Skip to content
Latchkey

az keyvault secret set: Store a Secret

az keyvault secret set writes or updates a named secret in a Key Vault.

A pipeline that rotates credentials or seeds a vault uses secret set. Pass values via --file to keep them out of the command line and process list.

What it does

az keyvault secret set creates a new version of a secret in the vault. The value comes from --value or, more safely, --file, which avoids putting the secret on the command line where it could leak into logs.

Common usage

Terminal
az keyvault secret set \
  --vault-name kv-app-ci --name db-password \
  --value "$DB_PASSWORD"
# read the value from a file instead of argv
az keyvault secret set --vault-name kv-app-ci \
  --name tls-cert --file cert.pem

Subcommands and flags

FlagWhat it does
--vault-nameTarget Key Vault
--name, -nSecret name
--valueSecret value inline (visible in process list)
--file, -fRead the value from a file (preferred)
--expiresSet an expiry date on the secret
--content-typeLabel the value type, e.g. text/plain

In CI

Prefer --file over --value so the secret never appears in argv or shell history. The federated identity needs Key Vault Secrets Officer on an RBAC vault. Mask any captured value so it does not surface in step logs.

Common errors in CI

"Caller is not authorized to perform action on resource ... Forbidden" on an RBAC vault means the identity lacks Key Vault Secrets Officer; an access-policy vault needs a set policy instead. "(VaultNotFound)" means a wrong vault name or region. "SecretDisabled" means the named secret exists but is disabled.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →