Azure Key Vault password decryption with az cli

Question

I'm experimenting with an idea to use Azure Key Vault as the team password manager (instead of something like a KeyPass where all individuals manage their own instance of password database). I understand something like LastPass cloud would help but since we're all Azure shop, wondering if this would be one way to do it without getting a new product/bill.

I am able to set the keys and passwords in the vault and retrieve the hashed value. But I am unable to decrypt the key using az cli. I was hoping to store all credentials in Azure Key vault and have the team members query the key/password through their az cli; having a one source of truth and an access management through azure login credentials.

Following command provides with an encrypted value.

az keyvault secret show --name KEY_NAME --vault-name VAULT_NAME

What I'm hoping for is like a decrypt command? If this is not possible at all in cli, I'd like to hear suggestions to achieve this in python. Thanks in advance.

Answer 1

This is possible using Azure CLI.

Here is the official documentation: https://docs.microsoft.com/en-us/cli/azure/keyvault/secret?view=azure-cli-latest#az_keyvault_secret_show

It looks like from what you have written you have not included the --subscription parameter. Although this appears as optional, you must set the context of your CLI in order for the command to work without specifying this parameter. Try specifying the subscription id and running the command again.

Also, go to your key vault in the portal and confirm that you have given the user principal that you are logging in as (using the az login command) has sufficient permissions to get and list secrets.

Here is what the output should look like:

az keyvault secret show --name test --subscription [HIDDEN] --vault-name [HIDDEN]

...

"value": "this is my password"