Instagram X-twitter
TL-Logo-small
Github X-twitter Linkedin

Retrieving Azure Key Vault secrets with Azure CLI or Batch file with PowerShell

Recent Visitor 348

Administrators out there who have worked with Azure Key Vaults with a substantial amount of Secrets would understand how painful it is to use the portal.azure.com GUI and have to continuously click on the Load more link to display the next set of secrets in the Key Vault. Through my years of working with different clients and different Key Vaults with a large amount of secrets, I’ve compiled a list of Azure CLI commands as well as a batch file to retrieve secrets and would like to share them with this blog post.

Batch File – Does not require Azure CLI

Get Secret

For situations where I do not have Azure CLI installed on a device that I need to either:

  1. Retrieve a secret (when I am dealing with a Key Vault with many secrets)
  2. Test retrieving a secret from an Azure Key Vault (when connectivity troubleshooting)

 

… I use the following batch file that will use native command prompt commands and PowerShell to:

  1. Log in with a Device Code via https://microsoft.com/devicelogin
  2. Retrieve a secret and its properties from a Key Vault

 

The batch file can be found here in my GitHub repo:  https://github.com/terenceluk/Azure/blob/main/Azure%20Key%20Vault/get-secret.bat

**Note that you cannot just copy and paste the contents into a command prompt to execute. You’ll need to create the .bat file and execute it.

The code in the batch file include the following explanation on how to include or not include switches:

:: ========================================================================
:: EXAMPLE CONFIGURATION
:: ========================================================================
:: All defaults
:: get-secret.bat

:: Different key vault only
:: get-secret.bat production-vault
:: get-secret.bat https://prod-vault.vault.azure.net

:: Different key vault and secret
:: get-secret.bat production-vault DatabasePassword
:: get-secret.bat test-vault ApiKey

:: Different key vault, secret, and tenant
:: get-secret.bat production-vault DatabasePassword mycompany.com
:: get-secret.bat prod-vault ApiKey 12345678-1234-1234-1234-123456789012

:: Default vault, different secret and tenant
:: get-secret.bat “” DatabasePassword mycompany.com

:: Default vault and secret, different tenant
:: get-secret.bat “” “” mycompany.com

:: Different vault, default secret, different tenant
:: get-secret.bat production-vault “” mycompany.com

:: Show help
:: get-secret.bat /?
:: get-secret.bat –help
:: ========================================================================

Here is a sample of the output:

Azure CLI

For scenarios where the endpoint I’m using has Azure CLI, the following are commands I use.

Begin by defining variables for the Azure Tenant, the Key Vault Name and the Secret (if we know) we want to retrieve.

$tenant=”xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx”
$keyvaultName=”my-key-vault-name”
$secretToGet=”my-secret-name”

 

Proceed to login while specifying the tenant where the Key Vault resides:
az login –tenant $tenant

 

Use the following command to list all the secrets in the Key Vault displayed in the format of a table:
az keyvault secret list –vault-name $keyvaultName –query “[].{Name:name, Enabled:attributes.enabled, Created:attributes.created, Expires:attributes.expires}” -o table

If you want to search for a secret with a specific string in its name, use the following cmdlet (this example searches any secret with “specificString” in the name):
$secrets = az keyvault secret list –vault-name $keyvaultName | ConvertFrom-Json
$filtered = $secrets | Where-Object { $_.name -like “*specificString*” }
$filtered | Select-Object @{Name=”Name”;Expression={$_.name}},
                        @{Name=”Enabled”;Expression={$_.attributes.enabled}},
                        @{Name=”Created”;Expression={$_.attributes.created}},
                        @{Name=”Expires”;Expression={$_.attributes.expires}} | Format-Table -AutoSize

Now that we know what secrets are available (use the $secretToGet variable to assign the one to retrieve), we can use the following command to retrieve the value of the secret:
az keyvault secret show –vault-name $keyvaultName –name $secretToGet -o table

 

Now to put it all together:
$tenant=”xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx”
$keyvaultName=”my-key-vault-name”
$secretToGet=”my-secret-name”
az login –tenant $tenant
az keyvault secret list –vault-name $keyvaultName –query “[].{Name:name, Enabled:attributes.enabled, Created:attributes.created, Expires:attributes.expires}” -o table
az keyvault secret show –vault-name $keyvaultName –name $secretToGet -o table

 

Other useful commands that output more information are as follows:
# List all secrets in a key vault with their detail in json format
az keyvault secret list –vault-name $keyvaultName

# Get secret value including metadata
az keyvault secret show –vault-name $keyvaultName –name $secretToGet

Hope this helps anyone who may be looking for ways to retrieve secrets and their values without relying on the portal.azure.com GUI.
Back to Blogs

Hello! My name is Terence Luk and welcome to my blog.

About me

Follow me:

Github X-twitter Linkedin

Categories

Related Posts

Subscribe to the mailing list to receive posts updates!

Sign up for my newsletter to see new photos, tips, and blog posts. Do not worry, we will never spam you.

Dive deep into the world of cloud computing with expert insights, tips, and tutorials tailored specifically for architects, engineers, and developers.

Github X-twitter Linkedin

Categories

Recent Posts

  • 2025 Terence Luk. All rights reserved.