Exam AZ-204 topic 4 question 15 discussion

Answer looks correct

Question does not explain where the variables come from... Assuming I set the variables myself (as a "side effect" of the command), the solution below does make sense: 1. Get-AzSubscription 2. Set-AzContext –SubscriptionId $subscriptionID 3. Get-AzKeyVaultSecret –VaultName $vaultName 4. Get-AzStorageAccountKey –ResourceGroupName $resGroup –Name $storAcct 5. $secretvalue = ConvertTo-SecureString $storAcctkey –AsPlainText –Force Set-AzKeyVaultSecret –VaultName $vaultName –Name $secretName –SecretValue $secretvalue

correct

https://learn.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation-dual?tabs=azurepowershell#add-storage-account-access-key-to-key-vault-secrets

Given Answer is correct only. "Get-AzKeyVaultSecret -VaultName $vaultName" is just to make sure that we stored the key in vault (verification/double check). Placing this command anywhere else in the order does not make any sense.

Given answer us correct

I believe the assignment wants to select a proper subscription, then to retrieve the storage account key, then to store this key into the KeyVault and finally to check the secret was inserted properly. So: 1. Get-AzSubscription ($subscriptionID = (...).SubscriptionName) 2. Set-AzContext 3. Get-AzStorageAccountKey ($storAcctkey = "(...)[0].Value") 4. ConvertTo-SecureString, Set-AzKeyVaultSecret 5. Get-AzKeyVaultSecret (list the secrets stored in the KeyVault - check only)

Does the question miss some part? Why it has to save the key before retrieval? No where in the question mentioned that ... First two Get-AzSubscription Set-AzContext –SubscriptionId $subscriptionID are absolutely correct, since there are two subscriptions, you have to point to the correct one ... but I am confused with 3, 4, 5 steps, what are those?

correct.

Agree with some people saying the question and picture does not make sense. The question only says how to retrieve the secret from Key Vault. Based on the options, we also have to retrieve the value and insert it to Key Vault first. The question/picture lacks information based on what we have.

Is this question actually on the exam? Even the url provided to explain the answer says this code is meant to cycle the storage keys stored in the vault not retrieve a key from the vault. Either the question is wrong or the answer is wrong.

I agree, the question does not match the options to give the answer. If the question was to store the account key to the key vault and then retrieve it from the key vault, the answer would be correct.

The question is: How to get secret from key vault, when there are two subscriptions available? Available components(in order of boxes): 1. converting $storageAcctkey to secure string and storing az secret with name $secretName 2. getting storage accout key from storage account (but without storing to variable $storageAcctkey) 3. setting subscription context for use in current session (https://docs.microsoft.com/en-us/powershell/module/az.accounts/set-azcontext?view=azps-5.1.0) 4. list secrets in the vault 5. list subscriptions available So for retrieving secret we (I think) need 5,3,4 and we need also SecureStringToBSTR (https://docs.microsoft.com/cs-cz/azure/key-vault/secrets/quick-create-powershell). However the question seems to require using all actions available. Is the question text really matching the picture?