Azure Key Vault is to applications in Azure what services like LastPass and applications like KeePass are to end users: a secure, centralized key and secret management system. Key Vault is designed to be used primarily programmatically by Azure-based applications and infrastructure resources such as VMs and storage. However, it's not uncommon for teams to use Azure Key Vault as a shared secret repository, much as a consumer would use LastPass, so that secrets don't end up in Evernote, OneNote, etc.
Here are a few quick pointers to get you started with Key Vault using the Azure CLI.
Log in with your Azure CLI. Set the active account to the subscription ID that hosts the vault you want to access.
This sets the secret Private-RSA in vault Foo-Vault using the contents of ~/.ssh/id_rsa as the secret's value:
az keyvault secret set --vault-name 'Foo-Vault' -n 'Private-RSA' -f '~/.ssh/id_rsa'
If you want to set a secret from something other than a file, you can supply its value at the command line with --value aValue. Be mindful that this is a very bad practice, as your secret will now be part of your shell command line history. When using the --value parameter, supply the secret indirectly, e.g. through an environment variable or the computed output of some other binary.
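An added example, not from the original post: a value expanded into --value "$VAR" stays out of shell history but is still part of the az process's argument list, so this helper takes the computed output of another command on stdin and hands it to az through a private temporary file with -f instead. The helper name kv_set_from_stdin, the script name kv-set.sh and the secret name Db-Password are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). kv_set_from_stdin is a
# hypothetical helper name; 'Db-Password' is a constructed secret name.
#
# Reads a secret value from stdin and stores it with the same
# `az keyvault secret set ... -f FILE` form used for the RSA key, so the value
# never appears in shell history or in any process's argument list.
#
#   openssl rand -base64 32 | kv_set_from_stdin 'Foo-Vault' 'Db-Password'

kv_set_from_stdin() {
    kv_vault=$1
    kv_name=$2
    if [ -z "$kv_vault" ] || [ -z "$kv_name" ]; then
        echo "usage: kv_set_from_stdin VAULT SECRET_NAME < value" >&2
        return 2
    fi

    # mktemp creates the file with mode 0600 (owner read/write only).
    kv_tmp=$(mktemp) || return 1

    # $(cat) drops trailing newlines; printf is a builtin in bash and dash,
    # so the value reaches the file without becoming a command argument.
    kv_value=$(cat)
    printf '%s' "$kv_value" > "$kv_tmp"
    unset kv_value

    # Record the exit status without tripping `set -e` in a calling script,
    # and discard the JSON response so nothing is echoed to the terminal.
    kv_rc=0
    az keyvault secret set --vault-name "$kv_vault" -n "$kv_name" \
        -f "$kv_tmp" > /dev/null || kv_rc=$?

    # Remove the temporary copy whether or not the upload succeeded.
    rm -f "$kv_tmp"
    return "$kv_rc"
}

# Stand-alone use:  ./kv-set.sh Foo-Vault Db-Password < value-source
if [ "$#" -eq 2 ]; then
    kv_set_from_stdin "$1" "$2"
fi
```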
This retrieves the JSON response object for secret Private-RSA in vault Foo-Vault:
az keyvault secret show --vault-name 'Foo-Vault' --name 'Private-RSA'
If you'd rather get only the actual secret value, you have to parse that JSON property from the response, e.g. using jq:
az keyvault secret show --vault-name 'Foo-Vault' --name 'Private-RSA' | jq -r .value
jq can be downloaded here.
Azure Key Vault to clipboard
You can copy a secret's value directly to your clipboard.
PowerShell:
az keyvault secret show --vault-name 'Foo-Vault' --name 'Private-RSA' | jq -r .value | Set-Clipboard
Linux BASH (requires xclip in $PATH):
az keyvault secret show --vault-name 'Foo-Vault' --name 'Private-RSA' | jq -r .value | xclip -selection clipboard
Mac OS X:
az keyvault secret show --vault-name 'Foo-Vault' --name 'Private-RSA' | jq -r .value | pbcopy
Azure Key Vault Explorer
On Windows, you can use Azure Key Vault Explorer.