How to Store a File as an Azure Vault Secret

Azure Key Vault offers a secure way of storing the secrets used in your applications. It natively supports cryptographic keys, TLS/SSL certificates and plain text secrets such as passwords. Using Key Vault secrets is easiest for applications deployed to Azure App Service: you specify a Key Vault reference in the app's configuration (application settings), and the content of the secret is exposed to your application as an environment variable.

Assume that your application reads the secret from an environment variable named app_secret (the name can be anything). Add an application setting with the name app_secret. Now assume the secret is saved under the name "replace-with-secret-name" in the Key Vault named "replace-with-vault-name". To populate the application setting app_secret with the value of the secret, give it the following value:

@Microsoft.KeyVault(VaultName=replace-with-vault-name;SecretName=replace-with-secret-name)

This is known as a Key Vault reference; at runtime the Azure platform replaces it with the value of the secret. For this to work, the App Service must have a managed identity (system-assigned or user-assigned) that has been granted permission to get secrets from the vault, either through an access policy or through the Key Vault Secrets User RBAC role. The secret value itself never appears in the app's configuration, which makes this a safe and automatic way of providing secrets from Key Vault to the running application through environment variables.

How to Store a File as an Azure Key Vault Secret Using Azure CLI or PowerShell?

One common requirement while writing web applications is to store a private key and a certificate in PEM format as secrets in Azure Key Vault. This is needed when you don't want a single certificate object with an embedded private key in the vault, but rather two separate files, one containing the private key and the other containing the certificate. A typical use case is programmatically connecting to an external API over TLS that requires a client certificate.

The Azure portal only lets you enter a single-line secret value, so you cannot create such a secret there. Azure CLI and Azure PowerShell, however, can create a multi-line secret directly from a file.

Here are the steps for saving a file as a vault secret using Azure CLI. First save your private key in PEM format in a text file named key.pem, then run the following command to store it as a secret in your vault. Passing the content with --file (rather than pasting it into --value) keeps the private key out of your shell history and process listing:

az keyvault secret set --vault-name "replace-with-vault-name" --name "replace-with-key-secret-name" --file "key.pem"

Then save your certificate in PEM format in a text file named cert.pem and store it under a different secret name. Setting a secret whose name already exists does not fail; it adds a new version, so reusing the key's secret name would make the certificate the current version of that secret instead of creating a second one:

az keyvault secret set --vault-name "replace-with-vault-name" --name "replace-with-cert-secret-name" --file "cert.pem"

If you are using PowerShell, you first need to read the whole file and convert its content into a secure string:

$RawSecret = Get-Content "key.pem" -Raw
$SecureSecret = ConvertTo-SecureString -String $RawSecret -AsPlainText -Force

Then use it to store the secret in Azure Key Vault:

$secret = Set-AzKeyVaultSecret -VaultName "replace-with-vault-name" -Name "replace-with-key-secret-name" -SecretValue $SecureSecret

Now repeat the same steps for the cert.pem file, storing it under a separate secret name.

Use the following command to verify that the multi-line secret was created correctly. Request tab-separated output (-o tsv) so the value is printed as-is rather than as a JSON string with escaped newlines, and keep in mind that this prints the private key to your terminal:

az keyvault secret show --name "replace-with-key-secret-name" --vault-name "replace-with-vault-name" --query "value" -o tsv
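The whole Azure CLI procedure above, together with the App Service wiring from the first section, as an added example script that is not part of the original article. It checks that each file really contains the kind of PEM block it should (and that the certificate file does not also carry the private key), uploads the two files as separate secrets, reads them back to confirm the stored values match the files, and then points two application settings at them with Key Vault references. The secret names api-client-key and api-client-cert, the setting names API_CLIENT_KEY and API_CLIENT_CERT, the App Service name, the resource group and the content type label are all assumptions, and the script assumes the app's managed identity has already been allowed to get secrets from the vault.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Stores key.pem and cert.pem as two
# separate Key Vault secrets with the Azure CLI, verifies them, and wires them into
# App Service settings. All names below are placeholders (assumptions); override via env.
set -eu

VAULT_NAME="${VAULT_NAME:-replace-with-vault-name}"
KEY_FILE="${KEY_FILE:-key.pem}"
CERT_FILE="${CERT_FILE:-cert.pem}"
KEY_SECRET="${KEY_SECRET:-api-client-key}"            # hypothetical secret name
CERT_SECRET="${CERT_SECRET:-api-client-cert}"         # hypothetical secret name
APP_NAME="${APP_NAME:-replace-with-app-name}"         # hypothetical App Service name
RESOURCE_GROUP="${RESOURCE_GROUP:-replace-with-rg}"   # hypothetical resource group

# Return 0 if file $1 contains both the BEGIN and the END line of a PEM block whose
# label matches the extended regex $2, e.g. 'CERTIFICATE' or '(RSA |EC )?PRIVATE KEY'.
pem_has_block() {
  grep -Eq -- "^-----BEGIN $2-----" "$1" && grep -Eq -- "^-----END $2-----" "$1"
}

# Build the App Service Key Vault reference string for secret $1 in $VAULT_NAME.
keyvault_reference() {
  printf '@Microsoft.KeyVault(VaultName=%s;SecretName=%s)' "$VAULT_NAME" "$1"
}

# Upload PEM file $2 as secret $1. --file keeps the content out of shell history and
# `ps` output (unlike --value); --content-type is an informational label for consumers.
upload_pem_secret() {
  az keyvault secret set --vault-name "$VAULT_NAME" --name "$1" --file "$2" \
    --content-type "application/x-pem-file" --query id -o tsv
}

# Read secret $1 back and compare it with file $2. Command substitution strips trailing
# newlines on both sides, and the value itself is never printed.
verify_secret_matches_file() {
  stored="$(az keyvault secret show --vault-name "$VAULT_NAME" --name "$1" --query value -o tsv)"
  expected="$(cat "$2")"
  [ "$stored" = "$expected" ] || { echo "secret $1 does not match $2" >&2; return 1; }
  echo "secret $1 matches $2"
}

# Give the app two settings that the platform resolves to the secrets at runtime.
# The app's managed identity must already be allowed to get secrets from the vault.
wire_app_settings() {
  az webapp config appsettings set --name "$APP_NAME" --resource-group "$RESOURCE_GROUP" \
    --settings "API_CLIENT_KEY=$(keyvault_reference "$KEY_SECRET")" \
               "API_CLIENT_CERT=$(keyvault_reference "$CERT_SECRET")" \
    --query "[].name" -o tsv
}

main() {
  pem_has_block "$KEY_FILE" '(RSA |EC )?PRIVATE KEY' || { echo "$KEY_FILE: no private key block" >&2; exit 1; }
  pem_has_block "$CERT_FILE" 'CERTIFICATE' || { echo "$CERT_FILE: no certificate block" >&2; exit 1; }
  # Refuse a combined PEM: the certificate secret is the one more readers are granted.
  if pem_has_block "$CERT_FILE" '(RSA |EC )?PRIVATE KEY'; then
    echo "$CERT_FILE also contains a private key; split the files first" >&2; exit 1
  fi
  upload_pem_secret "$KEY_SECRET" "$KEY_FILE"
  upload_pem_secret "$CERT_SECRET" "$CERT_FILE"
  verify_secret_matches_file "$KEY_SECRET" "$KEY_FILE"
  verify_secret_matches_file "$CERT_SECRET" "$CERT_FILE"
  wire_app_settings
}

# Only talk to Azure when asked explicitly, so the functions can be sourced and checked offline.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as "VAULT_NAME=myvault APP_NAME=myapp RESOURCE_GROUP=myrg ./store-pem-secrets.sh run" after "az login". The PEM check is deliberately a plain text check on the BEGIN/END markers rather than a parse: its job is to stop the wrong file being uploaded under the wrong name, which is the mistake the separate-secrets layout is meant to prevent.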

Note that you do not need to delete and recreate a secret in order to change its value: setting a secret that already exists simply creates a new version, and Key Vault references resolve to the latest version unless a specific version is pinned. If you do delete a secret, soft delete (enabled on every vault and not something you can turn off) keeps it in a deleted-but-recoverable state for the retention period, and an attempt to create a secret with the same name during that time fails with a conflict. Either bring it back with az keyvault secret recover and set a new version, or remove it permanently with az keyvault secret purge. If purge protection is enabled on the vault, purging is not possible, and purge protection cannot be disabled once it has been turned on; in that case recover the secret and overwrite it with a new version, or wait for the retention period to elapse.