localstack · quetzalliwrites · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026
@@ -1,11 +1,154 @@
 ---
 title: "Key Vault"
-description: API coverage for Microsoft.KeyVault in LocalStack for Azure.
+description: Get started with Azure Key Vault on LocalStack
 template: doc
 ---
 
 import AzureFeatureCoverage from "../../../../components/feature-coverage/AzureFeatureCoverage";
 
+## Introduction
+
+Azure Key Vault is a managed service for securely storing and accessing secrets, keys, and certificates.
+It helps centralize sensitive configuration and credentials for your applications and services.
+Key Vault also supports secure key management and certificate lifecycle operations. For more information, see [About Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/general/overview).
+
+LocalStack for Azure provides a local environment for building and testing applications that make use of Azure Key Vault.
+The supported APIs are available on our [API Coverage section](#api-coverage), which provides information on the extent of Key Vault's integration with LocalStack.
+
+## Getting started
+
+This guide is designed for users new to Key Vault and assumes basic knowledge of the Azure CLI and our `azlocal` wrapper script.
+
+Launch LocalStack using your preferred method. For more information, see [Introduction to LocalStack for Azure](/azure/getting-started/). Once the container is running, enable Azure CLI interception by running:
+
+```bash
+azlocal start-interception
+```
+
+This command points the `az` CLI away from the public Azure management REST API and toward the LocalStack for Azure emulator API.
+To revert this configuration, run:
+
+```bash
+azlocal stop-interception
+```
+
+This reconfigures the `az` CLI to send commands to the official Azure management REST API.
+
+### Create a resource group
+
+Create a resource group that will contain your Key Vault resources:
+
+```bash
+az group create \
+  --name rg-keyvault-demo \
+  --location westeurope
+```
+
+```bash title="Output"
+{
+  "name": "rg-keyvault-demo",
+  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-keyvault-demo",
+  "location": "westeurope",
+  "properties": {
+    "provisioningState": "Succeeded"
+  }
+}
+```
+
+### Create a Key Vault
+
+Create a Key Vault in your resource group:
-Create a Key Vault in your resource group:
+Create a Key Vault in the resource group:
-Create a Key Vault in your resource group:
+Create a Key Vault in the resource group:
+
+```bash
+az keyvault create \
+  --name kv-demo-localstack \
+  --resource-group rg-keyvault-demo \
+  --location westeurope
+```
+
+```bash title="Output"
+{
+  "name": "kv-demo-localstack",
+  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-keyvault-demo/providers/Microsoft.KeyVault/vaults/kv-demo-localstack",
+  "location": "westeurope",
+  "properties": {
+    "provisioningState": "Succeeded",
+    "vaultUri": "https://kv-demo-localstack.localhost.localstack.cloud:4566"
-    "vaultUri": "https://kv-demo-localstack.localhost.localstack.cloud:4566"
+    "vaultUri": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566"
-    "vaultUri": "https://kv-demo-localstack.localhost.localstack.cloud:4566"
+    "vaultUri": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566"
+  }
+  ...
+}
+```
+
+### Add and read a secret
-### Add and read a secret
+### Add and retrieve a secret
-### Add and read a secret
+### Add and retrieve a secret
+
+Create a secret in the vault:
+
+```bash
+az keyvault secret set \
+  --vault-name kv-demo-localstack \
+  --name app-secret \
+  --value "super-secret-value"
+```
+
+```bash title="Output"
+{
+  "name": "app-secret",
+  "id": "https://kv-demo-localstack.localhost.localstack.cloud:4566/secrets/app-secret/d8a709f96aee4bea901bd8825f28a281",
-  "id": "https://kv-demo-localstack.localhost.localstack.cloud:4566/secrets/app-secret/d8a709f96aee4bea901bd8825f28a281",
+  "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/secrets/app-secret/d8a709f96aee4bea901bd8825f28a281",
-  "id": "https://kv-demo-localstack.localhost.localstack.cloud:4566/secrets/app-secret/d8a709f96aee4bea901bd8825f28a281",
+  "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/secrets/app-secret/d8a709f96aee4bea901bd8825f28a281",
+  "attributes": {
+    "enabled": true
+  },
+  "value": "super-secret-value"
+  ...
