Azure Key Vault Quickstart

Azure, Key Vault

Azure Key Vault is to applications in Azure what services like LastPass and applications like KeePass deliver to end users: a secure, centralized key/secret management system. Key Vault has been designed to be used primarily programmatically by Azure based applications and infrastructure resources such as VMs, storage etc. – however, it’s not uncommon that teams working together use Azure Key Vault for managing a shared secret repository much like a consumer would use LastPass – so secrets don’t end up in Evernote, OneNote etc.

Here are a few quick pointers on how to get you started with Key Vault using the Azure CLI client.

Log in with your Azure CLI. Set the active account to the subscription ID that hosts the vault you want to access.

This sets the secret Private-RSA in vault Foo-Vault using the contents of ~/.ssh/id_rsa as the secret’s value:

az keyvault secret set --vault-name 'Foo-Vault' -n 'Private-RSA' -f '~/.ssh/id_rsa'

If you want to set a secret from something other than a file, you can supply its value at the command line with --value aValue. Be mindful that this is a very bad practice as your secret will now be part of your shell command line history. When using the --value parameter, supply the secret indirectly, e.g. through an environment variable or the computed output of some other binary.

This retrieves the JSON response object for secret Private-RSA in vault Foo-Vault:

az keyvault secret show --vault-name 'Foo-Vault' --name 'Private-RSA'

If you’d rather only get the actual secret value, you have to parse that JSON property from the response, e.g. using jq:

az keyvault secret show --vault-name 'Foo-Vault' --name 'Private-RSA' | jq -r .value

jq can be downloaded here.

Azure Key Vault to clipboard

You can copy a secret’s value directly to your clipboard.

Windows Powershell:

az keyvault secret show --vault-name 'Foo-Vault' --name 'Private-RSA' | jq -r .value | Set-Clipboard

Linux BASH (requires xclip in $PATH):

az keyvault secret show --vault-name 'Foo-Vault' --name 'Private-RSA' | jq -r .value | xclip

Mac OS X:

az keyvault secret show --vault-name 'Foo-Vault' --name 'Private-RSA' | jq -r .value | pbcopy

Azure Key Vault Explorer

On Windows, you can use Azure Key Vault Explorer .