3

I'm not able to read the value of one of my secrets in Key Vault. I'm logged in with my Azure account and I have full permission to the selected Key Vault.

I'm able to retrieve a list of available secrets using the following command:

$keyVaultValue = (Get-AzKeyVaultSecret -VaultName 'name-of-key-vault')

And then see the content when I write:

Write-Output $keyVaultValue

But when I ask for a specific key it just returns null:

$keyVaultValue = (Get-AzKeyVaultSecret -VaultName 'name-of-key-vault' -Name 'my-secret-name').SecretValueText

I've checked the name and subscription ID and everything is correct. I can easily read the value from the portal, but not from PowerShell on my Windows PC.

Any suggestions?

4 Answers

6

SecretValueText is deprecated. You can use the following syntax to retrieve the value as plain text:

$keyVaultValue = Get-AzKeyVaultSecret -VaultName 'name-of-key-vault' -Name 'my-secret-name'
$keyVaultValue.SecretValue | ConvertFrom-SecureString -AsPlainText

More information and examples can be found here.

Amit Baranes
  • "ConvertFrom-SecureString : A parameter cannot be found that matches parameter name 'AsPlainText'" – johnstaveley Apr 16 '21 at 09:47
  • 'AsPlainText' was added in PowerShell 7.0. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertfrom-securestring – chris Sep 29 '21 at 16:06
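
The comments above point out that ConvertFrom-SecureString -AsPlainText only exists in PowerShell 7.0 and later. As an added example (not code from any of the answers), this reads SecretValue through the .NET Marshal class, which is also available in Windows PowerShell 5.1, and wipes the unmanaged copy afterwards; the function names ConvertTo-PlainText and Get-VaultSecretPlainText are hypothetical and the sample value is constructed.

```powershell
# Added example: SecureString -> plain text without ConvertFrom-SecureString -AsPlainText.
function ConvertTo-PlainText {          # hypothetical helper name
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.SecureString]$SecureString
    )
    process {
        # Copy the SecureString into unmanaged memory as a BSTR.
        $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
        try {
            # Read the BSTR back as a managed string.
            [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        }
        finally {
            # Zero and free the unmanaged copy even if the read fails.
            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
    }
}

function Get-VaultSecretPlainText {     # hypothetical wrapper name
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$Name
    )
    # Requires the Az.KeyVault module and an authenticated session (Connect-AzAccount).
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name
    if ($null -eq $secret) {
        # Fail loudly instead of silently handing $null to the caller.
        throw "No secret named '$Name' was returned from vault '$VaultName'."
    }
    $secret.SecretValue | ConvertTo-PlainText
}

# Offline check with a constructed value (no Azure call is made here):
$sample = ConvertTo-SecureString 'constructed-sample-value' -AsPlainText -Force
$sample | ConvertTo-PlainText

# Against a real vault (placeholder names taken from the question):
# $keyVaultValue = Get-VaultSecretPlainText -VaultName 'name-of-key-vault' -Name 'my-secret-name'
```

The returned value is an ordinary .NET string that stays in process memory until it is garbage-collected, so keep it out of Write-Host output, transcripts and log files.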
3

If you want to show all key-vault secret names and their key values, then you can use this in PowerShell:

$secrets=Get-AzKeyVaultSecret -VaultName 'key-vault-name'
$secrets | % {Write-Output "$($_.name) $($(Get-AzKeyVaultSecret -VaultName $_.VaultName -Name $_.Name).SecretValue | ConvertFrom-SecureString -AsPlainText)" }
Suraj Rao
0

Try using this function:

function GetSecretValue
{
    param(
        [String]$keyvaultName,
        [String]$secretName
    )

    Write-Host "Retrieving secret $secretName from $keyvaultName... " -NoNewline
    if ((Get-Command Get-AzKeyVaultSecret).ParameterSets.Parameters.Name -contains "AsPlainText")
    {
        # Newer Get-AzKeyVaultSecret version requires -AsPlainText parameter 
        $secretValue = Get-AzKeyVaultSecret -VaultName $keyvaultName -Name $secretName -AsPlainText
    }
    else
    {
        $secretValue = (Get-AzKeyVaultSecret -VaultName $keyvaultName -Name $secretName).SecretValueText
    }
    Write-Host "ok"
    return $secretValue
}

Usage example:

$keyVaultValue = GetSecretValue "name-of-key-vault" "my-secret-name"
Alexander Farber
0

I just wanted to add some more recent and easier ways to achieve this. With the latest versions of Az, you can just add the -AsPlainText parameter after the command to get the secret value directly.

Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SecretName -AsPlainText

Here is a full usage example of getting a certificate from the key vault and saving it as a pfx file using the same cmdlet.

# {... Skipping code ...}
$CertificateSecretValue = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $CertificateSecretName -AsPlainText

# Decode the base64-encoded PFX
$CertificateSecretBytes = [System.Convert]::FromBase64String($CertificateSecretValue)
[System.IO.File]::WriteAllBytes($PfxCertFilePath, $CertificateSecretBytes)
# {... Skipping code ...}