az iot ops secretsync secret

Note

This reference is part of the azure-iot-ops extension for the Azure CLI (version 2.70.0 or higher). The extension will automatically install the first time you run an az iot ops secretsync secret command. Learn more about extensions.

Manage individual secrets within SecretSync resources.

Commands

Name | Description | Type | Status
az iot ops secretsync secret list | List secrets within a SecretSync resource. | Extension | GA
az iot ops secretsync secret remove | Remove a specific secret from a SecretSync resource. If all secrets are removed, the SecretSync resource itself is automatically deleted. | Extension | GA
az iot ops secretsync secret set | Set AKV secret mappings on a SecretSync resource. | Extension | GA

az iot ops secretsync secret list

List secrets within a SecretSync resource.

az iot ops secretsync secret list --instance
                                  --resource-group
                                  --secret-sync-name

Examples

List secrets in a specific SecretSync resource.

az iot ops secretsync secret list --instance myInstance -g myRG --secret-sync-name my-certs

Required Parameters

--instance -i -n

IoT Operations instance name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--secret-sync-name

Name of the SecretSync resource.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az iot ops secretsync secret remove

Remove a specific secret from a SecretSync resource. If all secrets are removed, the SecretSync resource itself is automatically deleted.

Removes the secret entry from the SecretSync's objectSecretMapping. If this is the last secret in the SecretSync, the entire SecretSync resource will be deleted since the ARM API does not allow a SecretSync with zero secret mappings.

Before removing the secret from the shared SPC (secret provider class), a ref-count check is performed across all SecretSyncs in the custom location. The SPC entry is only removed if no other SecretSync still references the same AKV secret. This prevents breaking other consumers of the shared SPC.

This command does NOT delete the secret from Azure Key Vault.

az iot ops secretsync secret remove --instance
                                    --resource-group
                                    --secret-name
                                    --secret-sync-name
                                    [--acquire-policy-token]
                                    [--change-reference]
                                    [--yes {false, true}]

Examples

Remove a secret from a SecretSync.

az iot ops secretsync secret remove --instance myInstance -g myRG --secret-sync-name my-certs --secret-name my-tls-cert

Remove a secret without confirmation prompt.

az iot ops secretsync secret remove --instance myInstance -g myRG --secret-sync-name my-certs --secret-name my-tls-cert -y

Required Parameters

--instance -i -n

IoT Operations instance name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--secret-name

AKV secret name (sourcePath value) to remove from the SecretSync.

--secret-sync-name

Name of the SecretSync resource.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--acquire-policy-token

Acquire an Azure Policy token automatically for this resource operation.

Property Value
Parameter group: Global Policy Arguments
--change-reference

The related change reference ID for this resource operation.

Property Value
Parameter group: Global Policy Arguments
--yes -y

Confirm [y]es without a prompt. Useful for CI and automation scenarios.

Property Value
Accepted values: false, true
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az iot ops secretsync secret set

Set AKV secret mappings on a SecretSync resource.

Resolves the instance's default secret provider class (SPC), verifies each AKV secret exists, adds each secret to the SPC's objects list, and creates or merges entries into the named SecretSync resource.

If the SecretSync already exists, new secret entries are merged into it. Existing entries with the same AKV secret name will have their target key updated.

The --secret-sync-name value becomes the K8s secret name. Consumers reference it via <secret-sync-name>/<target-key> for device endpoints, or just <secret-sync-name> for dataflow endpoints.
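
A model of the merge semantics described for `secret set` and the ref-counted removal described for `secret remove`, as an added example that is not the extension's own code: SecretSyncs and the shared SPC are plain dicts with assumed field names, and the set of existing AKV secrets is constructed inline.

```python
# Added example, not code from the azure-iot-ops extension: models the
# create-or-merge behaviour of `secret set` and the ref-counted removal of
# `secret remove`. Resource shapes below are assumed, not the ARM schema.

class SecretNotFound(KeyError):
    """Raised when a mapped AKV secret does not exist (set verifies this)."""

def parse_secret_map(arg):
    """Parse one --secret-map value '<akv-secret-name>=<target-key>'."""
    akv_name, sep, target_key = arg.partition("=")
    if not sep or not akv_name or not target_key:
        raise ValueError(f"bad --secret-map value: {arg!r}")
    return akv_name, target_key

def set_secrets(spc, syncs, akv_secrets, sync_name, secret_map_args):
    """Create or merge SecretSync `sync_name`; register each secret in the SPC."""
    mappings = [parse_secret_map(a) for a in secret_map_args]
    missing = [n for n, _ in mappings if n not in akv_secrets]
    if missing:                                   # verify before creating anything
        raise SecretNotFound(missing)
    sync = syncs.setdefault(sync_name, {"objectSecretMapping": []})
    for akv_name, target_key in mappings:
        if akv_name not in spc["objects"]:        # shared SPC objects list
            spc["objects"].append(akv_name)
        for entry in sync["objectSecretMapping"]:
            if entry["sourcePath"] == akv_name:   # same AKV secret: update key
                entry["targetKey"] = target_key
                break
        else:
            sync["objectSecretMapping"].append(
                {"sourcePath": akv_name, "targetKey": target_key})
    return sync

def remove_secret(spc, syncs, sync_name, akv_name):
    """Drop `akv_name` from one SecretSync; ref-count before touching the SPC."""
    sync = syncs[sync_name]
    sync["objectSecretMapping"] = [
        e for e in sync["objectSecretMapping"] if e["sourcePath"] != akv_name]
    if not sync["objectSecretMapping"]:           # zero mappings not allowed
        del syncs[sync_name]
    still_referenced = any(
        e["sourcePath"] == akv_name
        for s in syncs.values() for e in s["objectSecretMapping"])
    if not still_referenced and akv_name in spc["objects"]:
        spc["objects"].remove(akv_name)           # the AKV secret itself is untouched
    return {"sync_deleted": sync_name not in syncs,
            "spc_entry_removed": not still_referenced}
```

The AKV vault itself never appears in the model because the command does not delete from Key Vault; only the SPC entry and the SecretSync mapping are affected.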

az iot ops secretsync secret set --instance
                                 --resource-group
                                 --secret-map
                                 --secret-sync-name
                                 [--acquire-policy-token]
                                 [--change-reference]

Examples

Create a SecretSync for device endpoint x509 cert auth.

az iot ops secretsync secret set --instance myInstance -g myRG --secret-sync-name my-certs --secret-map my-tls-cert=certificate --secret-map my-tls-key=privateKey

Add another secret to an existing SecretSync (idempotent merge).

az iot ops secretsync secret set --instance myInstance -g myRG --secret-sync-name my-certs --secret-map my-intermediate-cert=intermediateCerts

Create a SecretSync for SASL-based dataflow endpoint.

az iot ops secretsync secret set --instance myInstance -g myRG --secret-sync-name eventhub-sasl --secret-map my-eh-user=username --secret-map my-eh-pass=password

Required Parameters

--instance -i -n

IoT Operations instance name.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--secret-map

AKV secret mapping in the format <akv-secret-name>=<target-key>. Repeatable. The AKV secret must exist.

--secret-sync-name

Name for the SecretSync ARM resource and the resulting K8s secret.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--acquire-policy-token

Acquire an Azure Policy token automatically for this resource operation.

Property Value
Parameter group: Global Policy Arguments
--change-reference

The related change reference ID for this resource operation.

Property Value
Parameter group: Global Policy Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False