+}
+```
+
+Read the secret value:
-Read the secret value:
+Retrieve the secret value:
-Read the secret value:
+Retrieve the secret value:
+
+```bash
+az keyvault secret show \
+  --vault-name kv-demo-localstack \
+  --name app-secret
+```
+
+```bash title="Output"
+{
+  "name": "app-secret",
+  "id": "https://kv-demo-localstack.localhost.localstack.cloud:4566/secrets/app-secret/d8a709f96aee4bea901bd8825f28a281",
-  "id": "https://kv-demo-localstack.localhost.localstack.cloud:4566/secrets/app-secret/d8a709f96aee4bea901bd8825f28a281",
+  "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/secrets/app-secret/d8a709f96aee4bea901bd8825f28a281",
-  "id": "https://kv-demo-localstack.localhost.localstack.cloud:4566/secrets/app-secret/d8a709f96aee4bea901bd8825f28a281",
+  "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/secrets/app-secret/d8a709f96aee4bea901bd8825f28a281",
+  "attributes": {
+    "enabled": true
+  },
+  "value": "super-secret-value"
+  ...
+}
+```
+
+List all secrets in the vault:
+
+```bash
+az keyvault secret list \
+  --vault-name kv-demo-localstack
+```
+
+```bash title="Output"
+[
+  {
+    "name": "app-secret",
+    "id": "https://kv-demo-localstack.localhost.localstack.cloud:4566/secrets/app-secret"
-    "id": "https://kv-demo-localstack.localhost.localstack.cloud:4566/secrets/app-secret"
+    "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/secrets/app-secret"
-    "id": "https://kv-demo-localstack.localhost.localstack.cloud:4566/secrets/app-secret"
+    "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/secrets/app-secret"
+    ...
+  }
+]
+```
+
-
+### Add and retrieve a certificate
+
+Create a self-signed certificate:
+
+```bash
+az keyvault certificate create \
+  --vault-name kv-demo-localstack \
+  --name app-cert \
+  --policy '{"issuerParameters":{"name":"Self"},"keyProperties":{"exportable":true,"keySize":2048,"keyType":"RSA","reuseKey":true},"secretProperties":{"contentType":"application/x-pkcs12"},"x509CertificateProperties":{"subject":"CN=app-cert","validityInMonths":12}}'
+```
+
+```bash title="Output"
+{
+  ...
+  "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/certificates/app-cert/266e2f9e-414d-4098-b5b9-c0048ed1efa7",
+  "name": "app-cert",
+  ...
+  "sid": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/certificates/app-cert/266e2f9e-414d-4098-b5b9-c0048ed1efa7",
+  ...
+}
+```
+
+Retrieve the certificate:
+
+```bash
+az keyvault certificate show \
+  --vault-name kv-demo-localstack \
+  --name app-cert
+```
+
+```bash title="Output"
+{
+  ...
+  "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/certificates/app-cert/266e2f9e-414d-4098-b5b9-c0048ed1efa7",
+  "name": "app-cert",
+  ...
+  "sid": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/certificates/app-cert/266e2f9e-414d-4098-b5b9-c0048ed1efa7",
+  ...
+}
+```
+
+List all certificates in the vault:
+
+```bash
+az keyvault certificate list \
+  --vault-name kv-demo-localstack
+```
+
+```bash title="Output"
+[
+  {
+    ...
+    "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/certificates/app-cert/266e2f9e-414d-4098-b5b9-c0048ed1efa7",
+    "name": "app-cert",
+    ...
+  }
+]
+```
+
+## Features
+
+The Key Vault emulator supports the following features:
+
+- **Vault CRUD operations**: Create, update, get, list, delete, and check name availability of key vaults via the management plane.
