Azure Key Vault is to applications in Azure what services like LastPass and applications like KeePass are to end users: a secure, centralized key/secret management system. Key Vault was designed primarily for programmatic use by Azure-based applications and infrastructure resources such as VMs, storage etc. However, it's not uncommon for teams to use Azure Key Vault as a shared secret repository, much like a consumer would use LastPass, so secrets don't end up in Evernote, OneNote etc.
Here are a few quick pointers on how to get you started with Key Vault using the Azure CLI client.
Log in with your Azure CLI. Set the active account to the subscription ID that hosts the vault you want to access.
This sets the secret Private-RSA in vault Foo-Vault using the contents of ~/.ssh/id_rsa as the secret's value:
az keyvault secret set --vault-name 'Foo-Vault' -n 'Private-RSA' -f '~/.ssh/id_rsa'
If you want to set a secret from something other than a file, you can supply its value at the command line with --value aValue. Be mindful that this is a very bad practice, as your secret will now be part of your shell command line history. When using the --value parameter, supply the secret indirectly, e.g. through an environment variable or the computed output of some other binary.
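As an added example (not part of the original post), the helper below takes the indirect route one step further: it reads the secret from stdin and hands it to the CLI through the -f option shown above, so the value appears neither in shell history nor in the process argument list. The function name kv_set_from_stdin and the secret name Api-Token in the usage comment are hypothetical.

```bash
# Added example: store a secret read from stdin in Key Vault.
# kv_set_from_stdin is a hypothetical helper; it only uses the az flags
# shown on this page (--vault-name, -n, -f).
kv_set_from_stdin() {
    local vault="$1" name="$2" tmp rc
    if [ -z "$vault" ] || [ -z "$name" ]; then
        echo "usage: kv_set_from_stdin VAULT NAME < secret" >&2
        return 2
    fi
    # Temp file readable by the current user only.
    tmp="$(umask 077 && mktemp)" || return 1
    # Stream stdin into the file; the value never appears on a command line.
    if ! cat > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # Catch a failed upstream command that produced no output.
    if [ ! -s "$tmp" ]; then
        echo "refusing to store an empty secret" >&2
        rm -f "$tmp"
        return 1
    fi
    rc=0
    az keyvault secret set --vault-name "$vault" -n "$name" -f "$tmp" >/dev/null || rc=$?
    # Remove the plaintext copy whether or not the upload succeeded.
    rm -f "$tmp"
    return "$rc"
}

# Usage, with the computed output of another binary as the secret:
#   openssl rand -base64 32 | kv_set_from_stdin 'Foo-Vault' 'Api-Token'
```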
This retrieves the JSON response object for secret Private-RSA in vault Foo-Vault:
az keyvault secret show --vault-name 'Foo-Vault' --name 'Private-RSA'
If you'd rather only get the actual secret value, you have to parse that JSON property from the response, e.g. using jq:
az keyvault secret show --vault-name 'Foo-Vault' --name 'Private-RSA' | jq -r .value
jq can be downloaded here.
Azure Key Vault to clipboard
You can copy a secret’s value directly to your clipboard.
Windows PowerShell:
az keyvault secret show --vault-name 'Foo-Vault' --name 'Private-RSA' | jq -r .value | Set-Clipboard
Linux BASH (requires xclip in $PATH):
az keyvault secret show --vault-name 'Foo-Vault' --name 'Private-RSA' | jq -r .value | xclip -selection clipboard
Mac OS X:
az keyvault secret show --vault-name 'Foo-Vault' --name 'Private-RSA' | jq -r .value | pbcopy
Azure Key Vault Explorer
On Windows, you can use Azure Key Vault Explorer.