
Storing keys and certificates in Azure - Commands & Configuration

Introduction
When you build apps or services, you often need to keep secrets like keys and certificates safe. Azure Key Vault helps you store these secrets securely so only authorized users and apps can access them.
Typical situations where Key Vault is the right tool:

  • When you want to keep API keys safe and not hard-code them in your app.
  • When your app needs to use SSL/TLS certificates securely for encrypted communication.
  • When you want to control who can access your secrets with permissions.
  • When you want to rotate keys or certificates without changing your app code.
  • When you need a central place to manage all your secrets for multiple apps.
Config File - azure-keyvault-policy.json
{
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "11111111-2222-3333-4444-555555555555",
        "objectId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "permissions": {
          "keys": ["get", "list", "create", "delete"],
          "secrets": ["get", "list", "set", "delete"],
          "certificates": ["get", "list", "create", "delete"]
        }
      }
    ]
  }
}

This JSON defines who can access the Key Vault and what they can do.

  • tenantId: The ID of the Azure Active Directory tenant the identity belongs to.
  • objectId: The object ID of the user, group, or service principal allowed to access the vault.
  • permissions: The actions that identity may perform on keys, secrets, and certificates; grant only the ones it actually needs.
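An added example (not part of the original page) that reviews an access-policy document like the one above before it is applied: it checks that tenantId and objectId are well-formed GUIDs and reports every permission that goes beyond a least-privilege baseline. The baseline RUNTIME_ALLOWED is an assumption for an app identity that only reads secrets and certificates; the policy text is the page's own JSON embedded as a constructed sample.

```python
import json
import re
from typing import Dict, List, Set

# Constructed sample: the access-policy document shown on this page.
POLICY_JSON = """{
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "11111111-2222-3333-4444-555555555555",
        "objectId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "permissions": {
          "keys": ["get", "list", "create", "delete"],
          "secrets": ["get", "list", "set", "delete"],
          "certificates": ["get", "list", "create", "delete"]
        }
      }
    ]
  }
}"""

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Assumed least-privilege baseline for a runtime app identity:
# read-only on secrets and certificates, no key-management rights at all.
RUNTIME_ALLOWED: Dict[str, Set[str]] = {
    "keys": set(),
    "secrets": {"get", "list"},
    "certificates": {"get", "list"},
}


def review_access_policies(policy_text: str, allowed=RUNTIME_ALLOWED) -> List[str]:
    """Return one finding per problem: malformed tenant/object IDs and
    permissions granted beyond the allowed baseline (e.g. delete on secrets)."""
    doc = json.loads(policy_text)
    findings: List[str] = []
    for idx, entry in enumerate(doc.get("properties", {}).get("accessPolicies", [])):
        for field in ("tenantId", "objectId"):
            if not GUID_RE.match(entry.get(field, "")):
                findings.append(f"policy[{idx}]: {field} is not a valid GUID")
        for kind, granted in entry.get("permissions", {}).items():
            extra = sorted({p.lower() for p in granted} - allowed.get(kind, set()))
            if extra:
                findings.append(f"policy[{idx}]: {kind} grants beyond baseline: {', '.join(extra)}")
    return findings


if __name__ == "__main__":
    for finding in review_access_policies(POLICY_JSON):
        print(finding)
```

Run against the page's policy it reports three findings, one per object type, because the entry grants create/set/delete rights that a read-only consumer does not need.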
Commands
Create a new Azure Key Vault named 'myKeyVaultExample' in the 'myResourceGroup' resource group, in the East US region.
Terminal
az keyvault create --name myKeyVaultExample --resource-group myResourceGroup --location eastus
Expected Output
{
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyVaultExample",
  "location": "eastus",
  "name": "myKeyVaultExample",
  "properties": {
    "vaultUri": "https://mykeyvaultexample.vault.azure.net/"
  },
  "resourceGroup": "myResourceGroup",
  "type": "Microsoft.KeyVault/vaults"
}
--name - Sets the name of the Key Vault
--resource-group - Specifies the resource group to create the vault in
--location - Sets the Azure region for the vault
Store a secret named 'ApiKey' with the value '12345-abcde-67890-fghij' in the Key Vault.
Terminal
az keyvault secret set --vault-name myKeyVaultExample --name ApiKey --value "12345-abcde-67890-fghij"
Expected Output
{
  "id": "https://mykeyvaultexample.vault.azure.net/secrets/ApiKey/xxxxxxxxxxxx",
  "attributes": {
    "enabled": true,
    "created": 1680000000,
    "updated": 1680000000
  }
}
--vault-name - Specifies which Key Vault to use
--name - Names the secret
--value - Sets the secret's value
Create a new certificate named 'myCertificate' in the Key Vault using the policy defined in the JSON file.
Terminal
az keyvault certificate create --vault-name myKeyVaultExample --name myCertificate --policy @azure-keyvault-policy.json
Expected Output
{
  "id": "https://mykeyvaultexample.vault.azure.net/certificates/myCertificate/xxxxxxxxxxxx",
  "attributes": {
    "enabled": true,
    "created": 1680000000,
    "updated": 1680000000
  },
  "policy": {
    "issuerParameters": {
      "name": "Self"
    },
    "x509CertificateProperties": {
      "subject": "CN=myCertificate",
      "validityInMonths": 12
    }
  }
}
--vault-name - Specifies the Key Vault to use
--name - Names the certificate
--policy - Specifies the certificate policy file
Retrieve and display the secret named 'ApiKey' from the Key Vault to verify it was stored correctly.
Terminal
az keyvault secret show --vault-name myKeyVaultExample --name ApiKey
Expected Output
{
  "id": "https://mykeyvaultexample.vault.azure.net/secrets/ApiKey/xxxxxxxxxxxx",
  "value": "12345-abcde-67890-fghij",
  "attributes": {
    "enabled": true,
    "created": 1680000000,
    "updated": 1680000000
  }
}
--vault-name - Specifies the Key Vault to query
--name - Names the secret to retrieve
Key Concept

If you remember nothing else from this pattern, remember: Azure Key Vault safely stores and controls access to your keys, secrets, and certificates so your apps stay secure.

Common Mistakes
  • Not setting proper access policies for users or apps. Without permissions, you cannot read or write secrets, causing failures. Always configure access policies with the correct tenant and object IDs and only the permissions that are needed.
  • Hardcoding secrets directly in app code instead of using Key Vault. This exposes secrets to anyone with code access and makes rotation hard. Store secrets in Key Vault and fetch them securely at runtime.
  • Using an incorrect vault name or secret name in commands. Commands fail because the resource does not exist or is misspelled. Double-check names and spellings before running commands.
Summary
  • Create an Azure Key Vault to securely store keys, secrets, and certificates.
  • Use CLI commands to add secrets and certificates to the vault.
  • Verify stored secrets by retrieving them with CLI commands.