keyvault update --name
                   [--add]
                   [--bypass {AzureServices, None}]
                   [--default-action {Allow, Deny}]
                   [--enable-purge-protection {false, true}]
                   [--enable-soft-delete {false, true}]
                   [--enabled-for-deployment {false, true}]
                   [--enabled-for-disk-encryption {false, true}]
                   [--enabled-for-template-deployment {false, true}]
                   [--force-string]
                   [--remove]
                   [--resource-group]
                   [--set]

Required Parameters

--name -n

Name of the key vault.

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--bypass

Traffic allowed to bypass the network ACLs, given as space-separated uses.

accepted values: AzureServices, None

--default-action

Default action to apply when no rule matches.

accepted values: Allow, Deny

--enable-purge-protection

Prevents manual purging of deleted vault, and all contained entities.

accepted values: false, true

--enable-soft-delete

Enable vault deletion recovery for the vault, and all contained entities.

accepted values: false, true

--enabled-for-deployment

Allow Virtual Machines to retrieve certificates stored as secrets from the vault.

accepted values: false, true

--enabled-for-disk-encryption

Allow Disk Encryption to retrieve secrets from the vault and unwrap keys.

accepted values: false, true

--enabled-for-template-deployment

Allow Resource Manager to retrieve secrets from the vault.

accepted values: false, true

--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

--remove

Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.

--resource-group -g

Proceed only if Key Vault belongs to the specified resource group.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=.