Store a multi-line secret in Azure Key Vault

Article
09/09/2024

The Azure CLI quickstart or Azure PowerShell quickstart demonstrate how to store a single-line secret. You can also use Key Vault to store a multi-line secret, such as a JSON file or RSA private key.

Multi-line secrets cannot be passed to the Azure CLI az keyvault secret set command or the Azure PowerShell Set-AzKeyVaultSecret cmdlet through the commandline. Instead, you must first store the multi-line secret as a text file.

For example, you could create a text file called "secretfile.txt" containing the following lines:

This is my
multi-line
secret

Set the secret using Azure CLI

You can then pass this file to the Azure CLI az keyvault secret set command using the --file parameter.

az keyvault secret set --vault-name "<your-unique-keyvault-name>" --name "MultilineSecret" --file "secretfile.txt"

You can then view the stored secret using the Azure CLI az keyvault secret show command.

az keyvault secret show --name "MultilineSecret" --vault-name "<your-unique-keyvault-name>" --query "value"

The secret will be returned with \n in place of newline:

"This is\nmy multi-line\nsecret"

The \n above is a \ and n character, not the newline character. Quotes " are included in the string.

Set the secret using Azure Powershell

With Azure PowerShell, you must first read in the file using the Get-Content cmdlet, then convert it to a secure string using ConvertTo-SecureString.

$RawSecret =  Get-Content "secretfile.txt" -Raw
$SecureSecret = ConvertTo-SecureString -String $RawSecret -AsPlainText -Force

Lastly, you store the secret using the Set-AzKeyVaultSecret cmdlet.

$secret = Set-AzKeyVaultSecret -VaultName "<your-unique-keyvault-name>" -Name "MultilineSecret" -SecretValue $SecureSecret

You can then view the stored secret using the Azure CLI az keyvault secret show command or the Azure PowerShell Get-AzKeyVaultSecret cmdlet.

az keyvault secret show --name "MultilineSecret" --vault-name "<your-unique-keyvault-name>" --query "value"