Skip to content
Latchkey

az keyvault create: Provision a Key Vault

az keyvault create provisions a Key Vault for secrets, keys, and certificates.

A vault is where a pipeline should keep secrets instead of plaintext variables. Create it with RBAC authorization so access is governed by role assignments.

What it does

az keyvault create provisions a Key Vault in a resource group. With --enable-rbac-authorization the vault uses Azure RBAC for data-plane access instead of legacy access policies, which suits federated CI identities.

Common usage

Terminal
az keyvault create \
  --name kv-app-ci --resource-group rg-app \
  --location eastus --sku standard \
  --enable-rbac-authorization true

Subcommands and flags

FlagWhat it does
--name, -nGlobally unique vault name
--resource-group, -gTarget resource group
--location, -lAzure region
--skustandard or premium (HSM-backed)
--enable-rbac-authorizationUse RBAC instead of access policies
--enable-purge-protectionBlock permanent deletion during retention

In CI

Choose RBAC authorization and grant the pipeline identity Key Vault Secrets Officer (write) or Key Vault Secrets User (read). Vault names are global and soft-deleted on removal, so a rerun can collide with a prior deleted vault of the same name.

Common errors in CI

"Exist soft deleted vault with the same name" or "VaultAlreadyExists" means a deleted vault still holds the name during its retention window; recover it with az keyvault recover or pick a new name. "AuthorizationFailed" means the identity lacks Contributor on the group. "SkuNotAvailable" means the region does not offer that SKU.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →