az keyvault create: Provision a Key Vault
az keyvault create provisions a Key Vault for secrets, keys, and certificates.
A vault is where a pipeline should keep secrets instead of plaintext variables. Create it with RBAC authorization so access is governed by role assignments.
What it does
az keyvault create provisions a Key Vault in a resource group. With --enable-rbac-authorization the vault uses Azure RBAC for data-plane access instead of legacy access policies, which suits federated CI identities.
Common usage
az keyvault create \
--name kv-app-ci --resource-group rg-app \
--location eastus --sku standard \
--enable-rbac-authorization trueSubcommands and flags
| Flag | What it does |
|---|---|
| --name, -n | Globally unique vault name |
| --resource-group, -g | Target resource group |
| --location, -l | Azure region |
| --sku | standard or premium (HSM-backed) |
| --enable-rbac-authorization | Use RBAC instead of access policies |
| --enable-purge-protection | Block permanent deletion during retention |
In CI
Choose RBAC authorization and grant the pipeline identity Key Vault Secrets Officer (write) or Key Vault Secrets User (read). Vault names are global and soft-deleted on removal, so a rerun can collide with a prior deleted vault of the same name.
Common errors in CI
"Exist soft deleted vault with the same name" or "VaultAlreadyExists" means a deleted vault still holds the name during its retention window; recover it with az keyvault recover or pick a new name. "AuthorizationFailed" means the identity lacks Contributor on the group. "SkuNotAvailable" means the region does not offer that SKU.