az keyvault secret set: Store a Secret
az keyvault secret set writes or updates a named secret in a Key Vault.
A pipeline that rotates credentials or seeds a vault uses secret set. Pass values via --file to keep them out of the command line and process list.
What it does
az keyvault secret set creates a new version of a secret in the vault. The value comes from --value or, more safely, --file, which avoids putting the secret on the command line where it could leak into logs.
Common usage
az keyvault secret set \
--vault-name kv-app-ci --name db-password \
--value "$DB_PASSWORD"
# read the value from a file instead of argv
az keyvault secret set --vault-name kv-app-ci \
--name tls-cert --file cert.pemSubcommands and flags
| Flag | What it does |
|---|---|
| --vault-name | Target Key Vault |
| --name, -n | Secret name |
| --value | Secret value inline (visible in process list) |
| --file, -f | Read the value from a file (preferred) |
| --expires | Set an expiry date on the secret |
| --content-type | Label the value type, e.g. text/plain |
In CI
Prefer --file over --value so the secret never appears in argv or shell history. The federated identity needs Key Vault Secrets Officer on an RBAC vault. Mask any captured value so it does not surface in step logs.
Common errors in CI
"Caller is not authorized to perform action on resource ... Forbidden" on an RBAC vault means the identity lacks Key Vault Secrets Officer; an access-policy vault needs a set policy instead. "(VaultNotFound)" means a wrong vault name or region. "SecretDisabled" means the named secret exists but is disabled.