Azure Level 3 task 5 - Managing Secrets with Azure Key Vault 2

Hi,

I am getting key not found despite creating the key:

Can you please help?

Hi @itayara

Please refer to Azure Level 3 task 5 - Managing Secrets with Azure Key Vault - #12 by raymond.baoly

Hi,

That’s what I did but it always says Key not found in KeyVault!

Can you please show the steps for how you created the key in Key Vault?

Hi @itayara

```bash
# Encrypt the file using Azure Key Vault
az keyvault key encrypt \
  --vault-name nautilus-13760 \
  --name nautilus-key \
  --algorithm RSA-OAEP \
  --value "$(cat /root/SensitiveData.txt | base64)" \
  | jq -r '.result' > /root/EncryptedData.bin

# Verify encrypted data
cat /root/EncryptedData.bin

# Decrypt the file using Azure Key Vault
az keyvault key decrypt \
  --vault-name nautilus-13760 \
  --name nautilus-key \
  --algorithm RSA-OAEP \
  --value "$(cat /root/EncryptedData.bin)" \
  | jq -r '.result' | base64 --decode > /root/DecryptedData.txt
```

Hi,

I am still getting the error:

I think there is an issue when validating the key in keyvault

That’s what I have for the key in Key vault:

Can you please retry the whole task from your end and confirm?

@itayara

It’s working fine on my side. I think something might have gone wrong on your end. Please try again, and if you still can’t solve it, provide the detailed steps you took.

Hi,

Here are the steps I did:

```bash
az keyvault key encrypt \
  --vault-name devops-20849 \
  --name devops-key \
  --algorithm RSA-OAEP \
  --value "$(cat /root/SensitiveData.txt | base64)" \
  | jq -r '.result' > /root/EncryptedData.bin

cat EncryptedData.bin
eh9TBqzFZ5f+L+inFf7IO3Z1XL8kPJxSroIhlAsiBwaiJryOjAbyRsZKjdh9HVFA4nraAOO426vzF8BMfIPgg+PPnfe5I/66IxsIo9cQsuZ3Oa8jreEHnOzAQK8WqUYWyHQTBQWkQNQtKud2t7+XFaJxhGWGgZ7Sjm+/RXRb6ZTn0KlOdURD2kiNj8f/TyYcHwPQMBPNL89GbcR+siQtIzzOeWFuaJaaKOgnZi1C/qwnD7hnJQqTS9mqJd5GcQ6BSY6+pzwCEmUV3r5Bc7E5DdszSxEJ0PoRY8k4nLiK1/DApXahrJ8DsIDVWFTgRCfPiqSQUchGCMXcy837VTLi3A==

az keyvault key decrypt \
  --vault-name devops-20849 \
  --name devops-key \
  --algorithm RSA-OAEP \
  --value "$(cat /root/EncryptedData.bin)" \
  | jq -r '.result' | base64 -d > /root/DecryptedData.txt

cat DecryptedData.txt
This is a sensitive file.
```

Hi @itayara

Thanks for your detailed feedback. I’ve reviewed all your steps, and they look good.
Please grant get and list permissions for the secret scope kk-main-app. I believe that’s why you’re seeing the validation failure.

It’s working now. Thanks a lot

What were the additional steps you did apart from the screenshot you shared?

This will work

```bash
~ ✖ az keyvault key encrypt \
  --vault-name datacenter-24654 \
  --name datacenter-key \
  --algorithm RSA-OAEP \
  --data-type base64 \
  --value "$(cat /root/SensitiveData.txt | base64)" \
  --query result -o tsv > /root/EncryptedData.bin
WARNING: This command is in preview and under development. Reference and support levels: Overview - Azure CLI terminology and support levels | Microsoft Learn

~ ➜ cat /root/SensitiveData.txt
This is a sensitive file.

~ ➜ cat /root/EncryptedData.bin
x9sZu68wImPmaLzZpPz+HSi+ssgCZEYfYRosll/Vt7BbVlq50Kcr/duJgip/ENcikKdiXbPcBFvOld6pePuWAGk72sBJWLK62HzZ04rIBOXIGrEp/k+q/EoygNoDTv2FfnuDnCDlvKzPak6O4j5F9gv0G7hmaDx/VVfxtbzhLNaXa8M1AiNtMw91U8t6jGK79JR2vJkhwuyv/gj3BD8QUvilZ1JE1zLutSdlL708pc/CTcxvB8tFMfX1/zTcw/gH9Wf4iqIbrgNultAOD2SY7OT3iaVlvzrEOuDIC2XHWHIpGQmqViTH9kcx36Cqce4RSdFVTT80xHk+p3r2jO7CqQ==

~ ➜ az keyvault key decrypt \
  --vault-name datacenter-24654 \
  --name datacenter-key \
  --algorithm RSA-OAEP \
  --data-type base64 \
  --value "$(cat /root/EncryptedData.bin)" \
  --query result -o tsv | base64 --decode > /root/DecryptedData.txt
WARNING: This command is in preview and under development. Reference and support levels: Overview - Azure CLI terminology and support levels | Microsoft Learn

~ ➜ cat /root/EncryptedData.bin
x9sZu68wImPmaLzZpPz+HSi+ssgCZEYfYRosll/Vt7BbVlq50Kcr/duJgip/ENcikKdiXbPcBFvOld6pePuWAGk72sBJWLK62HzZ04rIBOXIGrEp/k+q/EoygNoDTv2FfnuDnCDlvKzPak6O4j5F9gv0G7hmaDx/VVfxtbzhLNaXa8M1AiNtMw91U8t6jGK79JR2vJkhwuyv/gj3BD8QUvilZ1JE1zLutSdlL708pc/CTcxvB8tFMfX1/zTcw/gH9Wf4iqIbrgNultAOD2SY7OT3iaVlvzrEOuDIC2XHWHIpGQmqViTH9kcx36Cqce4RSdFVTT80xHk+p3r2jO7CqQ==

~ ➜ cat /root/SensitiveData.txt
This is a sensitive file.

~ ➜ cat /root/DecryptedData.txt
This is a sensitive file.
```

But before doing this, create the Azure vault.

```bash
~ ➜ az ad signed-in-user show --query id -o tsv
e6450c28-7a30-4d7c-b1fc-0841f65ade07
```

Give your Object id the permission for encrypt and decrypt under policy section.
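An added example, not part of any post in this thread: shell functions that wrap the commands shown above so that a failed `az` call (missing key, missing permission) stops the run instead of leaving an empty output file, and that compare the decrypted file with the original. The function names are hypothetical, and `kv_grant_crypto` assumes the vault uses access policies rather than Azure RBAC.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.

# Give the signed-in user encrypt/decrypt on keys. Access-policy vaults only.
# The list replaces this principal's current key permissions, so include any
# others you still need in the same call.
kv_grant_crypto() {   # usage: kv_grant_crypto <vault>
  _oid="$(az ad signed-in-user show --query id -o tsv)" || return 1
  az keyvault set-policy --name "$1" --object-id "$_oid" \
    --key-permissions encrypt decrypt >/dev/null
}

# Encrypt <infile> with <vault>/<key>; write base64 ciphertext to <outfile>.
kv_encrypt_file() {   # usage: kv_encrypt_file <vault> <key> <infile> <outfile>
  # GNU base64 wraps at 76 columns; pass the value as a single line.
  _b64="$(base64 < "$3" | tr -d '\n')" || return 1
  _ct="$(az keyvault key encrypt --vault-name "$1" --name "$2" \
          --algorithm RSA-OAEP --data-type base64 --value "$_b64" \
          --query result -o tsv)" || return 1
  [ -n "$_ct" ] || return 1        # never write an empty "encrypted" file
  printf '%s\n' "$_ct" > "$4"
}

# Decrypt base64 ciphertext in <infile>; write the plaintext to <outfile>.
kv_decrypt_file() {   # usage: kv_decrypt_file <vault> <key> <infile> <outfile>
  _pt="$(az keyvault key decrypt --vault-name "$1" --name "$2" \
          --algorithm RSA-OAEP --data-type base64 --value "$(cat "$3")" \
          --query result -o tsv)" || return 1
  [ -n "$_pt" ] || return 1
  printf '%s' "$_pt" | base64 --decode > "$4"
}

# Encrypt, decrypt, and confirm the result is byte-identical to the input.
kv_roundtrip() {      # usage: kv_roundtrip <vault> <key> <plain> <enc> <dec>
  kv_encrypt_file "$1" "$2" "$3" "$4" || { echo "encrypt failed: check key name and permissions" >&2; return 1; }
  kv_decrypt_file "$1" "$2" "$4" "$5" || { echo "decrypt failed: check key name and permissions" >&2; return 1; }
  cmp -s "$3" "$5" || { echo "round trip mismatch" >&2; return 1; }
}

# Example call (vault and key names are placeholders for your own lab values):
# kv_grant_crypto <vault-name> && kv_roundtrip <vault-name> <key-name> \
#   /root/SensitiveData.txt /root/EncryptedData.bin /root/DecryptedData.txt
```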

Hi @sethnaman5

Could you please explain a bit more? Were you able to finish the task or not?

I was able to finish the task as mentioned
