From be4cee2e7b8c9b110a8de0127c3c56e2ff638260 Mon Sep 17 00:00:00 2001 From: Dragos Avadanei Date: Wed, 12 Apr 2017 12:34:05 -0700 Subject: [PATCH] adding support for backing up and restoring of KeyVault secrets --- .../KeyVault/AzureRM.KeyVault.psd1 | 4 +- .../Commands.KeyVault.Test.csproj | 4 +- .../ControlPlane/KeyVaultManagementTests.ps1 | 4 +- .../Scripts/RunKeyVaultTests.ps1 | 17 +- .../Scripts/VaultKeyTests.ps1 | 8 +- .../Scripts/VaultSecretTests.ps1 | 84 ++ .../Commands.KeyVault.Test/packages.config | 4 +- .../Commands.KeyVault.csproj | 6 +- .../Commands/BackupAzureKeyVaultKey.cs | 26 +- .../Commands/BackupAzureKeyVaultSecret.cs | 83 ++ .../Commands/RestoreAzureKeyVaultSecret.cs | 76 ++ .../Commands/SetAzureKeyVaultAccessPolicy.cs | 2 +- ...osoft.Azure.Commands.KeyVault.dll-help.xml | 1113 ++++++++++++----- .../Models/IKeyVaultDataServiceClient.cs | 4 + .../Models/KeyVaultCmdletBase.cs | 24 +- .../Models/KeyVaultDataServiceClient.cs | 50 + .../Properties/Resources.Designer.cs | 44 + .../Properties/Resources.resx | 12 + .../help/AzureRM.KeyVault.md | 6 + .../help/Backup-AzureKeyVaultSecret.md | 144 +++ .../help/Restore-AzureKeyVaultSecret.md | 119 ++ .../Commands.KeyVault/packages.config | 4 +- 22 files changed, 1490 insertions(+), 348 deletions(-) create mode 100644 src/ResourceManager/KeyVault/Commands.KeyVault/Commands/BackupAzureKeyVaultSecret.cs create mode 100644 src/ResourceManager/KeyVault/Commands.KeyVault/Commands/RestoreAzureKeyVaultSecret.cs create mode 100644 src/ResourceManager/KeyVault/Commands.KeyVault/help/Backup-AzureKeyVaultSecret.md create mode 100644 src/ResourceManager/KeyVault/Commands.KeyVault/help/Restore-AzureKeyVaultSecret.md diff --git a/src/ResourceManager/KeyVault/AzureRM.KeyVault.psd1 b/src/ResourceManager/KeyVault/AzureRM.KeyVault.psd1 index 76ff2b83e955..c8ec864dcd5d 100644 --- a/src/ResourceManager/KeyVault/AzureRM.KeyVault.psd1 +++ b/src/ResourceManager/KeyVault/AzureRM.KeyVault.psd1 
@@ -98,7 +98,9 @@ CmdletsToExport = 'Add-AzureKeyVaultCertificate', 'Set-AzureKeyVaultSecretAttribute', 'Get-AzureKeyVaultCertificatePolicy', 'New-AzureKeyVaultCertificateAdministratorDetails', - 'New-AzureKeyVaultCertificateOrganizationDetails' + 'New-AzureKeyVaultCertificateOrganizationDetails', + 'Backup-AzureKeyVaultSecret', + 'Restore-AzureKeyVaultSecret' # Variables to export from this module # VariablesToExport = @() diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Commands.KeyVault.Test.csproj b/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Commands.KeyVault.Test.csproj index 2493a951be5c..e7a5d6c90394 100644 --- a/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Commands.KeyVault.Test.csproj +++ b/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Commands.KeyVault.Test.csproj @@ -66,11 +66,11 @@ ..\..\..\packages\Microsoft.Azure.Graph.RBAC.3.2.0-preview\lib\net45\Microsoft.Azure.Graph.RBAC.dll - ..\..\..\packages\Microsoft.Azure.KeyVault.2.0.2-preview\lib\net45\Microsoft.Azure.KeyVault.dll + ..\..\..\packages\Microsoft.Azure.KeyVault.2.1.0-preview\lib\net45\Microsoft.Azure.KeyVault.dll True - ..\..\..\packages\Microsoft.Azure.KeyVault.WebKey.2.0.0-preview\lib\net45\Microsoft.Azure.KeyVault.WebKey.dll + ..\..\..\packages\Microsoft.Azure.KeyVault.WebKey.2.0.4\lib\net45\Microsoft.Azure.KeyVault.WebKey.dll True diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/ControlPlane/KeyVaultManagementTests.ps1 b/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/ControlPlane/KeyVaultManagementTests.ps1 index e22c4c9031fe..4fc1fb33cc0d 100644 --- a/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/ControlPlane/KeyVaultManagementTests.ps1 +++ b/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/ControlPlane/KeyVaultManagementTests.ps1 
@@ -242,7 +242,7 @@ function Test-SetRemoveAccessPolicyByUPN Param($existingVaultName, $rgName, $upn) $PermToKeys = @("encrypt", "decrypt", "unwrapKey", "wrapKey", "verify", "sign", "get", "list", "update", "create", "import", "delete", "backup", "restore") - $PermToSecrets = @("get", "list", "set", "delete") + $PermToSecrets = @("get", "list", "set", "delete", "backup", "restore") $PermToCertificates = @("get", "list", "create", "delete") $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -UserPrincipalName $upn -PermissionsToKeys $PermToKeys -PermissionsToSecrets $PermToSecrets -PermissionsToCertificates $PermToCertificates -PassThru @@ -400,7 +400,7 @@ function Test-ModifyAccessPolicy # Add some perms now $PermToKeys = @("encrypt", "decrypt", "unwrapKey", "wrapKey", "verify", "sign", "get", "list", "update", "create", "import", "delete", "backup", "restore") - $PermToSecrets = @("get", "list", "set", "delete") + $PermToSecrets = @("get", "list", "set", "delete", "backup", "restore") $PermToCertificates = @("list", "delete") $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -PermissionsToSecrets $PermToSecrets -PermissionsToCertificates $PermToCertificates -PassThru diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/RunKeyVaultTests.ps1 b/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/RunKeyVaultTests.ps1 index f6b804526f3f..e63089eb91bf 100644 --- a/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/RunKeyVaultTests.ps1 +++ b/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/RunKeyVaultTests.ps1 
@@ -293,10 +293,10 @@ function Run-AllDataPlaneTests # Backup-AzureKeyVaultKey and Restore-AzureKeyVaultKey tests. Run-TestProtected { Run-KeyTest {Test_BackupRestoreKey} "Test_BackupRestoreKey" } "Test_BackupRestoreKey" - Run-TestProtected { Run-KeyTest {Test_BackupNonExisitingKey} "Test_BackupNonExisitingKey" } "Test_BackupNonExisitingKey" - Run-TestProtected { Run-KeyTest {Test_BackupToANamedFile} "Test_BackupToANamedFile" } "Test_BackupToANamedFile" - Run-TestProtected { Run-KeyTest {Test_BackupToExistingFile} "Test_BackupToExistingFile" } "Test_BackupToExistingFile" - Run-TestProtected { Run-KeyTest {Test_RestoreFromNonExistingFile} "Test_RestoreFromNonExistingFile" } "Test_RestoreFromNonExistingFile" + Run-TestProtected { Run-KeyTest {Test_BackupNonExistingKey} "Test_BackupNonExistingKey" } "Test_BackupNonExistingKey" + Run-TestProtected { Run-KeyTest {Test_BackupKeyToANamedFile} "Test_BackupKeyToANamedFile" } "Test_BackupKeyToANamedFile" + Run-TestProtected { Run-KeyTest {Test_BackupKeyToExistingFile} "Test_BackupKeyToExistingFile" } "Test_BackupKeyToExistingFile" + Run-TestProtected { Run-KeyTest {Test_RestoreKeyFromNonExistingFile} "Test_RestoreKeyFromNonExistingFile" } "Test_RestoreKeyFromNonExistingFile" # *-AzureRmKeyVaultKey pipeline tests. Run-TestProtected { Run-KeyTest {Test_PipelineUpdateKeys} "Test_PipelineUpdateKeys" } "Test_PipelineUpdateKeys" 
@@ -345,7 +345,14 @@ function Run-AllDataPlaneTests Run-TestProtected { Run-SecretTest {Test_RemoveNonExistSecret} "Test_RemoveNonExistSecret" } "Test_RemoveNonExistSecret" Run-TestProtected { Run-SecretTest {Test_RemoveSecretInNoPermissionVault} "Test_RemoveSecretInNoPermissionVault" } "Test_RemoveSecretInNoPermissionVault" - # *-AzureRmKeyVaultKey pipeline tests. + # Backup-AzureKeyVaultSecret and Restore-AzureKeyVaultSecret tests. + Run-TestProtected { Run-SecretTest {Test_BackupRestoreSecret} "Test_BackupRestoreSecret" } "Test_BackupRestoreSecret" + Run-TestProtected { Run-SecretTest {Test_BackupNonExistingSecret} "Test_BackupNonExistingSecret" } "Test_BackupNonExistingSecret" + Run-TestProtected { Run-SecretTest {Test_BackupSecretToANamedFile} "Test_BackupSecretToANamedFile" } "Test_BackupSecretToANamedFile" + Run-TestProtected { Run-SecretTest {Test_BackupSecretToExistingFile} "Test_BackupSecretToExistingFile" } "Test_BackupSecretToExistingFile" + Run-TestProtected { Run-SecretTest {Test_RestoreSecretFromNonExistingFile} "Test_RestoreSecretFromNonExistingFile" } "Test_RestoreSecretFromNonExistingFile" + + # *-AzureRmKeyVaultSecret pipeline tests. Run-TestProtected { Run-SecretTest {Test_PipelineUpdateSecrets} "Test_PipelineUpdateSecrets" } "Test_PipelineUpdateSecrets" Run-TestProtected { Run-SecretTest {Test_PipelineUpdateSecretAttributes} "Test_PipelineUpdateSecretAttributes" } "Test_PipelineUpdateSecretAttributes" Run-TestProtected { Run-SecretTest {Test_PipelineUpdateSecretVersions} "Test_PipelineUpdateSecretVersions" } "Test_PipelineUpdateSecretVersions" diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/VaultKeyTests.ps1 b/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/VaultKeyTests.ps1 index a7b1bcc6c0e5..8553f9bf25f4 100644 --- a/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/VaultKeyTests.ps1 +++ b/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/VaultKeyTests.ps1 
@@ -853,7 +853,7 @@ function Test_BackupRestoreKey .SYNOPSIS Tests backup a none existing key #> -function Test_BackupNonExisitingKey +function Test_BackupNonExistingKey { $keyVault = Get-KeyVault $keyname=Get-KeyName 'backupnonexisting' @@ -865,7 +865,7 @@ function Test_BackupNonExisitingKey .SYNOPSIS Tests backup a key to a specific file and be able to restore #> -function Test_BackupToANamedFile +function Test_BackupKeyToANamedFile { $keyVault = Get-KeyVault $keyname=Get-KeyName 'backupnamedfile' @@ -885,7 +885,7 @@ function Test_BackupToANamedFile .SYNOPSIS Tests backup a key to a specific file which exists #> -function Test_BackupToExistingFile +function Test_BackupKeyToExistingFile { $keyVault = Get-KeyVault $keyname=Get-KeyName 'backupexistingfile' @@ -904,7 +904,7 @@ function Test_BackupToExistingFile .SYNOPSIS Tests restore a key from a none existing file #> -function Test_RestoreFromNonExistingFile +function Test_RestoreKeyFromNonExistingFile { $keyVault = Get-KeyVault diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/VaultSecretTests.ps1 b/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/VaultSecretTests.ps1 index 64251ba190a5..d50cf7dceef0 100644 --- a/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/VaultSecretTests.ps1 +++ b/src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/VaultSecretTests.ps1 
@@ -652,6 +652,90 @@ function Test_RemoveSecretInNoPermissionVault Assert-Throws {Remove-AzureKeyVaultSecret -VaultName $keyVault -Name $secretname -Force -Confirm:$false} } +<# +.SYNOPSIS +Tests backup and restoring of a secret +#> +function Test_BackupRestoreSecret +{ + $keyVault = Get-KeyVault + $name=Get-SecretName 'backuprestore' + $secret=Set-AzureKeyVaultSecret -VaultName $keyVault -Name $name -SecretValue $securedata + Assert-NotNull $secret + $global:createdSecrets += $name + + $backupblob = Backup-AzureKeyVaultSecret -VaultName $keyVault -SecretName $name + Remove-AzureKeyVaultSecret -VaultName $keyVault -Name $name -Force -Confirm:$false + $restoredSecret = Restore-AzureKeyVaultSecret -VaultName $keyVault -InputFile $backupblob + + $retrievedSecret = Get-AzureKeyVaultSecret -VaultName $keyVault -SecretName $name + Assert-AreEqual $retrievedSecret.SecretValueText $securedata +} + +<# +.SYNOPSIS +Tests backup of a non-existing secret +#> +function Test_BackupNonExistingSecret +{ + $keyVault = Get-KeyVault + $name=Get-SecretName 'backupnonexisting' + + Assert-Throws { Backup-AzureKeyVaultSecret -VaultName $keyVault -SecretName $name } +} + +<# +.SYNOPSIS +Tests backup of a secret to a specific file and ability to restore +#> +function Test_BackupSecretToANamedFile +{ + $keyVault = Get-KeyVault + $name=Get-SecretName 'backupnamedfile' + $secret=Set-AzureKeyVaultSecret -VaultName $keyVault -Name $name -SecretValue $securedata + Assert-NotNull $secret + $global:createdSecrets += $name + + $backupfile='.\backup' + ([GUID]::NewGuid()).GUID.ToString() + '.blob' + + Backup-AzureKeyVaultSecret -VaultName $keyVault -SecretName $name -OutputFile $backupfile + Remove-AzureKeyVaultSecret -VaultName $keyVault -Name $name -Force -Confirm:$false + $restoredSecret = Restore-AzureKeyVaultSecret -VaultName $keyVault -InputFile $backupfile + + $retrievedSecret = Get-AzureKeyVaultSecret -VaultName $keyVault -SecretName $name + Assert-AreEqual $retrievedSecret.SecretValueText 
$securedata +} + +<# +.SYNOPSIS +Tests backup of a key to a specific, existing file +#> +function Test_BackupSecretToExistingFile +{ + $keyVault = Get-KeyVault + $name=Get-SecretName 'backupexistingfile' + $secret=Set-AzureKeyVaultSecret -VaultName $keyVault -Name $name -SecretValue $securedata + Assert-NotNull $secret + $global:createdSecrets += $name + + $backupfile='.\backup' + ([GUID]::NewGuid()).GUID.ToString() + '.blob' + + Backup-AzureKeyVaultSecret -VaultName $keyVault -SecretName $name -OutputFile $backupfile + Assert-Throws { Backup-AzureKeyVaultSecret -VaultName $keyVault -SecretName $name -OutputFile $backupfile } +} + + +<# +.SYNOPSIS +Tests restoring a secret from a non-existing file +#> +function Test_RestoreSecretFromNonExistingFile +{ + $keyVault = Get-KeyVault + + Assert-Throws { Restore-AzureKeyVaultSecret -VaultName $keyVault -InputFile c:\nonexisting.blob } +} + <# .SYNOPSIS Tests pipeline commands to update values of multiple secrets diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault.Test/packages.config b/src/ResourceManager/KeyVault/Commands.KeyVault.Test/packages.config index b5e626a4ca2a..db042831a5d1 100644 --- a/src/ResourceManager/KeyVault/Commands.KeyVault.Test/packages.config +++ b/src/ResourceManager/KeyVault/Commands.KeyVault.Test/packages.config @@ -4,8 +4,8 @@ - - + + diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault/Commands.KeyVault.csproj b/src/ResourceManager/KeyVault/Commands.KeyVault/Commands.KeyVault.csproj index 25ce035d6641..3ccd4113ce94 100644 --- a/src/ResourceManager/KeyVault/Commands.KeyVault/Commands.KeyVault.csproj +++ b/src/ResourceManager/KeyVault/Commands.KeyVault/Commands.KeyVault.csproj @@ -52,6 +52,8 @@ + + 
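Review bot: The new secret backup tests in VaultSecretTests.ps1 leave their backup files on disk: `Test_BackupSecretToANamedFile` and `Test_BackupSecretToExistingFile` write `.\backup<GUID>.blob`, `Test_BackupRestoreSecret` writes the default file returned in `$backupblob`, and none of them removes the file afterwards. These blobs are backups of secret material, so each test should end with `Remove-Item $backupfile -Force -ErrorAction SilentlyContinue` (or `$backupblob`), ideally in a `finally` block so a failed assertion does not skip it. `$restoredSecret` is assigned but never asserted on. The synopsis of `Test_BackupSecretToExistingFile` still says "key"; `Tests backup of a secret to a specific, existing file` would match.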
@@ -156,11 +158,11 @@ ..\..\..\packages\Microsoft.Azure.Graph.RBAC.3.2.0-preview\lib\net45\Microsoft.Azure.Graph.RBAC.dll - ..\..\..\packages\Microsoft.Azure.KeyVault.2.0.2-preview\lib\net45\Microsoft.Azure.KeyVault.dll + ..\..\..\packages\Microsoft.Azure.KeyVault.2.1.0-preview\lib\net45\Microsoft.Azure.KeyVault.dll True - ..\..\..\packages\Microsoft.Azure.KeyVault.WebKey.2.0.0-preview\lib\net45\Microsoft.Azure.KeyVault.WebKey.dll + ..\..\..\packages\Microsoft.Azure.KeyVault.WebKey.2.0.4\lib\net45\Microsoft.Azure.KeyVault.WebKey.dll True diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault/Commands/BackupAzureKeyVaultKey.cs b/src/ResourceManager/KeyVault/Commands.KeyVault/Commands/BackupAzureKeyVaultKey.cs index e22173e016aa..dfe2c8366aea 100644 --- a/src/ResourceManager/KeyVault/Commands.KeyVault/Commands/BackupAzureKeyVaultKey.cs +++ b/src/ResourceManager/KeyVault/Commands.KeyVault/Commands/BackupAzureKeyVaultKey.cs @@ -12,10 +12,9 @@ // limitations under the License. // ---------------------------------------------------------------------------------- -using Microsoft.Azure.Commands.KeyVault.Models; using System; -using System.IO; using System.Management.Automation; +using Microsoft.Azure.Commands.KeyVault.Models; using KeyVaultProperties = Microsoft.Azure.Commands.KeyVault.Properties; namespace Microsoft.Azure.Commands.KeyVault @@ -29,8 +28,6 @@ namespace Microsoft.Azure.Commands.KeyVault [OutputType(typeof(String))] public class BackupAzureKeyVaultKey : KeyVaultCmdletBase { - public static readonly DateTime EpochDate = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc); - #region Input Parameter Definitions /// 
@@ -72,32 +69,15 @@ public override void ExecuteCmdlet() { if (string.IsNullOrEmpty(OutputFile)) { - OutputFile = GetDefaultFile(); + OutputFile = GetDefaultFileForOperation("backup", VaultName, Name); } - var filePath = ResolvePath(OutputFile); + var filePath = ResolvePathFromFilename(OutputFile, throwOnPreExisting: true, errorMessage: KeyVaultProperties.Resources.BackupKeyFileAlreadyExists); var backupBlobPath = this.DataServiceClient.BackupKey(VaultName, Name, filePath); this.WriteObject(backupBlobPath); } } - - private string GetDefaultFile() - { - var currentPath = CurrentPath(); - var filename = string.Format("{0}\\backup-{1}-{2}-{3}", currentPath, VaultName, Name, DateTime.UtcNow.Subtract(EpochDate).TotalSeconds); - return filename; - } - - private string ResolvePath(string filePath) - { - FileInfo keyFile = new FileInfo(this.GetUnresolvedProviderPathFromPSPath(filePath)); - if (keyFile.Exists) - { - throw new IOException(string.Format(KeyVaultProperties.Resources.BackupKeyFileAlreadyExists, filePath)); - } - return keyFile.FullName; - } } } diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault/Commands/BackupAzureKeyVaultSecret.cs b/src/ResourceManager/KeyVault/Commands.KeyVault/Commands/BackupAzureKeyVaultSecret.cs new file mode 100644 index 000000000000..a8a2f70fd94d --- /dev/null +++ b/src/ResourceManager/KeyVault/Commands.KeyVault/Commands/BackupAzureKeyVaultSecret.cs 
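Review bot: The pre-existing-file check now runs in `ResolvePathFromFilename(OutputFile, throwOnPreExisting: true, ...)` before `DataServiceClient.BackupKey` writes the blob, so the overwrite protection holds only if nothing creates the file in between. The writer is not in this hunk; if it overwrites by default, opening the file there with `FileMode.CreateNew` would make the check and the write a single atomic step. `GetDefaultFileForOperation("backup", VaultName, Name)` builds the default path from caller-supplied names and its body is not visible here, so it is worth confirming that the result always stays under the current directory. The same two calls appear in `BackupAzureKeyVaultSecret.ExecuteCmdlet` later in this patch. `ExecuteCmdlet` starts outside the hunk.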
@@ -0,0 +1,83 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Management.Automation;
+using Microsoft.Azure.Commands.KeyVault.Models;
+using KeyVaultProperties = Microsoft.Azure.Commands.KeyVault.Properties;
+
+namespace Microsoft.Azure.Commands.KeyVault
+{
+ ///
+ /// Requests that a backup of the specified key be downloaded and stored to a file
+ ///
+ [Cmdlet( VerbsData.Backup, "AzureKeyVaultSecret",
+ SupportsShouldProcess = true,
+ HelpUri = Constants.KeyVaultHelpUri )]
+ [OutputType( typeof( String ) )]
+ public class BackupAzureKeyVaultSecret : KeyVaultCmdletBase
+ {
+ #region Input Parameter Definitions
+
+ ///
+ /// Vault name
+ ///
+ [Parameter( Mandatory = true,
+ Position = 0,
+ ValueFromPipelineByPropertyName = true,
+ HelpMessage = "Vault name. Cmdlet constructs the FQDN of a vault based on the name and currently selected environment." )]
+ [ValidateNotNullOrEmpty]
+ public string VaultName { get; set; }
+
+ ///
+ /// Key name
+ ///
+ [Parameter( Mandatory = true,
+ Position = 1,
+ ValueFromPipelineByPropertyName = true,
+ HelpMessage = "Secret name. Cmdlet constructs the FQDN of a secret from vault name, currently selected environment and secret name." )]
+ [ValidateNotNullOrEmpty]
+ [Alias( Constants.SecretName )]
+ public string Name { get; set; }
+
+ ///
+ /// The output file in which the backup blob is to be stored
+ ///
+ [Parameter( Mandatory = false,
+ Position = 2,
+ ValueFromPipelineByPropertyName = true,
+ HelpMessage = "Output file. The output file to store the backed up secret blob in. If not present, a default filename is chosen." )]
+ [ValidateNotNullOrEmpty]
+ public string OutputFile { get; set; }
+
+ #endregion Input Parameter Definition
+
+ public override void ExecuteCmdlet( )
+ {
+ if ( ShouldProcess( Name, Properties.Resources.BackupSecret ) )
+ {
+ if ( string.IsNullOrEmpty( OutputFile ) )
+ {
+ OutputFile = GetDefaultFileForOperation("backup", VaultName, Name);
+ }
+
+ var filePath = ResolvePathFromFilename(OutputFile, throwOnPreExisting: true, errorMessage: KeyVaultProperties.Resources.BackupSecretFileAlreadyExists);
+
+ var backupBlobPath = this.DataServiceClient.BackupSecret(VaultName, Name, filePath);
+
+ this.WriteObject( backupBlobPath );
+ }
+ }
+ }
+}
diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault/Commands/RestoreAzureKeyVaultSecret.cs b/src/ResourceManager/KeyVault/Commands.KeyVault/Commands/RestoreAzureKeyVaultSecret.cs
new file mode 100644
index 000000000000..49e38a0dd5ac
--- /dev/null
+++ b/src/ResourceManager/KeyVault/Commands.KeyVault/Commands/RestoreAzureKeyVaultSecret.cs
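Review bot: The XML doc comments in BackupAzureKeyVaultSecret.cs still describe keys: the class summary reads "backup of the specified key" and the `Name` parameter summary reads "Key name", while the cmdlet and its `HelpMessage` are about secrets. Suggested wording: `/// Requests that a backup of the specified secret be downloaded and stored to a file` and `/// Secret name`. `ExecuteCmdlet` has no doc comment; one line stating that it writes the backup blob to `OutputFile` (or a default file name) and emits the resulting path would help, since the declared output type is only `String`. The region markers also differ (`#region Input Parameter Definitions` vs `#endregion Input Parameter Definition`).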
@@ -0,0 +1,76 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.KeyVault.Models;
+using System.IO;
+using System.Management.Automation;
+using KeyVaultProperties = Microsoft.Azure.Commands.KeyVault.Properties;
+
+namespace Microsoft.Azure.Commands.KeyVault
+{
+ ///
+ /// Restores the backup secret into a vault
+ ///
+ [Cmdlet( VerbsData.Restore, "AzureKeyVaultSecret",
+ SupportsShouldProcess = true,
+ HelpUri = Constants.KeyVaultHelpUri )]
+ [OutputType( typeof( Secret ) )]
+ public class RestoreAzureKeyVaultSecret : KeyVaultCmdletBase
+ {
+ #region Input Parameter Definitions
+
+ ///
+ /// Vault name
+ ///
+ [Parameter( Mandatory = true,
+ Position = 0,
+ ValueFromPipelineByPropertyName = true,
+ HelpMessage = "Vault name. Cmdlet constructs the FQDN of a vault based on the name and currently selected environment." )]
+ [ValidateNotNullOrEmpty]
+ public string VaultName { get; set; }
+
+ ///
+ /// The input file in which the backup blob is stored
+ ///
+ [Parameter( Mandatory = true,
+ Position = 1,
+ HelpMessage = "Input file.
The input file containing the backed-up blob" )] + [ValidateNotNullOrEmpty] + public string InputFile { get; set; } + + #endregion Input Parameter Definitions + + public override void ExecuteCmdlet( ) + { + if ( ShouldProcess( VaultName, Properties.Resources.RestoreSecret ) ) + { + var filePath = ResolvePath(InputFile); + + var restoredSecret = this.DataServiceClient.RestoreSecret(VaultName, filePath); + + this.WriteObject( restoredSecret ); + } + } + + private string ResolvePath( string filePath ) + { + FileInfo secretFile = new FileInfo(this.GetUnresolvedProviderPathFromPSPath(filePath)); + if ( !secretFile.Exists ) + { + throw new FileNotFoundException( string.Format( KeyVaultProperties.Resources.BackupSecretFileNotFound, filePath ) ); + } + return secretFile.FullName; + } + } +} diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault/Commands/SetAzureKeyVaultAccessPolicy.cs b/src/ResourceManager/KeyVault/Commands.KeyVault/Commands/SetAzureKeyVaultAccessPolicy.cs index 48ef09031ab1..2cfdb2c98b8c 100644 --- a/src/ResourceManager/KeyVault/Commands.KeyVault/Commands/SetAzureKeyVaultAccessPolicy.cs +++ b/src/ResourceManager/KeyVault/Commands.KeyVault/Commands/SetAzureKeyVaultAccessPolicy.cs @@ -131,7 +131,7 @@ public class SetAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase ParameterSetName = ByUserPrincipalName, ValueFromPipelineByPropertyName = true, HelpMessage = "Specifies secret operation permissions to grant to a user or service principal.")] - [ValidateSet("get", "list", "set", "delete", "all")] + [ValidateSet("get", "list", "set", "delete", "backup", "restore", "all")] public string[] PermissionsToSecrets { get; set; } /// diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault/Microsoft.Azure.Commands.KeyVault.dll-help.xml b/src/ResourceManager/KeyVault/Commands.KeyVault/Microsoft.Azure.Commands.KeyVault.dll-help.xml index 7e30a33b91f7..7d7222d62772 100644 
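Review bot: `ResolvePath` in RestoreAzureKeyVaultSecret.cs is a new private copy of file-path handling, while this same patch moves the backup cmdlets onto the shared `ResolvePathFromFilename` helper; if that helper (not visible here) can express a must-exist check, the restore cmdlet should use it so the two sides cannot drift apart. `FileInfo.Exists` is also false when the path names a directory, so that case is reported as `BackupSecretFileNotFound` even though something is there. The confirmation target passed to `ShouldProcess` is only `VaultName`, so a `-WhatIf` or `-Confirm` prompt does not show which backup file would be restored; resolving the path first and including it in the target would make the prompt say what is about to be written into the vault. `ResolvePath` has no doc comment; a one-line summary stating that it throws `FileNotFoundException` when the input file is missing would be enough.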
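Review bot: Adding `backup` and `restore` to the `ValidateSet` on `PermissionsToSecrets` in SetAzureKeyVaultAccessPolicy.cs widens what an access policy can grant, but the `HelpMessage` above it still only says "Specifies secret operation permissions to grant to a user or service principal." A principal holding `backup` can export a secret as a blob file, so the permission deserves the same care as `get`. A comment such as `// backup exports the secret as a restorable blob; grant it deliberately, not by default` next to the attribute, and a matching sentence in the help text, would make that visible to operators. Whether the existing `all` value now also covers these two operations is decided by the service and cannot be told from this hunk. The property's other `[Parameter]` attributes lie outside the hunk.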
--- a/src/ResourceManager/KeyVault/Commands.KeyVault/Microsoft.Azure.Commands.KeyVault.dll-help.xml +++ b/src/ResourceManager/KeyVault/Commands.KeyVault/Microsoft.Azure.Commands.KeyVault.dll-help.xml @@ -1,5 +1,5 @@ - - + + Add-AzureKeyVaultCertificate @@ -49,7 +49,7 @@ False Tag -A hashtable representing certificate tags. +Specifies a hash table that contains certificate tags. Hashtable @@ -104,7 +104,7 @@ False Tag -A hashtable representing certificate tags. +Specifies a hash table that contains certificate tags. Hashtable @@ -184,6 +184,8 @@ Updated : 2/8/2016 11:21:45 PM The final command uses the Get-AzureKeyVaultCertificate cmdlet to get the certificate. + + @@ -316,6 +318,8 @@ Updated : 2/8/2016 11:21:45 PM PS C:\>Add-AzureKeyVaultCertificateContact -VaultName "ContosoKV01" -EmailAddress "patti.fuller@contoso.com" -PassThru This command adds Patti Fuller as a certificate contact for the ContosoKV01 key vault and returns the KeyVaultCertificateContact object. + + 
@@ -337,15 +341,15 @@ Updated : 2/8/2016 11:21:45 PM The Add-AzureKeyVaultKey cmdlet creates a key in a key vault in Azure Key Vault, or imports a key into a key vault. Use this cmdlet to add keys by using any of the following methods: --- Create a key in a hardware security module (HSM) in the Key Vault service. +- Create a key in a hardware security module (HSM) in the Key Vault service. --- Create a key in software in the Key Vault service. +- Create a key in software in the Key Vault service. --- Import a key from your own hardware security module (HSM) to HSMs in the Key Vault service. +- Import a key from your own hardware security module (HSM) to HSMs in the Key Vault service. --- Import a key from a .pfx file on your computer. +- Import a key from a .pfx file on your computer. --- Import a key from a .pfx file on your computer to hardware security modules (HSMs) in the Key Vault service. +- Import a key from a .pfx file on your computer to hardware security modules (HSMs) in the Key Vault service. 
@@ -382,11 +386,11 @@ Updated : 2/8/2016 11:21:45 PM Note: To use HSM as your destination, you must have a key vault that supports HSMs. For more information about the service tiers and capabilities for Azure Key Vault, see the Azure Key Vault Pricing website (http://go.microsoft.com/fwlink/?linkid=512521). -This parameter is required when you create a new key. If you import a key by using the KeyFilePath parameter, this parameter is optional: +This parameter is required when you create a new key. If you import a key by using the KeyFilePath parameter, this parameter is optional: --- If you do not specify this parameter, and this cmdlet imports a key that has .byok file name extension, it imports that key as an HSM-protected key. The cmdlet cannot import that key as software-protected key. +- If you do not specify this parameter, and this cmdlet imports a key that has .byok file name extension, it imports that key as an HSM-protected key. The cmdlet cannot import that key as software-protected key. --- If you do not specify this parameter, and this cmdlet imports a key that has a .pfx file name extension, it imports the key as a software-protected key. +- If you do not specify this parameter, and this cmdlet imports a key that has a .pfx file name extension, it imports the key as a software-protected key. HSM 
@@ -408,7 +412,7 @@ Updated : 2/8/2016 11:21:45 PM False Expires -Specifies the expiration time, as a DateTime object, for the key that this cmdlet adds. This parameter uses Coordinated Universal Time (UTC). To obtain a DateTime object, use the Get-Date cmdlet. For more information, type Get-Help Get-Date. If you do not specify this parameter, the key does not expire. +Specifies the expiration time, as a DateTime object, for the key that this cmdlet adds. This parameter uses Coordinated Universal Time (UTC). To obtain a DateTime object, use the Get-Date cmdlet. For more information, type `Get-Help Get-Date`. If you do not specify this parameter, the key does not expire. DateTime @@ -421,21 +425,21 @@ Updated : 2/8/2016 11:21:45 PM The acceptable values for this parameter are a comma-separated list of key operations as defined by the JSON Web Key (JWK) specification (http://go.microsoft.com/fwlink/?LinkID=613300&clcid=0x409): --- Encrypt +- Encrypt --- Decrypt +- Decrypt --- Wrap +- Wrap --- Unwrap +- Unwrap --- Sign +- Sign --- Verify +- Verify --- Backup +- Backup --- Restore +- Restore String[] 
@@ -461,7 +465,15 @@ Updated : 2/8/2016 11:21:45 PM False Tag -A hashtable representing key tags. +Specifies a hash table that contains certificate tags. + +To use HSM as your destination, you must have a key vault that supports HSMs. For more information about the service tiers and capabilities for Azure Key Vault, see the Azure Key Vault Pricing website (http://go.microsoft.com/fwlink/?linkid=512521). + +This parameter is required when you create a new key. If you import a key by using the KeyFilePath parameter, this parameter is optional: + +- If you do not specify this parameter, and this cmdlet imports a key that has .byok file name extension, it imports that key as an HSM-protected key. The cmdlet cannot import that key as software-protected key. + +- If you do not specify this parameter, and this cmdlet imports a key that has a .pfx file name extension, it imports the key as a software-protected key. Hashtable 
@@ -502,11 +514,11 @@ Updated : 2/8/2016 11:21:45 PM Note: To use HSM as your destination, you must have a key vault that supports HSMs. For more information about the service tiers and capabilities for Azure Key Vault, see the Azure Key Vault Pricing website (http://go.microsoft.com/fwlink/?linkid=512521). -This parameter is required when you create a new key. If you import a key by using the KeyFilePath parameter, this parameter is optional: +This parameter is required when you create a new key. If you import a key by using the KeyFilePath parameter, this parameter is optional: --- If you do not specify this parameter, and this cmdlet imports a key that has .byok file name extension, it imports that key as an HSM-protected key. The cmdlet cannot import that key as software-protected key. +- If you do not specify this parameter, and this cmdlet imports a key that has .byok file name extension, it imports that key as an HSM-protected key. The cmdlet cannot import that key as software-protected key. --- If you do not specify this parameter, and this cmdlet imports a key that has a .pfx file name extension, it imports the key as a software-protected key. +- If you do not specify this parameter, and this cmdlet imports a key that has a .pfx file name extension, it imports the key as a software-protected key. HSM 
@@ -528,7 +540,7 @@ Updated : 2/8/2016 11:21:45 PM False Expires -Specifies the expiration time, as a DateTime object, for the key that this cmdlet adds. This parameter uses Coordinated Universal Time (UTC). To obtain a DateTime object, use the Get-Date cmdlet. For more information, type Get-Help Get-Date. If you do not specify this parameter, the key does not expire. +Specifies the expiration time, as a DateTime object, for the key that this cmdlet adds. This parameter uses Coordinated Universal Time (UTC). To obtain a DateTime object, use the Get-Date cmdlet. For more information, type `Get-Help Get-Date`. If you do not specify this parameter, the key does not expire. DateTime @@ -537,7 +549,7 @@ Updated : 2/8/2016 11:21:45 PM None KeyFilePassword -Specifies a password for the imported file as a SecureString object. To obtain a SecureString object, use the ConvertTo-SecureString cmdlet. For more information, type Get-Help ConvertTo-SecureString. You must specify this password to import a file with a .pfx file name extension. +Specifies a password for the imported file as a SecureString object. To obtain a SecureString object, use the ConvertTo-SecureString cmdlet. For more information, type `Get-Help ConvertTo-SecureString`. You must specify this password to import a file with a .pfx file name extension. SecureString 
@@ -548,9 +560,9 @@ Updated : 2/8/2016 11:21:45 PM KeyFilePath Specifies the path of a local file that contains key material that this cmdlet imports. The valid file name extensions are .byok and .pfx. --- If the file is a .byok file, the key is automatically protected by HSMs after the import and you cannot override this default. +- If the file is a .byok file, the key is automatically protected by HSMs after the import and you cannot override this default. --- If the file is a .pfx file, the key is automatically protected by software after the import. To override this default, set the Destination parameter to HSM so that the key is HSM-protected. +- If the file is a .pfx file, the key is automatically protected by software after the import. To override this default, set the Destination parameter to HSM so that the key is HSM-protected. When you specify this parameter, the Destination parameter is optional. @@ -565,21 +577,21 @@ Updated : 2/8/2016 11:21:45 PM The acceptable values for this parameter are a comma-separated list of key operations as defined by the JSON Web Key (JWK) specification (http://go.microsoft.com/fwlink/?LinkID=613300&clcid=0x409): --- Encrypt +- Encrypt --- Decrypt +- Decrypt --- Wrap +- Wrap --- Unwrap +- Unwrap --- Sign +- Sign --- Verify +- Verify --- Backup +- Backup --- Restore +- Restore String[] 
@@ -605,7 +617,15 @@ Updated : 2/8/2016 11:21:45 PM False Tag -A hashtable representing key tags. +Specifies a hash table that contains certificate tags. + +To use HSM as your destination, you must have a key vault that supports HSMs. For more information about the service tiers and capabilities for Azure Key Vault, see the Azure Key Vault Pricing website (http://go.microsoft.com/fwlink/?linkid=512521). + +This parameter is required when you create a new key. If you import a key by using the KeyFilePath parameter, this parameter is optional: + +- If you do not specify this parameter, and this cmdlet imports a key that has .byok file name extension, it imports that key as an HSM-protected key. The cmdlet cannot import that key as software-protected key. + +- If you do not specify this parameter, and this cmdlet imports a key that has a .pfx file name extension, it imports the key as a software-protected key. Hashtable 
@@ -628,11 +648,11 @@ Updated : 2/8/2016 11:21:45 PM Note: To use HSM as your destination, you must have a key vault that supports HSMs. For more information about the service tiers and capabilities for Azure Key Vault, see the Azure Key Vault Pricing website (http://go.microsoft.com/fwlink/?linkid=512521). -This parameter is required when you create a new key. If you import a key by using the KeyFilePath parameter, this parameter is optional: +This parameter is required when you create a new key. If you import a key by using the KeyFilePath parameter, this parameter is optional: --- If you do not specify this parameter, and this cmdlet imports a key that has .byok file name extension, it imports that key as an HSM-protected key. The cmdlet cannot import that key as software-protected key. +- If you do not specify this parameter, and this cmdlet imports a key that has .byok file name extension, it imports that key as an HSM-protected key. The cmdlet cannot import that key as software-protected key. --- If you do not specify this parameter, and this cmdlet imports a key that has a .pfx file name extension, it imports the key as a software-protected key. +- If you do not specify this parameter, and this cmdlet imports a key that has a .pfx file name extension, it imports the key as a software-protected key. String 
@@ -650,7 +670,7 @@ Updated : 2/8/2016 11:21:45 PM False Expires -Specifies the expiration time, as a DateTime object, for the key that this cmdlet adds. This parameter uses Coordinated Universal Time (UTC). To obtain a DateTime object, use the Get-Date cmdlet. For more information, type Get-Help Get-Date. If you do not specify this parameter, the key does not expire. +Specifies the expiration time, as a DateTime object, for the key that this cmdlet adds. This parameter uses Coordinated Universal Time (UTC). To obtain a DateTime object, use the Get-Date cmdlet. For more information, type `Get-Help Get-Date`. If you do not specify this parameter, the key does not expire. DateTime @@ -659,7 +679,7 @@ Updated : 2/8/2016 11:21:45 PM None KeyFilePassword -Specifies a password for the imported file as a SecureString object. To obtain a SecureString object, use the ConvertTo-SecureString cmdlet. For more information, type Get-Help ConvertTo-SecureString. You must specify this password to import a file with a .pfx file name extension. +Specifies a password for the imported file as a SecureString object. To obtain a SecureString object, use the ConvertTo-SecureString cmdlet. For more information, type `Get-Help ConvertTo-SecureString`. You must specify this password to import a file with a .pfx file name extension. SecureString 
@@ -670,9 +690,9 @@ Updated : 2/8/2016 11:21:45 PM KeyFilePath Specifies the path of a local file that contains key material that this cmdlet imports. The valid file name extensions are .byok and .pfx. --- If the file is a .byok file, the key is automatically protected by HSMs after the import and you cannot override this default. +- If the file is a .byok file, the key is automatically protected by HSMs after the import and you cannot override this default. --- If the file is a .pfx file, the key is automatically protected by software after the import. To override this default, set the Destination parameter to HSM so that the key is HSM-protected. +- If the file is a .pfx file, the key is automatically protected by software after the import. To override this default, set the Destination parameter to HSM so that the key is HSM-protected. When you specify this parameter, the Destination parameter is optional. @@ -687,21 +707,21 @@ Updated : 2/8/2016 11:21:45 PM The acceptable values for this parameter are a comma-separated list of key operations as defined by the JSON Web Key (JWK) specification (http://go.microsoft.com/fwlink/?LinkID=613300&clcid=0x409): --- Encrypt +- Encrypt --- Decrypt +- Decrypt --- Wrap +- Wrap --- Unwrap +- Unwrap --- Sign +- Sign --- Verify +- Verify --- Backup +- Backup --- Restore +- Restore String[] 
@@ -746,7 +766,15 @@ Updated : 2/8/2016 11:21:45 PM False Tag -A hashtable representing key tags. +Specifies a hash table that contains certificate tags. + +To use HSM as your destination, you must have a key vault that supports HSMs. For more information about the service tiers and capabilities for Azure Key Vault, see the Azure Key Vault Pricing website (http://go.microsoft.com/fwlink/?linkid=512521). + +This parameter is required when you create a new key. If you import a key by using the KeyFilePath parameter, this parameter is optional: + +- If you do not specify this parameter, and this cmdlet imports a key that has .byok file name extension, it imports that key as an HSM-protected key. The cmdlet cannot import that key as software-protected key. + +- If you do not specify this parameter, and this cmdlet imports a key that has a .pfx file name extension, it imports the key as a software-protected key. Hashtable @@ -786,12 +814,16 @@ Updated : 2/8/2016 11:21:45 PM PS C:\>Add-AzureKeyVaultKey -VaultName 'Contoso' -Name 'ITSoftware' -Destination 'Software' This command creates a software-protected key named ITSoftware in the key vault named Contoso. + + Example 2: Create an HSM-protected key PS C:\>Add-AzureKeyVaultKey -VaultName 'Contoso' -Name 'ITHsm' -Destination 'HSM' This command creates an HSM-protected key in the key vault named Contoso. + + Example 3: Create a key with non-default values 
@@ -802,12 +834,14 @@ PS C:\> $Tags = @{'Severity' = 'high'; 'Accounting' = null} PS C:\> Add-AzureKeyVaultKey -VaultName 'Contoso' -Name 'ITHsmNonDefault' -Destination 'HSM' -Expires $Expires -NotBefore $NotBefore -KeyOps $KeyOperations -Disable -Tags $Tags The first command stores the values decrypt and verify in the $KeyOperations variable. -The second command creates a DateTime object, defined in UTC, by using the Get-Date cmdlet. That object specifies a time two years in the future. The command stores that date in the $Expires variable. For more information, type Get-Help Get-Date. +The second command creates a DateTime object, defined in UTC, by using the Get-Date cmdlet. That object specifies a time two years in the future. The command stores that date in the $Expires variable. For more information, type `Get-Help Get-Date`. The third command creates a DateTime object by using the Get-Date cmdlet. That object specifies current UTC time. The command stores that date in the $NotBefore variable. The final command creates a key named ITHsmNonDefault that is an HSM-protected key. The command specifies values for allowed key operations stored $KeyOperations. The command specifies times for the Expires and NotBefore parameters created in the previous commands, and tags for high severity and IT. The new key is disabled. You can enable it by using the Set-AzureKeyVaultKey cmdlet. + + Example 4: Import an HSM-protected key 
@@ -816,15 +850,19 @@ PS C:\> Add-AzureKeyVaultKey -VaultName 'Contoso' -Name 'ITHsmNonDefault' -De To import a key from your own hardware security module, you must first generate a BYOK package (a file with a .byok file name extension) by using the Azure Key Vault BYOK toolset. For more information, see How to Generate and Transfer HSM-Protected Keys for Azure Key Vault (http://go.microsoft.com/fwlink/?LinkId=522252). + + Example 5: Import a software-protected key PS C:\>$Password = ConvertTo-SecureString -String 'Password' -AsPlainText -Force PS C:\> Add-AzureKeyVaultKey -VaultName 'Contoso' -Name 'ITPfx' -KeyFilePath 'C:\Contoso\ITPfx.pfx' -KeyFilePassword $Password -The first command converts a string into a secure string by using the ConvertTo-SecureString cmdlet, and then stores that string in the $Password variable. For more information, type Get-Help ConvertTo-SecureString. +The first command converts a string into a secure string by using the ConvertTo-SecureString cmdlet, and then stores that string in the $Password variable. For more information, type `Get-Help ConvertTo-SecureString`. The second command creates a software password in the Contoso key vault. The command specifies the location for the key and the password stored in $Password. + + Example 6: Import a key and assign attributes @@ -840,6 +878,8 @@ PS C:\> Add-AzureKeyVaultKey -VaultName 'Contoso' -Name 'ITPfxToHSM' -Destina The final command imports a key as an HSM key from the specified location. The command specifies the expiration time stored in $Expires and password stored in $Password, and applies the tags stored in $tags. + + 
@@ -872,9 +912,9 @@ PS C:\> Add-AzureKeyVaultKey -VaultName 'Contoso' -Name 'ITPfxToHSM' -Destina Typical reasons to use this cmdlet are: --- You want to escrow a copy of your key, so that you have an offline copy in case you accidentally delete your key in your key vault. +- You want to escrow a copy of your key, so that you have an offline copy in case you accidentally delete your key in your key vault. --- You created a key using Key Vault and now want to clone the key into a different Azure region, so that you can use it from all instances of your distributed application. Use the Backup-AzureKeyVaultKey cmdlet to retrieve the key in encrypted format and then use the Restore-AzureKeyVaultKey cmdlet and specify a key vault in the second region. +- You created a key using Key Vault and now want to clone the key into a different Azure region, so that you can use it from all instances of your distributed application. Use the Backup-AzureKeyVaultKey cmdlet to retrieve the key in encrypted format and then use the Restore-AzureKeyVaultKey cmdlet and specify a key vault in the second region. Backup-AzureKeyVaultKey @@ -979,12 +1019,16 @@ PS C:\> Add-AzureKeyVaultKey -VaultName 'Contoso' -Name 'ITPfxToHSM' -Destina PS C:\>Backup-AzureKeyVaultKey -VaultName 'MyKeyVault' -Name 'MyKey' This command retrieves the key named MyKey from the key vault named MyKeyVault and saves a backup of that key to a file that is automatically named for you, and displays the file name. + + Example 2: Back up a key to a specified file name PS C:\>Backup-AzureKeyVaultKey -VaultName 'MyKeyVault' -Name 'MyKey' -OutputFile 'C:\Backup.blob' This command retrieves the key named MyKey from the key vaultnamed MyKeyVault and saves a backup of that key to a file named Backup.blob. + + 
@@ -1006,6 +1050,155 @@ PS C:\> Add-AzureKeyVaultKey -VaultName 'Contoso' -Name 'ITPfxToHSM' -Destina +Backup-AzureKeyVaultSecret +Backup +AzureKeyVaultSecret +Backs up a secret in a key vault. + + + +The Backup-AzureKeyVaultSecret cmdlet backs up a specified secret in a key vault by downloading it and storing it in a file. If there are multiple versions of the secret, all versions are included in the backup. Because the downloaded content is encrypted, it cannot be used outside of Azure Key Vault. You can restore a backed-up secret to any key vault in the subscription that it was backed up from. + +Typical reasons to use this cmdlet are: + +- You want to escrow a copy of your secret, so that you have an offline copy in case you accidentally delete your secret in your key vault. + +- You added a secret to a key vault and now want to clone the secret into a different Azure region, so that you can use it from all instances of your distributed application. Use the Backup-AzureKeyVaultSecret cmdlet to retrieve the secret in encrypted format and then use the Restore-AzureKeyVaultSecret cmdlet and specify a key vault in the second region. (Note that the regions must belong to the same geography.) + + +Backup-AzureKeyVaultSecret +VaultName +Specifies the name of the key vault that contains the secret to back up. + + +String +String + +None + +Name +Specifies the name of the secret to back up. + + +String +String + +None + +OutputFile +Specifies the output file in which the backup blob is stored. If you do not specify this parameter, this cmdlet generates a file name for you. If you specify the name of an existing output file, the operation will not complete and returns an error message that the backup file already exists. + + +String +String + +None + +Confirm +Prompts you for confirmation before running the cmdlet. + + +SwitchParameter + +False + +WhatIf +Shows what would happen if the cmdlet runs. The cmdlet is not run. 
+ + +SwitchParameter + +False + + + +Name +Specifies the name of the secret to back up. + + +String +String + +None + +OutputFile +Specifies the output file in which the backup blob is stored. If you do not specify this parameter, this cmdlet generates a file name for you. If you specify the name of an existing output file, the operation will not complete and returns an error message that the backup file already exists. + + +String +String + +None + +VaultName +Specifies the name of the key vault that contains the secret to back up. + + +String +String + +None + +Confirm +Prompts you for confirmation before running the cmdlet. + + +SwitchParameter +SwitchParameter + +False + +WhatIf +Shows what would happen if the cmdlet runs. The cmdlet is not run. + + +SwitchParameter +SwitchParameter + +False + + + + + + + + +Example 1: Back up a secret with an automatically generated file name +PS C:\>Backup-AzureKeyVaultSecret -VaultName 'MyKeyVault' -Name 'MySecret' +This command retrieves the secret named MySecret from the key vault named MyKeyVault and saves a backup of that secret to a file that is automatically named for you, and displays the file name. + + + + + +Example 2: Back up a secret to a specified file name +PS C:\>Backup-AzureKeyVaultSecret -VaultName 'MyKeyVault' -Name 'MySecret' -OutputFile 'C:\Backup.blob' +This command retrieves the secret named MySecret from the key vaultnamed MyKeyVault and saves a backup of that secret to a file named Backup.blob. + + + + + + +Online Version: +http://go.microsoft.com/fwlink/?LinkId=690296 + +Set-AzureKeyVaultSecret + + +Get-AzureKeyVaultSecret + + +Remove-AzureKeyVaultSecret + + +Restore-AzureKeyVaultSecret + + + + + Get-AzureKeyVaultCertificate Get AzureKeyVaultCertificate @@ -1145,6 +1338,8 @@ Created : 2/8/2016 11:21:45 PM Updated : 2/8/2016 11:21:45 PM This command gets the certificate named TestCert01 from the key vault named ContosoKV01. + + 
@@ -1205,6 +1400,8 @@ Updated : 2/8/2016 11:21:45 PM PS C:\>$Contacts = Get-AzureKeyVaultCertificateContact -VaultName "Contoso" This command gets all of the contacts for the certificate objects in the Contoso key vault, and then stores them in the $Contacts variable. + + @@ -1288,13 +1485,15 @@ ApiKey : OrganizationDetails : Microsoft.Azure.Commands.KeyVault.Models.KeyVaultCertificateOrganizationDetails This command gets the certificate issuer named TestIssuer01. + + -Set-AzureKeyVaultCertificateIssuer +Remove-AzureKeyVaultCertificateIssuer -Remove-AzureKeyVaultCertificateIssuer +Set-AzureKeyVaultCertificateIssuer Set-AzureKeyVaultCertificateIssuer @@ -1379,6 +1578,8 @@ ErrorCode : ErrorMessage : This command gets the status of the certificate operation for TestCert01 on the ContosoKV01 key vault. + + @@ -1473,6 +1674,8 @@ Created : 2/8/2016 11:10:29 PM Updated : 2/8/2016 11:10:29 PM This command gets the certificate policy for TestCert01 certificate in the ContosoKV01 key vault. + + @@ -1492,7 +1695,7 @@ Updated : 2/8/2016 11:10:29 PM -The Get-AzureKeyVaultKey cmdlet gets Azure Key Vault keys. This cmdlet gets a specific Microsoft.Azure.Commands.KeyVault.Models.KeyBundle or a list of all KeyBundle objects in a key vault or by version. +The Get-AzureKeyVaultKey cmdlet gets Azure Key Vault keys. This cmdlet gets a specific Microsoft.Azure.Commands.KeyVault.Models.KeyBundle or a list of all KeyBundle objects in a key vault or by version. Get-AzureKeyVaultKey 
@@ -1517,7 +1720,7 @@ Updated : 2/8/2016 11:10:29 PM IncludeVersions Indicates that this cmdlet gets all versions of a key. The current version of a key is the first one on the list. If you specify this parameter you must also specify the Name and VaultName parameters. -If you do not specify the IncludeVersions parameter, this cmdlet gets the current version of the key with the specified Name. +If you do not specify the IncludeVersions parameter, this cmdlet gets the current version of the key with the specified Name . SwitchParameter @@ -1558,7 +1761,7 @@ Updated : 2/8/2016 11:10:29 PM IncludeVersions Indicates that this cmdlet gets all versions of a key. The current version of a key is the first one on the list. If you specify this parameter you must also specify the Name and VaultName parameters. -If you do not specify the IncludeVersions parameter, this cmdlet gets the current version of the key with the specified Name. +If you do not specify the IncludeVersions parameter, this cmdlet gets the current version of the key with the specified Name . SwitchParameter 
@@ -1616,24 +1819,32 @@ Updated : 2/8/2016 11:10:29 PM PS C:\>Get-AzureKeyVaultKey -VaultName 'Contoso' This command gets all the keys in the key vault named Contoso. + + Example 2: Get the current version of a key PS C:\>Get-AzureKeyVaultKey -VaultName 'Contoso' -KeyName 'ITPfx' This command gets the current version of the key named ITPfx in the key vault named Contoso. + + Example 3: Get all versions of a key PS C:\>Get-AzureKeyVaultKey -VaultName 'Contoso' -KeyName 'ITPfx' -IncludeVersions This command gets all versions the key named ITPfx in the key vaultnamed Contoso. + + Example 4: Get a specific version of a key PS C:\>$Key = Get-AzureKeyVaultKey -VaultName 'Contoso' -KeyName 'ITPfx' -Version '5A12A276385949DB8B5F82AFEE85CAED' This command gets a specific version of the key named ITPfx in the key vault named Contoso. After running this command, you can inspect various properties of the key by navigating the $Key object. + + @@ -1684,7 +1895,7 @@ Updated : 2/8/2016 11:10:29 PM IncludeVersions Indicates that this cmdlet gets all versions of a secret. The current version of a secret is the first one on the list. If you specify this parameter you must also specify the Name and VaultName parameters. -If you do not specify the IncludeVersions parameter, this cmdlet gets the current version of the secret with the specified Name. +If you do not specify the IncludeVersions parameter, this cmdlet gets the current version of the secret with the specified Name . SwitchParameter 
@@ -1725,7 +1936,7 @@ Updated : 2/8/2016 11:10:29 PM IncludeVersions Indicates that this cmdlet gets all versions of a secret. The current version of a secret is the first one on the list. If you specify this parameter you must also specify the Name and VaultName parameters. -If you do not specify the IncludeVersions parameter, this cmdlet gets the current version of the secret with the specified Name. +If you do not specify the IncludeVersions parameter, this cmdlet gets the current version of the secret with the specified Name . SwitchParameter @@ -1783,24 +1994,32 @@ Updated : 2/8/2016 11:10:29 PM PS C:\>Get-AzureKeyVaultSecret -VaultName 'Contoso' This command gets the current versions of all secrets in the key vault named Contoso. + + Example 2: Get all versions of a specific secret PS C:\>Get-AzureKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret' -IncludeVersions This command gets all versions of the secret named ITSecret in the key vault named Contoso. + + Example 3: Get the current version of a specific secret PS C:\>Get-AzureKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret' This command gets the current version of the secret named ITSecret in the key vault named Contoso. + + Example 4: Get a specific version of a specific secret PS C:\>Get-AzureKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret' -Version '6A12A286385949DB8B5F82AFEF85CAE9' This command gets a specific version of the secret named ITSecret in the key vault named Contoso. + + Example 5: Get the plain text value of the current version of a specific secret @@ -1808,6 +2027,8 @@ Updated : 2/8/2016 11:10:29 PM PS C:\> Write-Host "Secret Value is: " $secret.SecretValueText These commands get the current version of a secret named ITSecret, and then displays the plain text value of that secret. + + 
@@ -1916,18 +2137,24 @@ PS C:\> Write-Host "Secret Value is: " $secret.SecretValueText PS C:\>Get-AzureRMKeyVault This command gets all the key vaults in your current subscription. + + Example 2: Get a specific key vault PS C:\>$MyVault = Get-AzureRMKeyVault -VaultName 'Contoso03Vault' This command gets the key vault named Contoso03Vault in your current subscription, and then stores it in the $MyVault variable. You can inspect the properties of $MyVault to get details about the key vault. + + Example 3: Get key vaults in a resource group PS C:\>Get-AzureRMKeyVault -ResourceGroupName 'ContosoPayRollResourceGroup' This command gets all the key vaults in the resource group named ContosoPayRollResourceGroup. + + @@ -1954,9 +2181,9 @@ PS C:\> Write-Host "Secret Value is: " $secret.SecretValueText You can create the certificate to import by using one of the following methods: --- Use the Add-AzureKeyVaultCertificate cmdlet to create a certificate signing request and submit it to a certificate authority. +- Use the New-AzureKeyVaultCertificateSigningRequest cmdlet to create a certificate signing request and submit it to a certificate authority. --- Use an existing certificate package file, such as a .pfx or .p12 file, which contains both the certificate and private key. +- Use an existing certificate package file, such as a .pfx or .p12 file, which contains both the certificate and private key. Import-AzureKeyVaultCertificate @@ -1996,7 +2223,7 @@ PS C:\> Write-Host "Secret Value is: " $secret.SecretValueText False Tag -A hashtable representing certificate tags. +Specifies a hash table that contains certificate tags. Hashtable @@ -2059,7 +2286,7 @@ PS C:\> Write-Host "Secret Value is: " $secret.SecretValueText False Tag -A hashtable representing certificate tags. +Specifies a hash table that contains certificate tags. Hashtable 
@@ -2113,7 +2340,7 @@ PS C:\> Write-Host "Secret Value is: " $secret.SecretValueText False Tag -A hashtable representing certificate tags. +Specifies a hash table that contains certificate tags. Hashtable @@ -2176,7 +2403,7 @@ PS C:\> Write-Host "Secret Value is: " $secret.SecretValueText False Tag -A hashtable representing certificate tags. +Specifies a hash table that contains certificate tags. Hashtable @@ -2258,7 +2485,7 @@ PS C:\> Write-Host "Secret Value is: " $secret.SecretValueText False Tag -A hashtable representing certificate tags. +Specifies a hash table that contains certificate tags. Hashtable @@ -2319,6 +2546,8 @@ Updated : 2/8/2016 11:50:43 PM The second command imports the certificate named ImportCert01 into the CosotosoKV01 key vault. + + @@ -2464,6 +2693,8 @@ Updated : 2/8/2016 11:50:43 PM PS C:\>$AdminDetails = New-AzureKeyVaultCertificateAdministratorDetails -FirstName "Patti" -LastName "Fuller" -EmailAddress "patti.fuller@contoso.com" -PhoneNumber "5553334444" This command creates an in-memory certificate administrator details object, and then stores it in the $AdminDetails variable. + + @@ -2576,6 +2807,8 @@ $OrgDetails = New-AzureKeyVaultCertificateOrganizationDetails -Name "Contoso" -A The second command creates a certificate organization details object, and then stores it in the $OrgDetails variable. + + @@ -2660,9 +2893,9 @@ $OrgDetails = New-AzureKeyVaultCertificateOrganizationDetails -Name "Contoso" -A KeyType Specifies the key type of the key that backs the certificate. The acceptable values for this parameter are: --- RSA +- RSA --- RSA-HSM +- RSA-HSM RSA @@ -2674,7 +2907,7 @@ $OrgDetails = New-AzureKeyVaultCertificateOrganizationDetails -Name "Contoso" -A None KeyUsage -@{Text=} +Specifies the key usages in the certificate. System.Collections.Generic.List`1[System.String] 
@@ -2711,9 +2944,9 @@ $OrgDetails = New-AzureKeyVaultCertificateOrganizationDetails -Name "Contoso" -A SecretContentType Specifies the content type of the new key vault secret. The acceptable values for this parameter are: --- application/x-pkcs12 +- application/x-pkcs12 --- application/x-pem-file +- application/x-pem-file application/x-pkcs12 @@ -2835,9 +3068,9 @@ $OrgDetails = New-AzureKeyVaultCertificateOrganizationDetails -Name "Contoso" -A KeyType Specifies the key type of the key that backs the certificate. The acceptable values for this parameter are: --- RSA +- RSA --- RSA-HSM +- RSA-HSM String @@ -2846,7 +3079,7 @@ $OrgDetails = New-AzureKeyVaultCertificateOrganizationDetails -Name "Contoso" -A None KeyUsage -@{Text=} +Specifies the key usages in the certificate. System.Collections.Generic.List`1[System.String] @@ -2884,9 +3117,9 @@ $OrgDetails = New-AzureKeyVaultCertificateOrganizationDetails -Name "Contoso" -A SecretContentType Specifies the content type of the new key vault secret. The acceptable values for this parameter are: --- application/x-pkcs12 +- application/x-pkcs12 --- application/x-pem-file +- application/x-pem-file String @@ -2950,6 +3183,8 @@ $OrgDetails = New-AzureKeyVaultCertificateOrganizationDetails -Name "Contoso" -A PS C:\>New-AzureKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" -SubjectName "CN=contoso.com" -IssuerName "Self" -ValidityInMonths 6 -ReuseKeyOnRenewal This command creates a certificate policy that is valid for six months and reuses the key to renew the certificate. + + 
@@ -2994,7 +3229,7 @@ $OrgDetails = New-AzureKeyVaultCertificateOrganizationDetails -Name "Contoso" -A None Location -Specifies the Azure region in which to create the key vault. Use the command Get-AzureLocation to see your choices. For more information, type Get-Help Get-AzureLocation. +Specifies the Azure region in which to create the key vault. Use the command Get-AzureLocation (https://msdn.microsoft.com/ library/azure/mt589064.aspx) to see your choices. For more information, type `Get-Help Get-AzureLocation`. String @@ -3093,7 +3328,7 @@ $OrgDetails = New-AzureKeyVaultCertificateOrganizationDetails -Name "Contoso" -A False Location -Specifies the Azure region in which to create the key vault. Use the command Get-AzureLocation to see your choices. For more information, type Get-Help Get-AzureLocation. +Specifies the Azure region in which to create the key vault. Use the command Get-AzureLocation (https://msdn.microsoft.com/ library/azure/mt589064.aspx) to see your choices. For more information, type `Get-Help Get-AzureLocation`. String @@ -3172,12 +3407,16 @@ $OrgDetails = New-AzureKeyVaultCertificateOrganizationDetails -Name "Contoso" -A PS C:\>New-AzureRmKeyVault -VaultName 'Contoso03Vault' -ResourceGroupName 'Group14' -Location 'East US' This command creates a key vault named Contoso03Vault, in the Azure region East US. The command adds the key vault to the resource group named Group14. Because the command does not specify a value for the SKU parameter, it creates a Standard key vault. + + Example 2: Create a Premium key vault PS C:\>New-AzureRmKeyVault -VaultName 'Contoso03Vault' -ResourceGroupName 'Group14' -Location 'East US' -Sku 'Premium' This command creates a key vault, just like the previous example. However, it specifies a value of Premium for the SKU parameter to create a Premium key vault. + + 
@@ -3239,7 +3478,7 @@ $OrgDetails = New-AzureKeyVaultCertificateOrganizationDetails -Name "Contoso" -A False Confirm -Prompts you for confirmation before running the cmdlet.Prompts you for confirmation before running the cmdlet. +Prompts you for confirmation before running the cmdlet. SwitchParameter @@ -3293,7 +3532,7 @@ $OrgDetails = New-AzureKeyVaultCertificateOrganizationDetails -Name "Contoso" -A None Confirm -Prompts you for confirmation before running the cmdlet.Prompts you for confirmation before running the cmdlet. +Prompts you for confirmation before running the cmdlet. SwitchParameter @@ -3334,6 +3573,8 @@ Created : 2/8/2016 11:29:33 PM Updated : 2/8/2016 11:29:33 PM This command removes the certificate named SelfSigned01 from the key vault named ContosoKV01. This command specifies the Force parameter. Therefore, the cmdlet does not prompt you for confirmation. + + @@ -3460,6 +3701,8 @@ Updated : 2/8/2016 11:29:33 PM PS C:\>Remove-AzureKeyVaultCertificateContact -VaultName "Contoso01" -EmailAddress "patti.fuller@contoso.com" This command removes Patti Fuller as a certificate contact for the Contoso01 key vault. + + @@ -3518,7 +3761,7 @@ Updated : 2/8/2016 11:29:33 PM False Confirm -Prompts you for confirmation before running the cmdlet.Prompts you for confirmation before running the cmdlet. +Prompts you for confirmation before running the cmdlet. SwitchParameter @@ -3572,7 +3815,7 @@ Updated : 2/8/2016 11:29:33 PM None Confirm -Prompts you for confirmation before running the cmdlet.Prompts you for confirmation before running the cmdlet. +Prompts you for confirmation before running the cmdlet. SwitchParameter 
@@ -3600,13 +3843,15 @@ Updated : 2/8/2016 11:29:33 PM PS C:\>Remove-AzureKeyVaultCertificateIssuer -VaultName "ContosoKV01" -Name "TestIssuer01" -Force This command removes the certificate issuer named TestIssuer01 from the ContosoKV01 key vault. + + -Set-AzureKeyVaultCertificateIssuer +Get-AzureKeyVaultCertificateIssuer -Get-AzureKeyVaultCertificateIssuer +Set-AzureKeyVaultCertificateIssuer Set-AzureKeyVaultCertificateIssuer @@ -3661,7 +3906,7 @@ Updated : 2/8/2016 11:29:33 PM False Confirm -Prompts you for confirmation before running the cmdlet.Prompts you for confirmation before running the cmdlet. +Prompts you for confirmation before running the cmdlet. SwitchParameter @@ -3715,7 +3960,7 @@ Updated : 2/8/2016 11:29:33 PM None Confirm -Prompts you for confirmation before running the cmdlet.Prompts you for confirmation before running the cmdlet. +Prompts you for confirmation before running the cmdlet. SwitchParameter @@ -3743,6 +3988,8 @@ Updated : 2/8/2016 11:29:33 PM PS C:\>Remove-AzureKeyVaultCertificateOperation -VaultName "ContosoKV01" -Name "TestCert01" -Force This command removes the certificate operation named TestCert01 from the ContosoKV01 key vault without prompting for confirmation. + + 
@@ -3758,152 +4005,219 @@ Updated : 2/8/2016 11:29:33 PM Remove-AzureKeyVaultKey Remove AzureKeyVaultKey -Deletes a key in a key vault. - - +Deletes a key in a key vault. -The Remove-AzureKeyVaultKey cmdlet deletes a key in a key vault. This cmdlet has a value of high for the ConfirmImpact property. - - -Remove-AzureKeyVaultKey -VaultName -Specifies the name of the key vault from which to remove the key. This cmdlet constructs the FQDN of a key vault based on the name that this parameter specifies and your current environment. - - -String -String - +The Remove-AzureKeyVaultKey cmdlet deletes a key in a key vault. This cmdlet has a value of high for the ConfirmImpact property. + + +Remove-AzureKeyVaultKey + +VaultName + Specifies the name of the key vault from which to remove the key. This cmdlet constructs the FQDN of a key vault based on the name that this parameter specifies and your current environment. +String + +String + + None -Name -Specifies the name of the key to remove. This cmdlet constructs the fully qualified domain name (FQDN) of a key based on the name that this parameter specifies, the name of the key vault, and your current environment. - - + +Name + Specifies the name of the key to remove. This cmdlet constructs the fully qualified domain name (FQDN) of a key based on the name that this parameter specifies, the name of the key vault, and your current environment. String -String - + +String + + None -Force -Forces the command to run without asking for user confirmation. + +Force + + + Forces the command to run without asking for user confirmation. -SwitchParameter - + +SwitchParameter + + False -PassThru -Indicates that this cmdlet returns a Microsoft.Azure.Commands.KeyVault.Models.KeyBundle object. By default, this cmdlet does not generate any output. + +PassThru + + + Indicates that this cmdlet returns a Microsoft.Azure.Commands.KeyVault.Models.KeyBundle object. By default, this cmdlet does not generate any output. 
-SwitchParameter - + +SwitchParameter + + False -Confirm -Prompts you for confirmation before running the cmdlet.Prompts you for confirmation before running the cmdlet. + +Confirm + + + Prompts you for confirmation before running the cmdlet.Prompts you for confirmation before running the cmdlet. -SwitchParameter - + +SwitchParameter + + False -WhatIf -Shows what would happen if the cmdlet runs. The cmdlet is not run.Shows what would happen if the cmdlet runs. The cmdlet is not run. + +WhatIf + + + Shows what would happen if the cmdlet runs. The cmdlet is not run.Shows what would happen if the cmdlet runs. The cmdlet is not run. -SwitchParameter - + +SwitchParameter + + False -Force -Forces the command to run without asking for user confirmation. + + +Force + + +Forces the command to run without asking for user confirmation. SwitchParameter -SwitchParameter - + +SwitchParameter + + False -Name -Specifies the name of the key to remove. This cmdlet constructs the fully qualified domain name (FQDN) of a key based on the name that this parameter specifies, the name of the key vault, and your current environment. + +Name + + +Specifies the name of the key to remove. This cmdlet constructs the fully qualified domain name (FQDN) of a key based on the name that this parameter specifies, the name of the key vault, and your current environment. String -String - + +String + + None -PassThru -Indicates that this cmdlet returns a Microsoft.Azure.Commands.KeyVault.Models.KeyBundle object. By default, this cmdlet does not generate any output. + +PassThru + + +Indicates that this cmdlet returns a Microsoft.Azure.Commands.KeyVault.Models.KeyBundle object. By default, this cmdlet does not generate any output. SwitchParameter -SwitchParameter - + +SwitchParameter + + False -VaultName -Specifies the name of the key vault from which to remove the key. This cmdlet constructs the FQDN of a key vault based on the name that this parameter specifies and your current environment. 
+ +VaultName + + +Specifies the name of the key vault from which to remove the key. This cmdlet constructs the FQDN of a key vault based on the name that this parameter specifies and your current environment. String -String - + +String + + None -Confirm -Prompts you for confirmation before running the cmdlet.Prompts you for confirmation before running the cmdlet. + +Confirm + + +Prompts you for confirmation before running the cmdlet.Prompts you for confirmation before running the cmdlet. SwitchParameter -SwitchParameter - + +SwitchParameter + + False -WhatIf -Shows what would happen if the cmdlet runs. The cmdlet is not run.Shows what would happen if the cmdlet runs. The cmdlet is not run. + +WhatIf + + +Shows what would happen if the cmdlet runs. The cmdlet is not run.Shows what would happen if the cmdlet runs. The cmdlet is not run. SwitchParameter -SwitchParameter - + +SwitchParameter + + False -String + + + +String - + + -Microsoft.Azure.Commands.KeyVault.Models.KeyBundle + + + +Microsoft.Azure.Commands.KeyVault.Models.KeyBundle -This cmdlet returns a value only if you specify the PassThru parameter. + + +This cmdlet returns a value only if you specify the PassThru parameter. - + + + -Example 1: Remove a key from a key vault + + +Example 1: Remove a key from a key vault PS C:\>Remove-AzureKeyVaultKey -VaultName 'Contoso' -Name 'ITSoftware' -This command removes the key named ITSoftware from the key vault named Contoso. + + +This command removes the key named ITSoftware from the key vault named Contoso. - - -Example 2: Remove a key without user confirmation +Example 2: Remove a key without user confirmation PS C:\>Remove-AzureKeyVaultKey -VaultName 'Contoso' -Name 'ITSoftware' -Force -Confirm:$False -This command removes the key named ITSoftware from the key vault named Contoso. The command specifies the Force and Confirm parameters, and, therefore, the cmdlet does not prompt you for confirmation. 
+ + +This command removes the key named ITSoftware from the key vault named Contoso. The command specifies the Force and Confirm parameters, and, therefore, the cmdlet does not prompt you for confirmation. -Example 3: Remove keys by using the pipeline operator + +Example 3: Remove keys by using the pipeline operator PS C:\>Get-AzureKeyVaultKey -VaultName 'Contoso' | Where-Object {$_.Attributes.Enabled -eq $False} | Remove-AzureKeyVaultKey This command gets all the keys in the key vault named Contoso, and passes them to the Where-Object cmdlet by using the pipeline operator. That cmdlet passes the keys that have a value of $False for the Enabled attribute to the current cmdlet. That cmdlet removes those keys. @@ -3971,7 +4285,7 @@ Updated : 2/8/2016 11:29:33 PM False Confirm -Prompts you for confirmation before running the cmdlet.Prompts you for confirmation before running the cmdlet. +Prompts you for confirmation before running the cmdlet. SwitchParameter @@ -4025,7 +4339,7 @@ Updated : 2/8/2016 11:29:33 PM None Confirm -Prompts you for confirmation before running the cmdlet.Prompts you for confirmation before running the cmdlet. +Prompts you for confirmation before running the cmdlet. SwitchParameter @@ -4065,12 +4379,16 @@ Updated : 2/8/2016 11:29:33 PM PS C:\>Remove-AzureKeyVaultSecret -VaultName 'Contoso' -Name 'FinanceSecret' This command removes the secret named FinanceSecret from the key vault named Contoso.' + + Example 2: Remove a secret from a key vault without user confirmation PS C:\>Remove-AzureKeyVaultSecret -VaultName 'Contoso' -Name 'FinanceSecret' -Force -Confirm:$False This command removes the secret named FinanceSecret from the key vault named Contoso. The command specifies the Force and Confirm parameters, and, therefore, the cmdlet does not prompt you for confirmation. + + 
@@ -4126,7 +4444,7 @@ Updated : 2/8/2016 11:29:33 PM False Confirm -Prompts you for confirmation before running the cmdlet.Prompts you for confirmation before running the cmdlet. +Prompts you for confirmation before running the cmdlet. SwitchParameter @@ -4171,7 +4489,7 @@ Updated : 2/8/2016 11:29:33 PM None Confirm -Prompts you for confirmation before running the cmdlet.Prompts you for confirmation before running the cmdlet. +Prompts you for confirmation before running the cmdlet. SwitchParameter @@ -4199,12 +4517,16 @@ Updated : 2/8/2016 11:29:33 PM PS C:\>Remove-AzureRmKeyVault -VaultName "Contoso03Vault" This command removes the key vault named Contoso03Vault from your current subscription. + + Example 2: Remove a key vault from a specified resource group PS C:\>Remove-AzureRmKeyVault -VaultName "Contoso03Vault" -ResourceGroupName "Group14" This command removes the key vault named Contoso03Vault from the named resource group. If you do not specify the resource group name, the cmdlet searches for the named key vault to delete in your current subscription. + + @@ -4227,7 +4549,7 @@ Updated : 2/8/2016 11:29:33 PM -The Remove-AzureRmKeyVaultAccessPolicy cmdlet removes all permissions for a user or application or for all users and applications from a key vault.. Even if you remove all permissions, the owner of the Azure subscription that contains the key vault can add permissions to the key vault. +The Remove-AzureRmKeyVaultAccessPolicy cmdlet removes all permissions for a user or application or for all users and applications from a key vault. Even if you remove all permissions, the owner of the Azure subscription that contains the key vault can add permissions to the key vault. Note that although specifying the resource group is optional for this cmdlet, you should do so for better performance. 
@@ -4594,24 +4916,32 @@ Updated : 2/8/2016 11:29:33 PM PS C:\>Remove-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -UserPrincipalName 'PattiFuller@contoso.com' This command removes all the permissions that a user PattiFuller@contoso.com has on the key vault named Contoso03Vault. + + Example 2: Remove permissions for an application PS C:\>Remove-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ServicePrincipalName 'http://payroll.contoso.com' This command removes all the permissions that an application has on the key vault named Contoso03Vault. This example identifies the application by using the service principal name registered in Azure Active Directory, http://payroll.contoso.com. + + Example 3: Remove permissions for an application by using its object ID PS C:\>Remove-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ObjectID 34595082-9346-41b6-8d6b-295a2808b8db This command removes all the permissions that an application has on the key vault named Contoso03Vault. This example identifies the application by the object ID of the service principal. + + Example 4: Remove permissions for the Microsoft.Compute resource provider PS C:\>Remove-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ResourceGroupName 'Group14' -EnabledForDeployment This command removes permission for the Microsoft.Compute resource provider to get secrets from the Contoso03Vault. + + @@ -4720,6 +5050,8 @@ Updated : 2/8/2016 11:29:33 PM PS C:\>Restore-AzureKeyVaultKey -VaultName 'MyKeyVault' -InputFile "C:\Backup.blob" This command restores a key, including all of its versions, from the backup file named Backup.blob into the key vault named MyKeyVault. + + 
@@ -4741,6 +5073,125 @@ Updated : 2/8/2016 11:29:33 PM +Restore-AzureKeyVaultSecret +Restore +AzureKeyVaultSecret +Creates a secret in a key vault from a backed-up secret. + + + +The Restore-AzureKeyVaultSecret cmdlet creates a secret in the specified key vault. This secret is a replica of the backed-up secret in the input file and has the same name as the original secret. If the key vault already has a secret by the same name, this cmdlet fails instead of overwriting the original secret. If the backup contains multiple versions of a secret, all versions are restored. + +The key vault that you restore the secret into can be different from the key vault that you backed up the secret from. However, the key vault must use the same subscription and be in an Azure region in the same geography (for example, North America). See the Microsoft Azure Trust Center (https://azure.microsoft.com/support/trust-center/) for the mapping of Azure regions to geographies. + + +Restore-AzureKeyVaultSecret +VaultName +Specifies the name of the key vault into which to restore the secret. + + +String +String + +None + +InputFile +Specifies the input file that contains the backup of the secret to restore. + + +String +String + +None + +Confirm +Prompts you for confirmation before running the cmdlet. + + +SwitchParameter + +False + +WhatIf +Shows what would happen if the cmdlet runs. The cmdlet is not run. + + +SwitchParameter + +False + + + +InputFile +Specifies the input file that contains the backup of the secret to restore. + + +String +String + +None + +VaultName +Specifies the name of the key vault into which to restore the secret. + + +String +String + +None + +Confirm +Prompts you for confirmation before running the cmdlet. + + +SwitchParameter +SwitchParameter + +False + +WhatIf +Shows what would happen if the cmdlet runs. The cmdlet is not run. 
+ + +SwitchParameter +SwitchParameter + +False + + + + + + + + +Example 1: Restore a backed-up secret +PS C:\>Restore-AzureKeyVaultSecret -VaultName 'MyKeyVault' -InputFile "C:\Backup.blob" +This command restores a secret, including all of its versions, from the backup file named Backup.blob into the key vault named MyKeyVault. + + + + + + +Online Version: +http://go.microsoft.com/fwlink/?LinkId=690301 + +Set-AzureKeyVaultSecret + + +Backup-AzureKeyVaultSecret + + +Get-AzureKeyVaultSecret + + +Remove-AzureKeyVaultSecret + + + + + Set-AzureKeyVaultCertificateAttribute Set AzureKeyVaultCertificateAttribute @@ -4805,7 +5256,7 @@ Updated : 2/8/2016 11:29:33 PM False Tag -A hashtable representing certificate tags. If not specified, the existing tags of the sertificate remain unchanged. Remove a tag by specifying an empty Hashtable. +Specifies a hash table that contains certificate tags. If not specified, the existing tags of the sertificate remain unchanged. Remove a tag by specifying an empty Hashtable. Hashtable @@ -4878,7 +5329,7 @@ Updated : 2/8/2016 11:29:33 PM False Tag -A hashtable representing certificate tags. If not specified, the existing tags of the sertificate remain unchanged. Remove a tag by specifying an empty Hashtable. +Specifies a hash table that contains certificate tags. If not specified, the existing tags of the sertificate remain unchanged. Remove a tag by specifying an empty Hashtable. Hashtable @@ -4939,6 +5390,8 @@ Updated : 8/1/2016 5:37:48 PM The final command displays the TestCert01 certificate by using the Get-AzureKeyVaultCertificate cmdlet to verify the operation. + + @@ -5196,6 +5649,8 @@ Updated : 8/1/2016 5:37:48 PM PS C:\>$Issuer = Set-AzureKeyVaultCertificateIssuer -VaultName "Contosokv01" -Name "TestIssuer01" -IssuerProvider "Test" -AccountId "555" -ApiKey $Password -OrganizationDetails $OrgDetails -PassThru This command sets the properties for a certificate issuer, and then stores it in the $Issuer variable. + + 
@@ -5267,9 +5722,9 @@ Updated : 8/1/2016 5:37:48 PM KeyType Specifies the key type of the key that backs the certificate. The acceptable values for this parameter are: --- RSA +- RSA --- RSA-HSM +- RSA-HSM RSA @@ -5388,9 +5843,9 @@ Updated : 8/1/2016 5:37:48 PM KeyType Specifies the key type of the key that backs the certificate. The acceptable values for this parameter are: --- RSA +- RSA --- RSA-HSM +- RSA-HSM RSA @@ -5402,7 +5857,7 @@ Updated : 8/1/2016 5:37:48 PM None KeyUsage -@{Text=} +Specifies the key usages in the certificate. System.Collections.Generic.List`1[System.String] @@ -5448,9 +5903,9 @@ Updated : 8/1/2016 5:37:48 PM SecretContentType Specifies the content type of the new key vault secret. The acceptable values for this parameter are: --- application/x-pkcs12 +- application/x-pkcs12 --- application/x-pem-file +- application/x-pem-file application/x-pkcs12 @@ -5581,9 +6036,9 @@ Updated : 8/1/2016 5:37:48 PM KeyType Specifies the key type of the key that backs the certificate. The acceptable values for this parameter are: --- RSA +- RSA --- RSA-HSM +- RSA-HSM String @@ -5592,7 +6047,7 @@ Updated : 8/1/2016 5:37:48 PM None KeyUsage -@{Text=} +Specifies the key usages in the certificate. System.Collections.Generic.List`1[System.String] @@ -5648,9 +6103,9 @@ Updated : 8/1/2016 5:37:48 PM SecretContentType Specifies the content type of the new key vault secret. The acceptable values for this parameter are: --- application/x-pkcs12 +- application/x-pkcs12 --- application/x-pem-file +- application/x-pem-file String @@ -5729,6 +6184,8 @@ Updated : 8/1/2016 5:37:48 PM PS C:\>Set-AzureKeyVaultCertificatePolicy -VaultName "ContosoKV01" -Name "TestCert01" -SecretContentType "application/x-pkcs12" -SubjectName "CN=contoso.com" -IssuerName "Self" -ValidityInMonths 6 -ReuseKeyOnRenewal $True This command sets the policy for the TestCert01 certificate in the ContosoKV01 key vault. + + 
@@ -5789,7 +6246,7 @@ Updated : 8/1/2016 5:37:48 PM None Expires -Specifies the expiration time, as a DateTime object, for the key that this cmdlet updates. This parameter uses Coordinated Universal Time (UTC). To obtain a DateTime object, use the Get-Date cmdlet. For more information, type Get-Help Get-Date. +Specifies the expiration time, as a DateTime object, for the key that this cmdlet updates. This parameter uses Coordinated Universal Time (UTC). To obtain a DateTime object, use the Get-Date cmdlet. For more information, type `Get-Help Get-Date`. DateTime @@ -5802,21 +6259,21 @@ Updated : 8/1/2016 5:37:48 PM The acceptable values for this parameter are a comma-separated list of key operations as defined by the JSON Web Key specification. These values (case-sensitive) are: --- encrypt +- encrypt --- decrypt +- decrypt --- wrap +- wrap --- unwrap +- unwrap --- sign +- sign --- verify +- verify --- backup +- backup --- restore +- restore String[] @@ -5850,7 +6307,7 @@ Updated : 8/1/2016 5:37:48 PM False Tag -A hashtable represents key tags. If not specified, the existings tags of the key remain unchanged. +Specifies a hash table that contains certificate tags. If not specified, the existings tags of the key remain unchanged. Hashtable @@ -5878,7 +6335,7 @@ Updated : 8/1/2016 5:37:48 PM None Expires -Specifies the expiration time, as a DateTime object, for the key that this cmdlet updates. This parameter uses Coordinated Universal Time (UTC). To obtain a DateTime object, use the Get-Date cmdlet. For more information, type Get-Help Get-Date. +Specifies the expiration time, as a DateTime object, for the key that this cmdlet updates. This parameter uses Coordinated Universal Time (UTC). To obtain a DateTime object, use the Get-Date cmdlet. For more information, type `Get-Help Get-Date`. DateTime 
@@ -5891,21 +6348,21 @@ Updated : 8/1/2016 5:37:48 PM The acceptable values for this parameter are a comma-separated list of key operations as defined by the JSON Web Key specification. These values (case-sensitive) are: --- encrypt +- encrypt --- decrypt +- decrypt --- wrap +- wrap --- unwrap +- unwrap --- sign +- sign --- verify +- verify --- backup +- backup --- restore +- restore String[] @@ -5968,7 +6425,7 @@ Updated : 8/1/2016 5:37:48 PM False Tag -A hashtable represents key tags. If not specified, the existings tags of the key remain unchanged. +Specifies a hash table that contains certificate tags. If not specified, the existings tags of the key remain unchanged. Hashtable @@ -6008,18 +6465,22 @@ Updated : 8/1/2016 5:37:48 PM PS C:\>$Expires = (Get-Date).AddYears(2).ToUniversalTime() PS C:\> $Tags = @{'Severity' = 'high'; 'Accounting' = null} PS C:\> Set-AzureKeyVaultKeyAttribute -VaultName 'Contoso' -Name 'ITSoftware' -Expires $Expires -Enable $True -Tags $Tags -PassThru -The first command creates a DateTime object by using the Get-Date cmdlet. That object specifies a time two years in the future. The command stores that date in the $Expires variable. For more information, type Get-Help Get-Date. +The first command creates a DateTime object by using the Get-Date cmdlet. That object specifies a time two years in the future. The command stores that date in the $Expires variable. For more information, type `Get-Help Get-Date`. The second command creates a variable to store tag values of high severity and Accounting. The final command modifies a key named ITSoftware. The command enables the key, sets its expiration time to the time stored in $Expires, and sets the tags that are stored in $Tags. + + Example 2: Modify a key to delete all tags PS C:\>Set-AzureKeyVaultKeyAttribute -VaultName 'Contoso' -Name 'ITSoftware' -Version '7EEA45C6EE50490B9C3176F80AC1A0DG' -Tags @{} This commands deletes all tags for a specific version of a key named ITSoftware. + + 
@@ -6068,7 +6529,7 @@ PS C:\> Set-AzureKeyVaultKeyAttribute -VaultName 'Contoso' -Name 'ITSoftware' None SecretValue -Specifies the value for the secret as a SecureString object. To obtain a SecureString object, use the ConvertTo-SecureString cmdlet. For more information, type Get-Help ConvertTo-SecureString. +Specifies the value for the secret as a SecureString object. To obtain a SecureString object, use the ConvertTo-SecureString cmdlet. For more information, type `Get-Help ConvertTo-SecureString`. SecureString @@ -6094,7 +6555,7 @@ PS C:\> Set-AzureKeyVaultKeyAttribute -VaultName 'Contoso' -Name 'ITSoftware' False Expires -Specifies the expiration time, as a DateTime object, for the secret that this cmdlet updates. This parameter uses Coordinated Universal Time (UTC). To obtain a DateTime object, use the Get-Date cmdlet. For more information, type Get-Help Get-Date. +Specifies the expiration time, as a DateTime object, for the secret that this cmdlet updates. This parameter uses Coordinated Universal Time (UTC). To obtain a DateTime object, use the Get-Date cmdlet. For more information, type `Get-Help Get-Date`. DateTime @@ -6120,7 +6581,7 @@ PS C:\> Set-AzureKeyVaultKeyAttribute -VaultName 'Contoso' -Name 'ITSoftware' False Tag -A hashtable representing secret tags. +Specifies a hash table that contains certificate tags. Hashtable @@ -6157,7 +6618,7 @@ PS C:\> Set-AzureKeyVaultKeyAttribute -VaultName 'Contoso' -Name 'ITSoftware' False Expires -Specifies the expiration time, as a DateTime object, for the secret that this cmdlet updates. This parameter uses Coordinated Universal Time (UTC). To obtain a DateTime object, use the Get-Date cmdlet. For more information, type Get-Help Get-Date. +Specifies the expiration time, as a DateTime object, for the secret that this cmdlet updates. This parameter uses Coordinated Universal Time (UTC). To obtain a DateTime object, use the Get-Date cmdlet. For more information, type `Get-Help Get-Date`. DateTime 
@@ -6184,7 +6645,7 @@ PS C:\> Set-AzureKeyVaultKeyAttribute -VaultName 'Contoso' -Name 'ITSoftware' None SecretValue -Specifies the value for the secret as a SecureString object. To obtain a SecureString object, use the ConvertTo-SecureString cmdlet. For more information, type Get-Help ConvertTo-SecureString. +Specifies the value for the secret as a SecureString object. To obtain a SecureString object, use the ConvertTo-SecureString cmdlet. For more information, type `Get-Help ConvertTo-SecureString`. SecureString @@ -6211,7 +6672,7 @@ PS C:\> Set-AzureKeyVaultKeyAttribute -VaultName 'Contoso' -Name 'ITSoftware' False Tag -A hashtable representing secret tags. +Specifies a hash table that contains certificate tags. Hashtable @@ -6250,10 +6711,12 @@ PS C:\> Set-AzureKeyVaultKeyAttribute -VaultName 'Contoso' -Name 'ITSoftware' Example 1: Modify the value of a secret using default attributes PS C:\>$Secret = ConvertTo-SecureString -String 'Password' -AsPlainText -Force PS C:\> Set-AzureKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret' -SecretValue $Secret -The first command converts a string into a secure string by using the ConvertTo-SecureString cmdlet, and then stores that string in the $Secret variable. For more information, type Get-Help ConvertTo-SecureString. +The first command converts a string into a secure string by using the ConvertTo-SecureString cmdlet, and then stores that string in the $Secret variable. For more information, type `Get-Help ConvertTo-SecureString`. The second command modifies value of the secret named ITSecret in the key vault named Contoso. The secret value becomes the value stored in $Secret. + + Example 2: Modify the value of a secret using custom attributes 
@@ -6263,12 +6726,14 @@ PS C:\> $NBF =(Get-Date).ToUniversalTime() PS C:\> $Tags = @{ 'Severity' = 'medium'; 'IT' = null } PS C:\> $ContentType = 'txt' PS C:\> Set-AzureKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret' -SecretValue $Secret -Expires $Expires -NotBefore $NBF -ContentType $ContentType -Disable $False -Tags $Tags -The first command converts a string into a secure string by using the ConvertTo-SecureString cmdlet, and then stores that string in the $Secret variable. For more information, type Get-Help ConvertTo-SecureString. +The first command converts a string into a secure string by using the ConvertTo-SecureString cmdlet, and then stores that string in the $Secret variable. For more information, type `Get-Help ConvertTo-SecureString`. The next commands define custom attributes for the expiry date, tags, and context type, and store the attributes in variables. The final command modifies values of the secret named ITSecret in the key vault named Contoso, by using the values specified previously as variables. + + @@ -6375,7 +6840,7 @@ PS C:\> Set-AzureKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret' -Secret False Tag -A hashtable representing secret tags. If not specified, the existing tags of the secret remain unchanged. Remove a tag by specifying an empty Hashtable. +Specifies a hash table that contains certificate tags. If not specified, the existing tags of the secret remain unchanged. Remove a tag by specifying an empty Hashtable. Hashtable @@ -6475,7 +6940,7 @@ PS C:\> Set-AzureKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret' -Secret False Tag -A hashtable representing secret tags. If not specified, the existing tags of the secret remain unchanged. Remove a tag by specifying an empty Hashtable. +Specifies a hash table that contains certificate tags. If not specified, the existing tags of the secret remain unchanged. Remove a tag by specifying an empty Hashtable. Hashtable 
@@ -6521,12 +6986,16 @@ PS C:\> Set-AzureKeyVaultSecretAttribute -VaultName 'ContosoVault' -Name 'HR' The final command modifies the attributes for the secret named HR in the key vault named ContosoVault, using the stored variables. + + Example 2: Delete the tags and content type for a secret PS C:\>Set-AzureKeyVaultSecretAttribute -VaultName 'ContosoVault' -Name 'HR' -Version '9EEA45C6EE50490B9C3176A80AC1A0DF' -ContentType '' -Tags -@{} This command deletes the tags and the content type for the specified version of the secret named HR in the key vault named Contoso. + + Example 3: Disable the current version of secrets whose name begins with IT @@ -6539,6 +7008,8 @@ PS C:\> Get-AzureKeyVaultSecret $Vault | Where-Object {$_.Name -like $Prefix The third command uses the Get-AzureKeyVaultSecret cmdlet to get the secrets in the specified key vault, and then passes those secrets to the Where-Object cmdlet. The Where-Object cmdlet filters the secrets for names that begin with the characters IT. The command pipes the secrets that match the filter to the Set-AzureKeyVaultSecretAttribute cmdlet, which disables them. + + Example 4: Set the ContentType for all versions of a secret 
@@ -6546,8 +7017,10 @@ PS C:\> Get-AzureKeyVaultSecret $Vault | Where-Object {$_.Name -like $Prefix PS C:\> $Name = 'HR' PS C:\> $ContentType = 'xml' PS C:\> Get-AzureKeyVaultKey -VaultName $VaultName -Name $Name -IncludeVersions | Set-AzureKeyVaultSecretAttribute -ContentType $ContentType -The first three commands define string variables to use for the VaultName, Name, and ContentType parameters. The fourth command uses the Get-AzureKeyVaultKey cmdlet to get the specified keys, and pipes the keys to the Set-AzureKeyVaultSecretAttribute cmdlet to set their content type to XML. +The first three commands define string variables to use for the VaultName , Name , and ContentType parameters. The fourth command uses the Get-AzureKeyVaultKey cmdlet to get the specified keys, and pipes the keys to the Set-AzureKeyVaultSecretAttribute cmdlet to set their content type to XML. + + 
@@ -6577,15 +7050,15 @@ PS C:\> Get-AzureKeyVaultKey -VaultName $VaultName -Name $Name -IncludeVersio If you are setting permissions for a security group, this operation affects only users in that security group. -The following directories must all be the same Azure directory: -- The default directory of the Azure subscription in which the key vault resides. +The following directories must all be the same Azure directory: - The default directory of the Azure subscription in which the key vault resides. --- The Azure directory that contains the user or application group that you are granting permissions to. +- The Azure directory that contains the user or application group that you are granting permissions to. Examples of scenarios when these conditions are not met and this cmdlet will not work are: --- Authorizing a user from a different organization to manage your key vault. Each organization has its own directory. -- Your Azure account has multiple directories. If you register an application in a directory other than the default directory, you cannot authorize that application to use your key vault. The application must be in the default directory. +- Authorizing a user from a different organization to manage your key vault. Each organization has its own directory. - Your Azure account has multiple directories. If you register an application in a directory other than the default directory, you cannot authorize that application to use your key vault. The application must be in the default directory. Note that although specifying the resource group is optional for this cmdlet, you should do so for better performance. 
@@ -6668,35 +7141,35 @@ PS C:\> Get-AzureKeyVaultKey -VaultName $VaultName -Name $Name -IncludeVersio PermissionsToKeys Specifies an array of key operation permissions to grant to a user or service principal. The acceptable values for this parameter are: --- Decrypt +- Decrypt --- Encrypt +- Encrypt --- UnwrapKey +- UnwrapKey --- WrapKey +- WrapKey --- Verify +- Verify --- Sign +- Sign --- Get +- Get --- List +- List --- Update +- Update --- Create +- Create --- Import +- Import --- Delete +- Delete --- Backup +- Backup --- Restore +- Restore --- All +- All decrypt @@ -6723,21 +7196,23 @@ PS C:\> Get-AzureKeyVaultKey -VaultName $VaultName -Name $Name -IncludeVersio PermissionsToSecrets Specifies an array of secret operation permissions to grant to a user or service principal. The acceptable values for this parameter are: --- Get +- Get --- List +- List --- Set +- Set --- Delete +- Delete --- All +- All get list set delete +backup +restore all String[] @@ -6882,35 +7357,35 @@ PS C:\> Get-AzureKeyVaultKey -VaultName $VaultName -Name $Name -IncludeVersio PermissionsToKeys Specifies an array of key operation permissions to grant to a user or service principal. The acceptable values for this parameter are: --- Decrypt +- Decrypt --- Encrypt +- Encrypt --- UnwrapKey +- UnwrapKey --- WrapKey +- WrapKey --- Verify +- Verify --- Sign +- Sign --- Get +- Get --- List +- List --- Update +- Update --- Create +- Create --- Import +- Import --- Delete +- Delete --- Backup +- Backup --- Restore +- Restore --- All +- All decrypt @@ -6937,21 +7412,27 @@ PS C:\> Get-AzureKeyVaultKey -VaultName $VaultName -Name $Name -IncludeVersio PermissionsToSecrets Specifies an array of secret operation permissions to grant to a user or service principal. The acceptable values for this parameter are: --- Get +- Get --- List +- List --- Set +- Set --- Delete +- Delete --- All +- Backup + +- Restore + +- All get list set delete +backup +restore all String[] 
@@ -7037,35 +7518,35 @@ PS C:\> Get-AzureKeyVaultKey -VaultName $VaultName -Name $Name -IncludeVersio PermissionsToKeys Specifies an array of key operation permissions to grant to a user or service principal. The acceptable values for this parameter are: --- Decrypt +- Decrypt --- Encrypt +- Encrypt --- UnwrapKey +- UnwrapKey --- WrapKey +- WrapKey --- Verify +- Verify --- Sign +- Sign --- Get +- Get --- List +- List --- Update +- Update --- Create +- Create --- Import +- Import --- Delete +- Delete --- Backup +- Backup --- Restore +- Restore --- All +- All decrypt @@ -7092,15 +7573,15 @@ PS C:\> Get-AzureKeyVaultKey -VaultName $VaultName -Name $Name -IncludeVersio PermissionsToSecrets Specifies an array of secret operation permissions to grant to a user or service principal. The acceptable values for this parameter are: --- Get +- Get --- List +- List --- Set +- Set --- Delete +- Delete --- All +- All get @@ -7216,35 +7697,35 @@ PS C:\> Get-AzureKeyVaultKey -VaultName $VaultName -Name $Name -IncludeVersio PermissionsToKeys Specifies an array of key operation permissions to grant to a user or service principal. The acceptable values for this parameter are: --- Decrypt +- Decrypt --- Encrypt +- Encrypt --- UnwrapKey +- UnwrapKey --- WrapKey +- WrapKey --- Verify +- Verify --- Sign +- Sign --- Get +- Get --- List +- List --- Update +- Update --- Create +- Create --- Import +- Import --- Delete +- Delete --- Backup +- Backup --- Restore +- Restore --- All +- All String[] @@ -7255,15 +7736,19 @@ PS C:\> Get-AzureKeyVaultKey -VaultName $VaultName -Name $Name -IncludeVersio PermissionsToSecrets Specifies an array of secret operation permissions to grant to a user or service principal. The acceptable values for this parameter are: --- Get +- Get + +- List + +- Set --- List +- Delete --- Set +- Backup --- Delete +- Restore --- All +- All String[] 
@@ -7354,30 +7839,40 @@ PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -UserPrin The final command further modifies the existing permissions for PattiFuller@contoso.com to remove all permissions to key operations. The permissions to secret operations remain unchanged after this command. The PassThru parameter results in the updated object being returned by the cmdlet. + + Example 2: Grant permissions for an application service principal to read and write secrets PS C:\>Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ServicePrincipalName 'http://payroll.contoso.com' -PermissionsToSecrets 'Get,Set' This command grants permissions for an application for a key vault named Contoso03Vault. The ServicePrincipalName parameter specifies the application. The application must be registered in your Azure Active Directory. The value of the ServicePrincipalName parameter must be either the service principal name of the application or the application ID GUID. This example specifies the service principal name http://payroll.contoso.com, and the command grants the application permissions to read and write secrets. + + Example 3: Grant permissions for an application using its object ID PS C:\>Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ObjectId 34595082-9346-41b6-8d6b-295a2808b8db -PermissionsToSecrets 'Get,Set' This command grants the application permissions to read and write secrets. This example specifies the application using the object ID of the service principal of the application. + + Example 4: Grant permissions for a user principal name PS C:\>Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -UserPrincipalName 'PattiFuller@contoso.com' -PermissionsToSecrets 'Get,List,Set' This command grants get, list, and set permissions for the specified user principal name for access to secrets. 
+ + Example 5: Enable secrets to be retrieved from a key vault vault by the Microsoft.Compute resource providerkey vault PS C:\>Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ResourceGroupName 'Group14' -EnabledForDeployment This command grants the permissions for secrets to be retrieved from the Contoso03Vault key vault by the Microsoft.Compute resource provider. + + Example 6: Grant permissions to a security group 
@@ -7388,10 +7883,20 @@ DisplayName Type ObjectId group1 96a0daa6-9841-4a9c-bdeb-e7062276c688 group2 b8a401eb-63ad-4a30-b0e1-a7461969fe54 group3 da07a6be-2c1e-4e42-934d-ceb57cf652b4 -The first command uses the Get-AzureRmADGroup cmdlet to get all Active Directory groups. From the output, you see 3 groups returned, named group1, group2, and group3. Multiple groups can have the same name but always have a unique ObjectId. When more than one group that has the same name is returned, use the ObjectId in the output to identify the one you want to use. +The first command uses the Get-AzureRmADGroup cmdlet to get all Active Directory groups. From the output, you see 3 groups returned, named group1 , group2 , and group3 . Multiple groups can have the same name but always have a unique ObjectId. When more than one group that has the same name is returned, use the ObjectId in the output to identify the one you want to use. -You then use the output of this command with Set-AzureRmKeyVaultAccessPolicy to grant permissions to group2 for your key vault, named myownvault. This example enumerates the groups named 'group2' inline in the same command line. There may be multiple groups in the returned list that are named 'group2'. This example picks the first one, indicated by index [0] in the returned list. +You then use the output of this command with Set-AzureRmKeyVaultAccessPolicy to grant permissions to group2 for your key vault, named myownvault . This example enumerates the groups named 'group2' inline in the same command line. There may be multiple groups in the returned list that are named 'group2'. This example picks the first one, indicated by index [0] in the returned list. 
+ + + + +Example 7: Grant Azure Information Protection access to the customer-managed tenant key (BYOK) +PS C:\>Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso04Vault' -ServicePrincipalName 00000012-0000-0000-c000-000000000000 -PermissionsToKeys decrypt,encrypt,unwrapkey,wrapkey,verify,sign,get +This command authorizes Azure Information Protection to use a customer-managed key (the bring your own key, or "BYOK" scenario) as the Azure Information Protection tenant key. When you run this command, specify your own vault name but you must specify the ServicePrincipalName parameter with the GUID 00000012-0000-0000-c000-000000000000 and specify all the permissions in the example. + + + @@ -7445,7 +7950,7 @@ group3 da07a6be-2c1e-4e42 False Confirm -Prompts you for confirmation before running the cmdlet.Prompts you for confirmation before running the cmdlet. +Prompts you for confirmation before running the cmdlet. SwitchParameter @@ -7490,7 +7995,7 @@ group3 da07a6be-2c1e-4e42 None Confirm -Prompts you for confirmation before running the cmdlet.Prompts you for confirmation before running the cmdlet. +Prompts you for confirmation before running the cmdlet. SwitchParameter @@ -7534,6 +8039,8 @@ ErrorCode : ErrorMessage : This command cancels the TestCert02 certificate operation. + + @@ -7545,4 +8052,4 @@ ErrorMessage : - + \ No newline at end of file diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault/Models/IKeyVaultDataServiceClient.cs b/src/ResourceManager/KeyVault/Commands.KeyVault/Models/IKeyVaultDataServiceClient.cs index 4afbc7f0648e..b724361efd52 100644 --- a/src/ResourceManager/KeyVault/Commands.KeyVault/Models/IKeyVaultDataServiceClient.cs +++ b/src/ResourceManager/KeyVault/Commands.KeyVault/Models/IKeyVaultDataServiceClient.cs 
@@ -52,6 +52,10 @@ public interface IKeyVaultDataServiceClient KeyBundle RestoreKey(string vaultName, string inputBlobPath); + string BackupSecret(string vaultName, string secretName, string outputBlobPath); + + Secret RestoreSecret(string vaultName, string inputBlobPath); + #region Certificate actions Contacts SetCertificateContacts(string vaultName, Contacts contacts); diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault/Models/KeyVaultCmdletBase.cs b/src/ResourceManager/KeyVault/Commands.KeyVault/Models/KeyVaultCmdletBase.cs index e479d479874b..e31644b6caf9 100644 --- a/src/ResourceManager/KeyVault/Commands.KeyVault/Models/KeyVaultCmdletBase.cs +++ b/src/ResourceManager/KeyVault/Commands.KeyVault/Models/KeyVaultCmdletBase.cs @@ -12,14 +12,17 @@ // limitations under the License. // ---------------------------------------------------------------------------------- +using System; +using System.IO; using Microsoft.Azure.Commands.Common.Authentication; using Microsoft.Azure.Commands.ResourceManager.Common; -using System.Net.Http; namespace Microsoft.Azure.Commands.KeyVault.Models { public class KeyVaultCmdletBase : AzureRMCmdlet { + public static readonly DateTime EpochDate = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc); + internal IKeyVaultDataServiceClient DataServiceClient { get 
@@ -39,6 +42,25 @@ internal IKeyVaultDataServiceClient DataServiceClient } } + protected string GetDefaultFileForOperation( string operationName, string vaultName, string entityName ) + { + // caller is responsible for parameter validation + var currentPath = CurrentPath(); + var filename = string.Format("{0}\\{1}-{2}-{3}-{4}", currentPath, vaultName, entityName, DateTime.UtcNow.Subtract(EpochDate).TotalSeconds); + + return filename; + } + + protected string ResolvePathFromFilename( string filePath, bool throwOnPreExisting, string errorMessage ) + { + FileInfo file = new FileInfo(this.GetUnresolvedProviderPathFromPSPath(filePath)); + if ( file.Exists && throwOnPreExisting ) + { + throw new IOException( string.Format( errorMessage, filePath ) ); + } + + return file.FullName; + } private IKeyVaultDataServiceClient dataServiceClient; } diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault/Models/KeyVaultDataServiceClient.cs b/src/ResourceManager/KeyVault/Commands.KeyVault/Models/KeyVaultDataServiceClient.cs index 11bbc33604f5..d3d12c2c4f45 100644 --- a/src/ResourceManager/KeyVault/Commands.KeyVault/Models/KeyVaultDataServiceClient.cs +++ b/src/ResourceManager/KeyVault/Commands.KeyVault/Models/KeyVaultDataServiceClient.cs 
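Review bot: The format string in `GetDefaultFileForOperation` names five placeholders (`{0}` to `{4}`) but only four arguments follow it, and `operationName` is never used, so `string.Format` will throw `FormatException` whenever a default backup file name is requested. Presumably the operation name was meant to be part of the name. The path is also joined with a hard-coded `\\`, and `TotalSeconds` is a `double` that formats with a culture-dependent fractional part. I would write `var filename = Path.Combine(currentPath, string.Format(CultureInfo.InvariantCulture, "{0}-{1}-{2}-{3}", operationName, vaultName, entityName, (long)DateTime.UtcNow.Subtract(EpochDate).TotalSeconds));`, which also needs `using System.Globalization;`. A test that calls the cmdlet without `-OutputFile` would have caught this.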
@@ -812,6 +812,56 @@ public KeyBundle RestoreKey(string vaultName, string inputBlobPath) return new KeyBundle(keyBundle, this.vaultUriHelper); } + public string BackupSecret( string vaultName, string secretName, string outputBlobPath ) + { + if ( string.IsNullOrEmpty( vaultName ) ) + throw new ArgumentNullException( "vaultName" ); + if ( string.IsNullOrEmpty( secretName ) ) + throw new ArgumentNullException( "secretName" ); + if ( string.IsNullOrEmpty( outputBlobPath ) ) + throw new ArgumentNullException( "outputBlobPath" ); + + string vaultAddress = this.vaultUriHelper.CreateVaultAddress(vaultName); + + BackupSecretResult backupSecretResult; + try + { + backupSecretResult = this.keyVaultClient.BackupSecretAsync( vaultAddress, secretName ).GetAwaiter( ).GetResult( ); + } + catch ( Exception ex ) + { + throw GetInnerException( ex ); + } + + File.WriteAllBytes( outputBlobPath, backupSecretResult.Value ); + + return outputBlobPath; + } + + public Secret RestoreSecret( string vaultName, string inputBlobPath ) + { + if ( string.IsNullOrEmpty( vaultName ) ) + throw new ArgumentNullException( "vaultName" ); + if ( string.IsNullOrEmpty( inputBlobPath ) ) + throw new ArgumentNullException( "inputBlobPath" ); + + var backupBlob = File.ReadAllBytes(inputBlobPath); + + string vaultAddress = this.vaultUriHelper.CreateVaultAddress(vaultName); + + Azure.KeyVault.Models.SecretBundle secretBundle; + try + { + secretBundle = this.keyVaultClient.RestoreSecretAsync( vaultAddress, backupBlob ).GetAwaiter( ).GetResult( ); + } + catch ( Exception ex ) + { + throw GetInnerException( ex ); + } + + return new Secret( secretBundle, this.vaultUriHelper ); + } + public CertificatePolicy GetCertificatePolicy(string vaultName, string certificateName) { if (string.IsNullOrEmpty(vaultName)) 
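Review bot: `File.WriteAllBytes( outputBlobPath, backupSecretResult.Value )` in `BackupSecret` creates the file or silently replaces whatever is already at that path. The "backup file already exists" guarantee therefore rests entirely on the earlier `file.Exists` test in `ResolvePathFromFilename` (the KeyVaultCmdletBase.cs hunk), which leaves a window between the check and the write. If every caller is expected to refuse an existing file (the cmdlet code is outside this hunk), opening with `FileMode.CreateNew` makes that refusal atomic: `using (var fs = new FileStream(outputBlobPath, FileMode.CreateNew, FileAccess.Write, FileShare.None)) { fs.Write(backupSecretResult.Value, 0, backupSecretResult.Value.Length); }`. Add a comment that the blob is written with the destination directory's inherited permissions, because the default destination built by `GetDefaultFileForOperation` is the current directory. Also consider rejecting a null `backupSecretResult.Value` before the write.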
diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault/Properties/Resources.Designer.cs b/src/ResourceManager/KeyVault/Commands.KeyVault/Properties/Resources.Designer.cs index 483f7c035610..212f51da0ec5 100644 --- a/src/ResourceManager/KeyVault/Commands.KeyVault/Properties/Resources.Designer.cs +++ b/src/ResourceManager/KeyVault/Commands.KeyVault/Properties/Resources.Designer.cs @@ -144,6 +144,39 @@ internal static string BackupKeyFileNotFound { } } + /// + /// Looks up a localized string similar to Backup secret. + /// + internal static string BackupSecret + { + get + { + return ResourceManager.GetString( "BackupSecret", resourceCulture ); + } + } + + /// + /// Looks up a localized string similar to The backup secret file '{0}' already exists.. + /// + internal static string BackupSecretFileAlreadyExists + { + get + { + return ResourceManager.GetString( "BackupSecretFileAlreadyExists", resourceCulture ); + } + } + + /// + /// Looks up a localized string similar to Cannot find backup secret file '{0}'. + /// + internal static string BackupSecretFileNotFound + { + get + { + return ResourceManager.GetString( "BackupSecretFileNotFound", resourceCulture ); + } + } + /// /// Looks up a localized string similar to Bad Parameter Set Name. /// @@ -567,6 +600,17 @@ internal static string RestoreKey { } } + /// + /// Looks up a localized string similar to Restore secret. + /// + internal static string RestoreSecret + { + get + { + return ResourceManager.GetString( "RestoreSecret", resourceCulture ); + } + } + /// /// Looks up a localized string similar to Set certificate attribute. /// diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault/Properties/Resources.resx b/src/ResourceManager/KeyVault/Commands.KeyVault/Properties/Resources.resx index c99e23871bee..1b3c12319f97 100644 --- a/src/ResourceManager/KeyVault/Commands.KeyVault/Properties/Resources.resx +++ b/src/ResourceManager/KeyVault/Commands.KeyVault/Properties/Resources.resx 
@@ -135,6 +135,12 @@ You can find the object ID using Azure Active Directory Module for Windows Power Cannot find backup key file '{0}' + + The backup secret file '{0}' already exists. + + + Cannot find backup secret file '{0}' + Bad Parameter Set Name @@ -276,6 +282,9 @@ You can find the object ID using Azure Active Directory Module for Windows Power Backup key + + Backup secret + Create certificate administrator @@ -324,6 +333,9 @@ You can find the object ID using Azure Active Directory Module for Windows Power Restore key + + Restore secret + Set vault access policy diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault/help/AzureRM.KeyVault.md b/src/ResourceManager/KeyVault/Commands.KeyVault/help/AzureRM.KeyVault.md index 2b5a33ed4e59..5dfa41b1ef57 100644 --- a/src/ResourceManager/KeyVault/Commands.KeyVault/help/AzureRM.KeyVault.md +++ b/src/ResourceManager/KeyVault/Commands.KeyVault/help/AzureRM.KeyVault.md @@ -24,6 +24,9 @@ Creates a key in a key vault or imports a key into a key vault. ### [Backup-AzureKeyVaultKey](Backup-AzureKeyVaultKey.md) Backs up a key in a key vault. +### [Backup-AzureKeyVaultSecret](Backup-AzureKeyVaultSecret.md) +Backs up a secret in a key vault. + ### [Get-AzureKeyVaultCertificate](Get-AzureKeyVaultCertificate.md) Gets a certificate from a key vault. @@ -90,6 +93,9 @@ Removes all permissions for a user or application from a key vault. ### [Restore-AzureKeyVaultKey](Restore-AzureKeyVaultKey.md) Creates a key in a key vault from a backed-up key. +### [Restore-AzureKeyVaultSecret](Restore-AzureKeyVaultSecret.md) +Creates a secret in a key vault from a backed-up secret. + ### [Set-AzureKeyVaultCertificateAttribute](Set-AzureKeyVaultCertificateAttribute.md) Modifies editable attributes of a certificate. diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault/help/Backup-AzureKeyVaultSecret.md b/src/ResourceManager/KeyVault/Commands.KeyVault/help/Backup-AzureKeyVaultSecret.md new file mode 100644 index 000000000000..f85a081dc435 
--- /dev/null +++ b/src/ResourceManager/KeyVault/Commands.KeyVault/help/Backup-AzureKeyVaultSecret.md 
@@ -0,0 +1,144 @@ +--- +external help file: Microsoft.Azure.Commands.KeyVault.dll-Help.xml +ms.assetid: 80AAA327-77C6-4372-9461-FFED5A15E678 +online version: http://go.microsoft.com/fwlink/?LinkId=690296 +schema: 2.0.0 +--- + +# Backup-AzureKeyVaultSecret + +## SYNOPSIS +Backs up a secret in a key vault. + +## SYNTAX + +``` +Backup-AzureKeyVaultSecret [-VaultName] [-Name] [[-OutputFile] ] [-WhatIf] [-Confirm] [] +``` + +## DESCRIPTION +The **Backup-AzureKeyVaultSecret** cmdlet backs up a specified secret in a key vault by downloading it and storing it in a file. +If there are multiple versions of the secret, all versions are included in the backup. +Because the downloaded content is encrypted, it cannot be used outside of Azure Key Vault. +You can restore a backed-up secret to any key vault in the subscription that it was backed up from. + +Typical reasons to use this cmdlet are: + +- You want to escrow a copy of your secret, so that you have an offline copy in case you accidentally delete your secret in your key vault. +- You added a secret to a key vault and now want to clone the secret into a different Azure region, so that you can use it from all instances of your distributed application. Use the Backup-AzureKeyVaultSecret cmdlet to retrieve the secret in encrypted format and then use the Restore-AzureKeyVaultSecret cmdlet and specify a key vault in the second region. (Note that the regions must belong to the same geography.) + +## EXAMPLES + +### Example 1: Back up a secret with an automatically generated file name +``` +PS C:\>Backup-AzureKeyVaultSecret -VaultName 'MyKeyVault' -Name 'MySecret' +``` + +This command retrieves the secret named MySecret from the key vault named MyKeyVault and saves a backup of that secret to a file that is automatically named for you, and displays the file name. 
+ +### Example 2: Back up a secret to a specified file name +``` +PS C:\>Backup-AzureKeyVaultSecret -VaultName 'MyKeyVault' -Name 'MySecret' -OutputFile 'C:\Backup.blob' +``` + +This command retrieves the secret named MySecret from the key vaultnamed MyKeyVault and saves a backup of that secret to a file named Backup.blob. + +## PARAMETERS + +### -Name +Specifies the name of the secret to back up. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SecretName + +Required: True +Position: 2 +Default value: None +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + +### -OutputFile +Specifies the output file in which the backup blob is stored. +If you do not specify this parameter, this cmdlet generates a file name for you. +If you specify the name of an existing output file, the operation will not complete and returns an error message that the backup file already exists. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: None +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + +### -VaultName +Specifies the name of the key vault that contains the secret to back up. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[Set-AzureKeyVaultSecret](./Set-AzureKeyVaultSecret.md) + +[Get-AzureKeyVaultSecret](./Get-AzureKeyVaultSecret.md) + +[Remove-AzureKeyVaultSecret](./Remove-AzureKeyVaultSecret.md) + +[Restore-AzureKeyVaultSecret](./Restore-AzureKeyVaultSecret.md) + diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault/help/Restore-AzureKeyVaultSecret.md b/src/ResourceManager/KeyVault/Commands.KeyVault/help/Restore-AzureKeyVaultSecret.md new file mode 100644 index 000000000000..bd78d94fd4cf --- /dev/null +++ b/src/ResourceManager/KeyVault/Commands.KeyVault/help/Restore-AzureKeyVaultSecret.md 
@@ -0,0 +1,119 @@ +--- +external help file: Microsoft.Azure.Commands.KeyVault.dll-Help.xml +ms.assetid: 70DB088D-4AF5-406B-8D66-118A0F766041 +online version: http://go.microsoft.com/fwlink/?LinkId=690301 +schema: 2.0.0 +--- + +# Restore-AzureKeyVaultSecret + +## SYNOPSIS +Creates a secret in a key vault from a backed-up secret. + +## SYNTAX + +``` +Restore-AzureKeyVaultSecret [-VaultName] [-InputFile] [-WhatIf] [-Confirm] [] +``` + +## DESCRIPTION +The **Restore-AzureKeyVaultSecret** cmdlet creates a secret in the specified key vault. +This secret is a replica of the backed-up secret in the input file and has the same name as the original secret. +If the key vault already has a secret by the same name, this cmdlet fails instead of overwriting the original secret. +If the backup contains multiple versions of a secret, all versions are restored. + +The key vault that you restore the secret into can be different from the key vault that you backed up the secret from. +However, the key vault must use the same subscription and be in an Azure region in the same geography (for example, North America). +See the Microsoft Azure Trust Center (https://azure.microsoft.com/support/trust-center/) for the mapping of Azure regions to geographies. + +## EXAMPLES + +### Example 1: Restore a backed-up secret +``` +PS C:\>Restore-AzureKeyVaultSecret -VaultName 'MyKeyVault' -InputFile "C:\Backup.blob" +``` + +This command restores a secret, including all of its versions, from the backup file named Backup.blob into the key vault named MyKeyVault. + +## PARAMETERS + +### -InputFile +Specifies the input file that contains the backup of the secret to restore. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -VaultName +Specifies the name of the key vault into which to restore the secret. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[Set-AzureKeyVaultSecret](./Set-AzureKeyVaultSecret.md) + +[Backup-AzureKeyVaultSecret](./Backup-AzureKeyVaultSecret.md) + +[Get-AzureKeyVaultSecret](./Get-AzureKeyVaultSecret.md) + +[Remove-AzureKeyVaultSecret](./Remove-AzureKeyVaultSecret.md) + diff --git a/src/ResourceManager/KeyVault/Commands.KeyVault/packages.config b/src/ResourceManager/KeyVault/Commands.KeyVault/packages.config index 5f2fa92f0b1f..3df22d983b00 100644 --- a/src/ResourceManager/KeyVault/Commands.KeyVault/packages.config +++ b/src/ResourceManager/KeyVault/Commands.KeyVault/packages.config @@ -5,8 +5,8 @@ - - + +