Quick Reference

Azure Key Vault & AWS Secrets Manager Cheat Sheet

CLI commands, naming conventions, and best practices for Azure Key Vault and AWS Secrets Manager.

Azure Key Vault CLI Commands

List Secrets
az keyvault secret list --vault-name MyVault --output table
Get Secret Value
az keyvault secret show --vault-name MyVault --name MySecret --query value -o tsv
Create / Update Secret
az keyvault secret set --vault-name MyVault --name MySecret --value 'secret-value'
Set Expiration Date
az keyvault secret set-attributes --vault-name MyVault --name MySecret --expires '2026-12-31T23:59:59Z'
Delete Secret (Soft)
az keyvault secret delete --vault-name MyVault --name MySecret
Recover Deleted Secret
az keyvault secret recover --vault-name MyVault --name MySecret
List Secret Versions
az keyvault secret list-versions --vault-name MyVault --name MySecret --output table
Backup Secret
az keyvault secret backup --vault-name MyVault --name MySecret --file MySecret.bak

AWS Secrets Manager CLI Commands

List Secrets
aws secretsmanager list-secrets --output table
Get Secret Value
aws secretsmanager get-secret-value --secret-id MySecret --query SecretString --output text
Create Secret
aws secretsmanager create-secret --name MySecret --secret-string 'secret-value'
Update Secret Value
aws secretsmanager put-secret-value --secret-id MySecret --secret-string 'new-value'
Tag Secret
aws secretsmanager tag-resource --secret-id MySecret --tags Key=Environment,Value=Production
Delete Secret
aws secretsmanager delete-secret --secret-id MySecret --recovery-window-in-days 7
Restore Deleted Secret
aws secretsmanager restore-secret --secret-id MySecret
Enable Rotation
aws secretsmanager rotate-secret --secret-id MySecret --rotation-lambda-arn arn:aws:lambda:REGION:ACCOUNT:function:MyRotationFn --rotation-rules AutomaticallyAfterDays=30

Secrets Management Best Practices

Rotate Regularly

Rotate secrets every 30–90 days. Set expiration dates and use automated rotation where possible.

Least Privilege Access

Grant only the minimum permissions needed. Use separate access policies for reading vs. managing secrets.

Enable Audit Logging

Always enable audit logging (Azure Monitor / CloudTrail) to track who accesses which secrets and when.

Never Hardcode Secrets

Never commit secrets to source code. Use environment variables, managed identities, or SDK-based access instead.

Use Consistent Naming

Adopt a naming convention (e.g. env/service/key) for easy discovery and management at scale.

Set Expiration Dates

Always set expiration dates on secrets. Use alerts and automation to rotate before they expire.
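
One way to automate the expiration check described above, as an added example that is not part of the original page: it reads JSON shaped like the output of az keyvault secret list with -o json and reports enabled secrets that have no expiry, have expired, or expire within a warning window. The sample data, the audit_expiry function name and the 30-day default window are assumptions made for illustration.

```python
"""Added example: flag Key Vault secrets with no expiry or one that is close."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `az keyvault secret list --vault-name MyVault -o json`
# (names and dates are made up for illustration).
SAMPLE = """[
  {"name": "Prod-DB-ConnectionString",
   "attributes": {"enabled": true, "expires": "2026-12-31T23:59:59+00:00"}},
  {"name": "Staging-API-Key",
   "attributes": {"enabled": true, "expires": null}},
  {"name": "Stripe-Webhook-Secret",
   "attributes": {"enabled": true, "expires": "2026-01-10T00:00:00+00:00"}},
  {"name": "Old-Token",
   "attributes": {"enabled": false, "expires": "2025-06-01T00:00:00+00:00"}}
]"""


def audit_expiry(secrets, now, warn_days=30):
    """Return (name, status) pairs for enabled secrets, worst first."""
    order = {"EXPIRED": 0, "NO_EXPIRY": 1, "EXPIRING": 2, "OK": 3}
    findings = []
    for s in secrets:
        attrs = s.get("attributes") or {}
        if not attrs.get("enabled", True):
            continue  # a disabled secret's value cannot be retrieved; skip it
        raw = attrs.get("expires")
        if raw is None:
            status = "NO_EXPIRY"
        else:
            # Normalise a trailing "Z" so older Python versions can parse it.
            expires = datetime.fromisoformat(raw.replace("Z", "+00:00"))
            if expires <= now:
                status = "EXPIRED"
            elif expires - now <= timedelta(days=warn_days):
                status = "EXPIRING"
            else:
                status = "OK"
        findings.append((s["name"], status))
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


if __name__ == "__main__":
    # Fixed clock so the sample is reproducible; use datetime.now(timezone.utc) in practice.
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)
    for name, status in audit_expiry(json.loads(SAMPLE), now):
        print(f"{status:10} {name}")
```

In a scheduled job, feed the function the parsed CLI output instead of SAMPLE and alert on anything that is not OK.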

Naming Convention Examples

Azure Key Vault

Prod-DB-ConnectionString: valid
Staging-API-Key: valid
Stripe-Webhook-Secret: valid
prod.db.password: invalid (dots)
-my-secret: invalid (starts with -)

AWS Secrets Manager

prod/db/password: valid
staging/api/stripe-key: valid
myapp.config.secret: valid
aws/managed/key: reserved prefix
my secret: invalid (space)

Skip the CLI, Manage Secrets Visually

SatisVault gives you a visual interface for Azure Key Vault and AWS Secrets Manager right in your browser. No CLI needed for day-to-day operations.

Frequently Asked Questions

How do I create a secret in Azure Key Vault using CLI?

Use: az keyvault secret set --vault-name MyVault --name MySecret --value 'secret-value'. You can also pipe in values from files or other commands.

How do I create a secret in AWS Secrets Manager using CLI?

Use: aws secretsmanager create-secret --name MySecret --secret-string 'secret-value'. For binary secrets, use --secret-binary instead.

What are secrets management best practices?

Rotate secrets every 30–90 days, use least-privilege access, enable audit logging, never hardcode secrets in code, use managed identities where possible, and always set expiration dates.