1

With Azure CLI one uses
az keyvault secret show
to read the secret value.

How is it done with Azure Powershell/Az.KeyVault?

I have tried GetAzKeyVaultSecret but it returns the record without the secret value.

LosManos
  • 7,195
  • 6
  • 56
  • 107
  • I think you mean `Az Cli` rather than `AzureRM` ? – Thomas Aug 30 '21 at 19:54
  • You are looking for this command: `Get-AzKeyVaultSecret` https://learn.microsoft.com/en-us/powershell/module/az.keyvault/get-azkeyvaultsecret?view=azps-6.3.0. – Thomas Aug 30 '21 at 19:55
  • 1
    You need to use the `-AsPlainText` argument https://learn.microsoft.com/en-us/powershell/module/az.keyvault/get-azkeyvaultsecret?view=azps-6.3.0#example-5--get-the-plain-text-value-of-the-current-version-of-a-specific-secret – Thomas Aug 30 '21 at 20:01
  • @Thomas Please write your comment as an answer. Also add that `-Name` or similar must be present because just `Get-AzKeyVaultSecret -VaultName vaultname -AsPlainText` does not work; it cannot output a list of secretvalues. – LosManos Aug 31 '21 at 06:12
  • LosManos, good to here that it worked :-) @kobulloc wrote a nice answer so I don't think I need to write another one. Just happy to help :-) – Thomas Aug 31 '21 at 06:32

1 Answers1

5

Get-AzKeyVaultSecret in the Azure Az PowerShell module is the equivalent of az keyvault secret show in the Azure CLI:

PowerShell Az Module

$keyVaultValue = Get-AzKeyVaultSecret -VaultName "kobulloc-keyvaultAZPS" -Name "ExampleAZPSPassword"
$keyVaultValue.SecretValue | ConvertFrom-SecureString -AsPlainText

enter image description here

CLI

az keyvault secret show --name "ExampleCLIPassword" --vault-name "kobulloc-keyvaultCLI" --query "value"

enter image description here

References:

kobulloc
  • 251
  • 1
  • 3
  • `Get-AzKeyVaultSecret -VaultName vaultname -AsPlainText -Name secretname` is enough, no need for `ConvertFrom-SecureString`. – LosManos Aug 31 '21 at 06:38
  • `-AsPlainText` seems to be ignored when listing secrets. – LosManos Aug 31 '21 at 06:39
  • To get all secretvalues for a subset of secrets: `Get-AzKeyVaultSecret -VaultName vaultname | Where-Object {$_.Name -like "*cosmos*"} | Select-Object -Property Name, @{ label='SecretValue'; expression={Get-AzKeyVaultSecret -VaultName vaultname -Name $_.Name -AsPlainText} }` This way it we can list every secret "having to do with cosmos" and, for instance, verify they are all using the same key. – LosManos Aug 31 '21 at 07:48
  • this did not work for me, this did: `$keyVaultValue = Get-AzKeyVaultSecret -VaultName "kobulloc-keyvaultAZPS" -Name "ExampleAZPSPassword" -AsPlainText` – Ricardo Rodrigues May 17 '22 at 14:05