+- **Soft delete and purge protection**: Soft-delete vaults with configurable retention period. List, get, restore, and purge soft-deleted vaults.
+- **Access policy management**: Add, remove, and replace access policies on a vault, with per-object-ID granularity for keys, secrets, certificates, and storage permissions.
+- **Secrets data plane**: Set, get, update, list, and delete secrets. Retrieve secret versions. Supports soft-delete, purge, and recovery of individual secrets.
+- **Secrets management plane**: Create, update, get, and list secrets via the Azure Resource Manager API.
+- **Certificates data plane**: Create self-signed certificates (RSA and EC key types), get, update, list, and delete certificates. Retrieve certificate versions, policies, and pending operations. Update certificate policies. Supports soft-delete, purge, and recovery of individual certificates.
+- **Certificate contacts**: Set, get, and delete certificate contacts with email and phone validation.
+- **Self-signed certificate generation**: Local generation of RSA (2048, 3072, 4096-bit) and EC (P-256, P-384, P-521) certificates in PKCS#12 and PEM formats, with configurable subject, key usage, and validity period.
+- **Bearer authorization challenge**: Implements the Key Vault authentication challenge protocol expected by Azure SDKs.
+
+## Limitations
+
+- **Key operations are not supported**: Cryptographic key management (create, import, encrypt, decrypt, sign, verify, wrap, unwrap) is not implemented.
+- **Managed HSM is not supported**: The `managedHSMs` resource type is stubbed (returns empty lists) and does not provide HSM functionality.
+- **Certificate auto-renewal is not emulated**: Lifetime actions and auto-renewal policies are stored but not executed. Certificates are not automatically renewed when they expire.
+- **Only self-signed certificates**: Only the `Self` and `Unknown` issuers are accepted. Integration with external certificate authorities (e.g., DigiCert, GlobalSign) is not supported.
+- **No RBAC authorization enforcement**: The `enableRbacAuthorization` property is stored but role-based access control is not enforced at the data plane level.
+- **Access policies are not enforced**: Access policies are stored and returned but not evaluated when accessing secrets or certificates.
+- **No private endpoint connections**: Private endpoint configuration is accepted but not enforced.
+- **No data persistence across restarts**: Vault data, secrets, and certificates are not persisted and are lost when the LocalStack emulator is stopped or restarted.
+
+## Samples
+
+The following sample demonstrates how to use Key Vault with LocalStack for Azure:
+
+- [Web App and SQL Database](https://github.com/localstack/localstack-azure-samples/tree/main/samples/web-app-sql-database/python/)
+- [ACI and Blob Storage](https://github.com/localstack/localstack-azure-samples/tree/main/samples/aci-blob-storage/python/)
-
+### Add and retrieve a certificate
+
+Create a self-signed certificate:
+
+```bash
+az keyvault certificate create \
+  --vault-name kv-demo-localstack \
+  --name app-cert \
+  --policy '{"issuerParameters":{"name":"Self"},"keyProperties":{"exportable":true,"keySize":2048,"keyType":"RSA","reuseKey":true},"secretProperties":{"contentType":"application/x-pkcs12"},"x509CertificateProperties":{"subject":"CN=app-cert","validityInMonths":12}}'
+```
+
+```bash title="Output"
+{
+  ...
+  "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/certificates/app-cert/266e2f9e-414d-4098-b5b9-c0048ed1efa7",
+  "name": "app-cert",
+  ...
+  "sid": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/certificates/app-cert/266e2f9e-414d-4098-b5b9-c0048ed1efa7",
+  ...
+}
+```
+
+Retrieve the certificate:
+
+```bash
+az keyvault certificate show \
+  --vault-name kv-demo-localstack \
+  --name app-cert
+```
+
+```bash title="Output"
+{
+  ...
+  "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/certificates/app-cert/266e2f9e-414d-4098-b5b9-c0048ed1efa7",
+  "name": "app-cert",
+  ...
