
Storing secrets in Azure - Commands & Configuration

Introduction
When you build applications, you often need to keep passwords, keys, or tokens safe. Storing secrets securely means keeping them hidden and protected from unauthorized access. Azure Key Vault helps you store and manage these secrets safely in the cloud.
When your app needs to use a database password without exposing it in code.
When you want to share API keys securely between team members.
When you need to rotate or update credentials without changing your app code.
When you want to control who can access sensitive information in your cloud environment.
When you want to audit access to secrets for security compliance.
Config File - azure-keyvault-policy.json
{
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "11111111-1111-1111-1111-111111111111",
        "permissions": {
          "secrets": ["get", "list", "set", "delete"]
        }
      }
    ]
  }
}

This JSON file defines who can access the secrets in the Azure Key Vault. tenantId is your Azure Active Directory tenant, objectId is the user or application allowed to manage secrets, and permissions.secrets lists the operations that identity may perform on secrets (here get, list, set and delete).

Commands
This command creates a new Azure Key Vault named 'myExampleVault' in the 'exampleResourceGroup' resource group located in East US. This vault will store your secrets securely.
Terminal
az keyvault create --name myExampleVault --resource-group exampleResourceGroup --location eastus
Expected Output
{ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/exampleResourceGroup/providers/Microsoft.KeyVault/vaults/myExampleVault", "location": "eastus", "name": "myExampleVault", "properties": { "vaultUri": "https://myExampleVault.vault.azure.net/" }, "resourceGroup": "exampleResourceGroup", "type": "Microsoft.KeyVault/vaults" }
--name - Sets the name of the Key Vault.
--resource-group - Specifies the Azure resource group.
--location - Sets the Azure region for the vault.
This command stores a secret named 'DbPassword' with the value 'S3cureP@ssw0rd' inside the 'myExampleVault' Key Vault. Your app can later retrieve this secret securely.
Terminal
az keyvault secret set --vault-name myExampleVault --name DbPassword --value "S3cureP@ssw0rd"
Expected Output
{ "id": "https://myExampleVault.vault.azure.net/secrets/DbPassword/xxxxxxxxxxxx", "attributes": { "enabled": true, "created": 1680000000, "updated": 1680000000 } }
--vault-name - Specifies which Key Vault to use.
--name - Names the secret.
--value - Sets the secret's value.
This command retrieves the secret named 'DbPassword' from the 'myExampleVault' Key Vault so you can verify it was stored correctly.
Terminal
az keyvault secret show --vault-name myExampleVault --name DbPassword
Expected Output
{ "id": "https://myExampleVault.vault.azure.net/secrets/DbPassword/xxxxxxxxxxxx", "attributes": { "enabled": true, "created": 1680000000, "updated": 1680000000 } }
--vault-name - Specifies which Key Vault to query.
--name - Names the secret to retrieve.
This command deletes the secret named 'DbPassword' from the Key Vault when it is no longer needed or must be rotated.
Terminal
az keyvault secret delete --vault-name myExampleVault --name DbPassword
Expected Output
{ "recoveryId": "https://myExampleVault.vault.azure.net/deletedsecrets/DbPassword", "deletedDate": 1680000000, "scheduledPurgeDate": 1682592000, "id": "https://myExampleVault.vault.azure.net/secrets/DbPassword/xxxxxxxxxxxx", "attributes": { "enabled": false } }
--vault-name - Specifies which Key Vault to modify.
--name - Names the secret to delete.
Key Concept

If you remember nothing else from this pattern, remember: Azure Key Vault keeps your secrets safe and separate from your app code, so you never expose sensitive data directly.

Common Mistakes
Storing secrets directly in application code or configuration files.
This exposes sensitive data to anyone who can see the code or config, risking security breaches.
Use Azure Key Vault to store secrets and retrieve them securely at runtime.
Not setting proper access policies for the Key Vault.
Without correct permissions, your app or users cannot access the secrets, causing failures.
Define access policies with correct tenant and object IDs to allow authorized access.
Using weak or guessable secret values.
Weak secrets can be easily cracked, defeating the purpose of secure storage.
Use strong, complex secret values and rotate them regularly.
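The secret set command above and the "weak or guessable secret values" mistake, combined into one added example (not code from the original page): generate a random value, store it with an expiry date so rotation is tracked, and hand the value to the CLI through a temporary file rather than --value, so it does not land in shell history or the process list. The vault and secret names are the page's placeholders; an Azure CLI session that is already logged in is assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes `az login` has already run.
VAULT="myExampleVault"      # placeholder vault name from the page
SECRET_NAME="DbPassword"    # placeholder secret name from the page

# Generate a random secret of N characters (default 32) from /dev/urandom,
# restricted to letters and digits, instead of a human-chosen value.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
}

# UTC expiry 90 days out, in the Y-m-dTH:M:SZ form `--expires` accepts.
# GNU date first, BSD/macOS date as a fallback.
rotation_date() {
    date -u -d "+90 days" '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null \
        || date -u -v+90d '+%Y-%m-%dT%H:%M:%SZ'
}

# Store the secret. mktemp creates the file with owner-only permissions;
# `--file` reads the value from it, so the value is never a command-line
# argument. The temp file is removed whether or not the call succeeds.
store_secret() {
    vault="$1"; name="$2"; value="$3"; expires="$4"
    tmp=$(mktemp) || return 1
    printf '%s' "$value" >"$tmp"
    if az keyvault secret set --vault-name "$vault" --name "$name" \
          --file "$tmp" --expires "$expires" --output none; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# Only talk to Azure when explicitly requested: KEYVAULT_DEMO_RUN=1 ./script.sh
[ "${KEYVAULT_DEMO_RUN:-0}" = 1 ] && \
    store_secret "$VAULT" "$SECRET_NAME" "$(gen_secret 32)" "$(rotation_date)"
```

After the call, az keyvault secret show reports the expires attribute alongside created and updated, which is what a rotation check can key on.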
Summary
Create an Azure Key Vault to store secrets securely.
Add secrets to the vault using the Azure CLI.
Retrieve secrets safely when your app needs them.
Delete or rotate secrets to maintain security.