Azure Key Vault

Overview

Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. It provides secure storage, access control, and auditing capabilities.

  • Store secrets like passwords, API keys, and certificates.
  • Manage encryption keys for data protection.
  • Control access with Azure Active Directory and role‑based policies.
  • Integrate with Azure services such as Azure Functions, App Service, and Kubernetes.

Getting Started

Follow these steps to create a Key Vault and add a secret.

# Create a resource group
az group create --name MyResourceGroup --location eastus

# Create the Key Vault
az keyvault create --name MyKeyVault --resource-group MyResourceGroup --location eastus

# Add a secret
az keyvault secret set --vault-name MyKeyVault --name "DbPassword" --value "P@ssw0rd!"

Secrets

Store and retrieve secrets securely.

# Set a secret
# Note: a value given with --value is visible in shell history and process listings;
# for sensitive values read it from a file with --file instead.
az keyvault secret set --vault-name MyKeyVault --name "ApiKey" --value "abc123"

# Retrieve a secret
az keyvault secret show --vault-name MyKeyVault --name "ApiKey"

Keys

Create, import, and manage encryption keys.

# Create an RSA key
az keyvault key create --vault-name MyKeyVault --name "MyRSAKey" --kty RSA --size 2048

# List keys
az keyvault key list --vault-name MyKeyVault

Certificates

Manage SSL/TLS certificates directly in Key Vault.

# Create a self‑signed certificate
az keyvault certificate create --vault-name MyKeyVault --name "MyCert" --policy "$(az keyvault certificate get-default-policy)"

# Download the public certificate (PEM). The private key is not included;
# it is only obtainable through the certificate's backing secret.
az keyvault certificate download --vault-name MyKeyVault --name "MyCert" --file cert.pem --encoding PEM

Access Policies

Control who can perform operations on the vault.

# Grant an application read access to secrets
az keyvault set-policy --name MyKeyVault --spn  --secret-permissions get list

# Revoke a user’s permissions
az keyvault delete-policy --name MyKeyVault --upn user@example.com

Monitoring & Logging

Enable diagnostic settings to send logs to Azure Monitor, Log Analytics, or Event Hub.

# Enable diagnostics
az monitor diagnostic-settings create \
  --name kvDiagnostics \
  --resource /subscriptions//resourceGroups/MyResourceGroup/providers/Microsoft.KeyVault/vaults/MyKeyVault \
  --logs '[{"category":"AuditEvent","enabled":true}]' \
  --metrics '[{"category":"AllMetrics","enabled":true}]' \
  --workspace 
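
As an added example (not part of this page or of Microsoft's tooling), the following Python scans the AuditEvent records that the diagnostic setting above exports and flags two things a defender wants to see: access denials, and callers reading unusually many distinct secrets. The sample records are constructed, and the field names (operationName, resultSignature, callerIpAddress, identity.claim, properties.id) follow the Key Vault AuditEvent schema as I understand it; check them against your own export.

```python
import json
from collections import defaultdict

# Constructed sample export (newline-delimited JSON), not real vault logs.
SAMPLE_LOG = r'''
{"time":"2024-05-01T10:00:01Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"10.0.0.5","identity":{"claim":{"appid":"app-a"}},"properties":{"id":"https://mykeyvault.vault.azure.net/secrets/DbPassword/1a2b"}}
{"time":"2024-05-01T10:00:02Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"10.0.0.5","identity":{"claim":{"appid":"app-a"}},"properties":{"id":"https://mykeyvault.vault.azure.net/secrets/ApiKey"}}
{"time":"2024-05-01T10:00:03Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"10.0.0.5","identity":{"claim":{"appid":"app-a"}},"properties":{"id":"https://mykeyvault.vault.azure.net/secrets/MyCert"}}
{"time":"2024-05-01T10:00:04Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"10.0.0.5","identity":{"claim":{"appid":"app-a"}},"properties":{"id":"https://mykeyvault.vault.azure.net/secrets/StorageKey"}}
{"time":"2024-05-01T10:00:05Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.7","identity":{"claim":{"upn":"user@example.com"}},"properties":{"id":"https://mykeyvault.vault.azure.net/secrets/DbPassword"}}
{"time":"2024-05-01T10:00:06Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"10.0.0.9","identity":{"claim":{"appid":"app-b"}},"properties":{"id":"https://mykeyvault.vault.azure.net/secrets/ApiKey"}}
{"time":"2024-05-01T10:00:07Z","category":"AllMetrics","metricName":"ServiceApiHit","total":7}
'''

def parse_audit_events(text):
    """Parse NDJSON and keep only the AuditEvent category (metric records are skipped)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if rec.get("category") == "AuditEvent":
                events.append(rec)
    return events

def caller_of(rec):
    """Identify the caller: app id for service principals, UPN for users."""
    claim = rec.get("identity", {}).get("claim", {})
    return claim.get("appid") or claim.get("upn") or claim.get("oid") or "unknown"

def secret_name(rec):
    """Secret name taken from properties.id, ignoring a trailing version segment."""
    parts = rec.get("properties", {}).get("id", "").split("/secrets/", 1)
    return parts[1].split("/", 1)[0] if len(parts) == 2 else None

def find_denials(events):
    """Every non-OK result as (caller, source IP, operation, secret); repeats mean probing."""
    return [(caller_of(e), e.get("callerIpAddress"), e.get("operationName"), secret_name(e))
            for e in events if e.get("resultSignature") != "OK"]

def find_bulk_secret_readers(events, threshold=3):
    """Callers that read more than `threshold` distinct secrets: an enumeration/dump pattern."""
    seen = defaultdict(set)
    for e in events:
        if e.get("operationName") == "SecretGet" and e.get("resultSignature") == "OK":
            seen[caller_of(e)].add(secret_name(e))
    return {c: len(names) for c, names in seen.items() if len(names) > threshold}
```

Tune the threshold to what each workload legitimately reads; a single service that suddenly touches every secret in the vault is the case this is meant to surface.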

FAQ

  • Can I use Key Vault with on‑premises apps? Yes, via Azure AD authentication and the Key Vault REST API.
  • What is the max size of a secret? 25 KB per secret value.
  • How many keys can I store? Up to 10,000 keys per vault by default; contact support for higher limits.