# Secrets in Key Vault

You can manage secrets in [Azure Key Vault](https://docs.microsoft.com/azure/key-vault/secrets/about-secrets) using the [Azure CLI](https://aka.ms/azure-cli). The CLI is a powerful cross-platform tool for managing many different types of Azure resources, including Key Vault secrets.

In this sample, we'll create a Key Vault and manage a secret in that vault.

## Creating a Key Vault

First you'll need to authenticate to Azure:

In [1]:
az login

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code FKTRXU3U5 to authenticate.
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "96be4b7a-defb-4dc2-a31f-49ee6145d5ab",
    "id": "c649122d-c5c8-40b0-b95c-e09da8dbfdf0",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Windows Azure MSDN - Visual Studio Ultimate",
    "state": "Enabled",
    "tenantId": "96be4b7a-defb-4dc2-a31f-49ee6145d5ab",
    "user": {
      "name": "heaths@outlook.com",
      "type": "user"
    }
  },
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "96be4b7a-defb-4dc2-a31f-49ee6145d5ab",
    "id": "22f692c2-e192-4019-b0f8-884cefc0f1a1",
    "isDefault": false,
    "managedByTenants": [],
    "name": "Visual Studio Enterprise",
    "state": "Enabled",
    "tenantId": "96be4b7a-defb-4dc2-a31f-49ee6145d5ab",
    "user": {
      "name": "heaths@outlook.com",
      "type": "user"
    }
  }
]

Next, create a resource group and then a vault within that resource group.

In [4]:
az group create -g rg-isample-keyvault -l westus2
az keyvault create -g rg-isample-keyvault -l westus2 -n isample-keyvault

{
  "id": "/subscriptions/c649122d-c5c8-40b0-b95c-e09da8dbfdf0/resourceGroups/rg-isample-keyvault",
  "location": "westus2",
  "managedBy": null,
  "name": "rg-isample-keyvault",
  "properties": {
    "provisioningState": "Succeeded"
  },
  "tags": null,
  "type": "Microsoft.Resources/resourceGroups"
}
{
  "id": "/subscriptions/c649122d-c5c8-40b0-b95c-e09da8dbfdf0/resourceGroups/rg-isample-keyvault/providers/Microsoft.KeyVault/vaults/isample-keyvault",
  "location": "westus2",
  "name": "isample-keyvault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "3399e42e-bb76-4cb4-b564-e68e8a1df8cd",
        "permissions": {
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",

## Creating a secret

To create a secret, simply specify a name and value:

In [6]:
az keyvault secret set --vault-name isample-keyvault -n secret-name --value "secret value"

{
  "attributes": {
    "created": "2020-09-09T07:41:38+00:00",
    "enabled": true,
    "expires": null,
    "notBefore": null,
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2020-09-09T07:41:38+00:00"
  },
  "contentType": null,
  "id": "https://isample-keyvault.vault.azure.net/secrets/secret-name/93ab80eb955244869caf65811125d9c8",
  "kid": null,
  "managed": null,
  "name": "secret-name",
  "tags": {
    "file-encoding": "utf-8"
  },
  "value": "secret value"
}

## Updating a secret

Updating a secret actually creates a new version. Secret versions are immutable, and you can retrieve past versions of a secret.

In [7]:
az keyvault secret set --vault-name isample-keyvault -n secret-name --value "new secret value"

{
  "attributes": {
    "created": "2020-09-09T07:43:28+00:00",
    "enabled": true,
    "expires": null,
    "notBefore": null,
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2020-09-09T07:43:28+00:00"
  },
  "contentType": null,
  "id": "https://isample-keyvault.vault.azure.net/secrets/secret-name/fe1f4779d8574ee680a1d07ed75434e1",
  "kid": null,
  "managed": null,
  "name": "secret-name",
  "tags": {
    "file-encoding": "utf-8"
  },
  "value": "new secret value"
}

Notice that the `id` changed, specifically the path segment after the secret name. Each change to the secret creates a new version. For this reason, the full secret ID including the version is used for cryptographic operations so that the right value is always used.
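As an added example (not part of the original sample), a small Python helper that splits the `id` and `recoveryId` values shown above into vault, collection, name and version, and reports whether an id is pinned to a version. It assumes the shapes visible on this page: a `secrets` or `deletedsecrets` path segment and a 32-character hexadecimal version.

```python
# Added example: parse Key Vault secret identifiers and tell pinned from floating ids.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

HEX = set("0123456789abcdef")


@dataclass(frozen=True)
class SecretId:
    vault_host: str        # e.g. isample-keyvault.vault.azure.net
    collection: str        # "secrets" or "deletedsecrets"
    name: str
    version: Optional[str]  # None for an unversioned id, which resolves to the latest version


def parse_secret_id(secret_id: str) -> SecretId:
    """Split a secret id into its parts.

    Versioned:   https://<vault>.vault.azure.net/secrets/<name>/<version>
    Unversioned: https://<vault>.vault.azure.net/secrets/<name>
    Recovery id: https://<vault>.vault.azure.net/deletedsecrets/<name>
    """
    parts = urlsplit(secret_id)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"not an https Key Vault URL: {secret_id}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (2, 3) or segments[0] not in ("secrets", "deletedsecrets"):
        raise ValueError(f"unexpected path in secret id: {parts.path}")
    if segments[0] == "deletedsecrets" and len(segments) != 2:
        raise ValueError("recovery ids are never versioned")
    version = segments[2] if len(segments) == 3 else None
    # Assumption: versions are 32 lowercase hex characters, as in the ids shown on this page.
    if version is not None and (len(version) != 32 or not set(version) <= HEX):
        raise ValueError(f"malformed version segment: {version}")
    return SecretId(parts.netloc, segments[0], segments[1], version)


def is_pinned(secret_id: str) -> bool:
    """True when the id names an exact version, so a later `secret set` cannot change what it resolves to."""
    return parse_secret_id(secret_id).version is not None


# Constructed sample inputs, copied from the ids shown in the cells above.
VERSIONED = "https://isample-keyvault.vault.azure.net/secrets/secret-name/fe1f4779d8574ee680a1d07ed75434e1"
LATEST = "https://isample-keyvault.vault.azure.net/secrets/secret-name"
RECOVERY = "https://isample-keyvault.vault.azure.net/deletedsecrets/secret-name"

if __name__ == "__main__":
    for sid in (VERSIONED, LATEST, RECOVERY):
        print(parse_secret_id(sid), "pinned" if is_pinned(sid) else "floating")
```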

## Deleting secrets

To delete a secret, simply run:

In [8]:
az keyvault secret delete --vault-name isample-keyvault -n secret-name

https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview
{
  "attributes": {
    "created": "2020-09-09T07:43:28+00:00",
    "enabled": true,
    "expires": null,
    "notBefore": null,
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2020-09-09T07:43:28+00:00"
  },
  "contentType": null,
  "deletedDate": "2020-09-09T07:46:11+00:00",
  "id": "https://isample-keyvault.vault.azure.net/secrets/secret-name/fe1f4779d8574ee680a1d07ed75434e1",
  "kid": null,
  "managed": null,
  "name": "secret-name",
  "recoveryId": "https://isample-keyvault.vault.azure.net/deletedsecrets/secret-name",
  "scheduledPurgeDate": "2020-12-08T07:46:11+00:00",
  "tags": {
    "file-encoding": "utf-8"
  },
  "value": null
}

Because soft delete is enabled, we have to purge the secret before we can create a new one with the same name. You could also recover this secret any time before it's automatically purged (default is 90 days).

In [9]:
az keyvault secret purge --id https://isample-keyvault.vault.azure.net/deletedsecrets/secret-name

The user, group or application 'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=3399e42e-bb76-4cb4-b564-e68e8a1df8cd;numgroups=1;iss=https://sts.windows.net/96be4b7a-defb-4dc2-a31f-49ee6145d5ab/' does not have secrets purge permission on key vault 'isample-keyvault;location=westus2'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287

Here we use the `recoveryId` to purge the secret and all its versions. As the output shows, the call was rejected: the signed-in principal has the permissions needed to create and delete secrets on this vault, but `purge` is a separate secrets permission that is not granted along with `delete`, and it must be granted explicitly before this command succeeds.
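As an added example (not part of the original sample), a Python helper that reads the principal and the missing permission out of the error printed above and compares them against the access policies returned by `az keyvault show`. The vault JSON below is constructed to mirror the `accessPolicies` structure shown earlier; its list of secret permissions is an assumption chosen so that the policy can delete but not purge.

```python
# Added example: diagnose a Key Vault "does not have secrets purge permission" error
# against the vault's access policies. Purge is distinct from delete.
import json
import re

# Constructed sample vault JSON (shape of `az keyvault show` output, trimmed).
SAMPLE_VAULT_JSON = json.dumps({
    "name": "isample-keyvault",
    "properties": {"accessPolicies": [{
        "objectId": "3399e42e-bb76-4cb4-b564-e68e8a1df8cd",
        "permissions": {"secrets": ["get", "list", "set", "delete", "backup", "restore", "recover"]},
    }]},
})

# The error text printed by `az keyvault secret purge` in the cell above.
SAMPLE_ERROR = (
    "The user, group or application 'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;"
    "oid=3399e42e-bb76-4cb4-b564-e68e8a1df8cd;numgroups=1;"
    "iss=https://sts.windows.net/96be4b7a-defb-4dc2-a31f-49ee6145d5ab/' "
    "does not have secrets purge permission on key vault 'isample-keyvault;location=westus2'."
)

ERROR_RE = re.compile(r"'([^']+)' does not have (\w+) (\w+) permission on key vault '([^';]+)")


def parse_forbidden_error(message: str) -> dict:
    """Return oid, appid, object type, permission and vault parsed from the data-plane error."""
    m = ERROR_RE.search(message)
    if not m:
        raise ValueError("not a Key Vault permission error")
    identity = dict(kv.split("=", 1) for kv in m.group(1).split(";") if "=" in kv)
    return {"oid": identity.get("oid"), "appid": identity.get("appid"),
            "object": m.group(2), "permission": m.group(3), "vault": m.group(4)}


def secret_permissions(vault_json: str, object_id: str) -> set:
    """Lowercased secret permissions the vault's access policies grant to object_id."""
    granted = set()
    for policy in json.loads(vault_json)["properties"]["accessPolicies"]:
        if policy.get("objectId", "").lower() == object_id.lower():
            granted.update(p.lower() for p in policy["permissions"].get("secrets") or [])
    return granted


def diagnose(vault_json: str, message: str) -> str:
    """Explain the failure: which principal lacks which secret permission on which vault."""
    err = parse_forbidden_error(message)
    have = secret_permissions(vault_json, err["oid"])
    if err["permission"] in have or "all" in have:
        return f"policy already grants {err['permission']}; the error may be stale or from another vault"
    return (f"object {err['oid']} has secret permissions {sorted(have)} on {err['vault']} "
            f"but not '{err['permission']}'; grant it explicitly before retrying")
```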

## Links

* [About Azure Key Vault secrets](https://docs.microsoft.com/azure/key-vault/secrets/about-secrets)