+  "sid": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/certificates/app-cert/266e2f9e-414d-4098-b5b9-c0048ed1efa7",
+  ...
+}
+```
+
+List all certificates in the vault:
+
+```bash
+az keyvault certificate list \
+  --vault-name kv-demo-localstack
+```
+
+```bash title="Output"
+[
+  {
+    ...
+    "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/certificates/app-cert/266e2f9e-414d-4098-b5b9-c0048ed1efa7",
+    "name": "app-cert",
+    ...
+  }
+]
+```
+
+## Features
+
+The Key Vault emulator supports the following features:
+
+- **Vault CRUD operations**: Create, update, get, list, delete, and check name availability of key vaults via the management plane.
+- **Soft delete and purge protection**: Soft-delete vaults with configurable retention period. List, get, restore, and purge soft-deleted vaults.
+- **Access policy management**: Add, remove, and replace access policies on a vault, with per-object-ID granularity for keys, secrets, certificates, and storage permissions.
+- **Secrets data plane**: Set, get, update, list, and delete secrets. Retrieve secret versions. Supports soft-delete, purge, and recovery of individual secrets.
+- **Secrets management plane**: Create, update, get, and list secrets via the Azure Resource Manager API.
+- **Certificates data plane**: Create self-signed certificates (RSA and EC key types), get, update, list, and delete certificates. Retrieve certificate versions, policies, and pending operations. Update certificate policies. Supports soft-delete, purge, and recovery of individual certificates.
+- **Certificate contacts**: Set, get, and delete certificate contacts with email and phone validation.
+- **Self-signed certificate generation**: Local generation of RSA (2048, 3072, 4096-bit) and EC (P-256, P-384, P-521) certificates in PKCS#12 and PEM formats, with configurable subject, key usage, and validity period.
+- **Bearer authorization challenge**: Implements the Key Vault authentication challenge protocol expected by Azure SDKs.
+
+## Limitations
+
+- **Key operations are not supported**: Cryptographic key management (create, import, encrypt, decrypt, sign, verify, wrap, unwrap) is not implemented.
+- **Managed HSM is not supported**: The `managedHSMs` resource type is stubbed (returns empty lists) and does not provide HSM functionality.
+- **Certificate auto-renewal is not emulated**: Lifetime actions and auto-renewal policies are stored but not executed. Certificates are not automatically renewed when they expire.
+- **Only self-signed certificates**: Only the `Self` and `Unknown` issuers are accepted. Integration with external certificate authorities (e.g., DigiCert, GlobalSign) is not supported.
+- **No RBAC authorization enforcement**: The `enableRbacAuthorization` property is stored but role-based access control is not enforced at the data plane level.
+- **Access policies are not enforced**: Access policies are stored and returned but not evaluated when accessing secrets or certificates.
+- **No private endpoint connections**: Private endpoint configuration is accepted but not enforced.
+- **No data persistence across restarts**: Vault data, secrets, and certificates are not persisted and are lost when the LocalStack emulator is stopped or restarted.
+
+## Samples
+
+The following sample demonstrates how to use Key Vault with LocalStack for Azure:
+
+- [Web App and SQL Database](https://github.com/localstack/localstack-azure-samples/tree/main/samples/web-app-sql-database/python/)
+- [ACI and Blob Storage](https://github.com/localstack/localstack-azure-samples/tree/main/samples/aci-blob-storage/python/)
+## Limitations
+
+Key Vault keys, HSM-related operations, and getting a real certificate from an official CA are not supported.
+
+## Samples
+
+The following sample demonstrates how to use Key Vault with LocalStack for Azure:
+
+- [Azure Web App with Azure SQL Database and Azure Key Vault](https://github.com/localstack/localstack-azure-samples/tree/main/samples/web-app-sql-database/python)
+
 ## API Coverage
 
 <AzureFeatureCoverage service="Microsoft.KeyVault" client:load />