Thursday, January 12, 2023

Retrieve older versions of Azure Key Vault Secrets with CLI

You can keep multiple versions of a secret in Azure Key Vault. The service does not hard-cap the version count, but Microsoft advises staying well under 500 versions per secret, because large version counts slow down backup operations.

Versions are useful when you rotate a secret but some consumer still needs the previous value. Instead of creating a new secret, point that consumer at the previous version's identifier (the secret URL that ends in the version id) while everything else keeps reading the latest version.

Versioning is also sometimes used to organize secrets: rather than creating a new secret for every variant, you keep one secret and one version per use case, for example a secret called ConnectionString with one version per environment, each labelled with tags.

This is not suitable for every case, so know the caveats before relying on it. Access is granted per secret (or per vault), never per version, so anyone who can read the dev version can read the prod version too. A client that requests ConnectionString without a version id gets whichever version is newest, so every consumer must pin its version id. And rotating one environment's value changes which version is "latest" for everyone. Where there is a real trust boundary between the variants, separate secrets (or separate vaults) are the safer choice.

Following is an easy way to list all versions of a specific secret in your Key Vault and then read a specific version with the Azure CLI. The pipeline is PowerShell; the backtick is the line continuation character. list-versions returns metadata only (id, attributes, tags), never the secret value, so it needs only the secrets list permission.

1. List all versions
az keyvault secret list-versions `
  --name ConnectionString `
  --vault-name dinushavault | ConvertFrom-Json |
  Select-Object id, @{n='created'; e={$_.attributes.created}}, @{n='enabled'; e={$_.attributes.enabled}}
2. Read a specific secret version
az keyvault secret show `
  --id https://dinushavault.vault.azure.net/secrets/ConnectionString/f647afaf87fe4397933d70fb1fefb1fc

The same version can be addressed with --name ConnectionString --vault-name dinushavault --version f647afaf87fe4397933d70fb1fefb1fc. If you leave the version out, show returns the newest version, and fails if that version is disabled. The output contains the secret value in plaintext next to the metadata, so mind where it ends up (terminal scrollback, CI logs); adding --query value -o tsv limits the output to the value itself.
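The two steps above are usually glued together by a person reading the id list. The following is an added example, not code from the original post, that does the selection programmatically: it parses the JSON that list-versions emits, skips disabled versions (show refuses to read those), optionally filters on an environment tag as in the ConnectionString-per-environment layout, picks the newest match by its created timestamp, and builds the show command for step 2. The list-versions output is constructed here to match the shape az returns; the vault and secret names come from the post, while the version ids, timestamps and tags are made up, and nothing calls Azure, so it runs offline.

```python
"""Select an Azure Key Vault secret version from `az keyvault secret list-versions` output.

Added example, not from the original post. SAMPLE_LIST_VERSIONS is constructed data in
the shape az returns; the version ids, timestamps and tags are made up.
"""
import json
import shlex
import subprocess
from datetime import datetime
from typing import Any, Dict, List, Optional

VAULT = "dinushavault"       # vault name from the post
SECRET = "ConnectionString"  # secret name from the post
BASE = f"https://{VAULT}.vault.azure.net/secrets/{SECRET}"


def _sample(version: str, created: str, enabled: bool, env: str) -> Dict[str, Any]:
    """One list-versions entry in the shape az returns (constructed; metadata only, no value)."""
    return {
        "id": f"{BASE}/{version}",
        "name": SECRET,
        "attributes": {"enabled": enabled, "created": created, "updated": created,
                       "expires": None, "notBefore": None,
                       "recoveryLevel": "Recoverable+Purgeable"},
        "tags": {"environment": env},
        "contentType": None,
        "managed": None,
    }


# Constructed stand-in for: az keyvault secret list-versions --name ConnectionString --vault-name dinushavault
SAMPLE_LIST_VERSIONS = json.dumps([
    _sample("0a1b2c3d4e5f60718293a4b5c6d7e8f9", "2022-11-01T09:00:00+00:00", True, "dev"),
    _sample("1b2c3d4e5f60718293a4b5c6d7e8f90a", "2022-12-01T09:00:00+00:00", True, "prod"),
    _sample("2c3d4e5f60718293a4b5c6d7e8f90a1b", "2023-01-05T09:00:00+00:00", False, "prod"),  # rotated out and disabled
    _sample("3d4e5f60718293a4b5c6d7e8f90a1b2c", "2023-01-10T09:00:00+00:00", True, "dev"),
])


def load_versions(raw_json: str) -> List[Dict[str, Any]]:
    """Parse the JSON array printed by `az ... list-versions -o json`."""
    return json.loads(raw_json)


def version_of(secret_id: str) -> str:
    """Return the version segment (last path element) of a secret identifier URL."""
    return secret_id.rstrip("/").rsplit("/", 1)[-1]


def select_version(versions: List[Dict[str, Any]], environment: Optional[str] = None,
                   include_disabled: bool = False) -> Dict[str, Any]:
    """Newest version, optionally restricted to one environment tag.

    Disabled versions are skipped by default because `az keyvault secret show`
    refuses to read a disabled version.
    """
    candidates = []
    for v in versions:
        attrs = v.get("attributes") or {}
        tags = v.get("tags") or {}  # az prints null for a version without tags
        if not include_disabled and not attrs.get("enabled", False):
            continue
        if environment is not None and tags.get("environment") != environment:
            continue
        candidates.append(v)
    if not candidates:
        raise LookupError(f"no matching version of {SECRET} (environment={environment!r})")
    return max(candidates, key=lambda v: datetime.fromisoformat(v["attributes"]["created"]))


def show_command(secret_id: str) -> List[str]:
    """argv for step 2 of the post, narrowed with --query so only the value is emitted."""
    return ["az", "keyvault", "secret", "show", "--id", secret_id, "--query", "value", "-o", "tsv"]


def fetch_value(secret_id: str) -> str:
    """Run step 2 for real. Needs an `az login` session and secrets get permission; not used offline."""
    proc = subprocess.run(show_command(secret_id), check=True, capture_output=True, text=True)
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    versions = load_versions(SAMPLE_LIST_VERSIONS)
    for env in ("dev", "prod"):
        chosen = select_version(versions, env)
        print(env, version_of(chosen["id"]), "created", chosen["attributes"]["created"])
        print("  ", shlex.join(show_command(chosen["id"])))
```

Feeding real data is a matter of replacing SAMPLE_LIST_VERSIONS with the stdout of the list-versions command; the prod selection shows why the enabled check matters, since the newest prod version in the sample is disabled and show would fail on it.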


