Microsoft.KeyVault vaults

The vaults resource type can be deployed to: Resource groups.

To learn about resource group deployments, see Bicep or ARM template.

Template format

To create a Microsoft.KeyVault/vaults resource, add the following Bicep or JSON to your template.

resource symbolicname 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  properties: {
    accessPolicies: [
      {
        applicationId: 'string'
        objectId: 'string'
        permissions: {
          certificates: [ 'string' ]
          keys: [ 'string' ]
          secrets: [ 'string' ]
          storage: [ 'string' ]
        }
        tenantId: 'string'
      }
    ]
    createMode: 'string'
    enabledForDeployment: bool
    enabledForDiskEncryption: bool
    enabledForTemplateDeployment: bool
    enablePurgeProtection: bool
    enableRbacAuthorization: bool
    enableSoftDelete: bool
    networkAcls: {
      bypass: 'string'
      defaultAction: 'string'
      ipRules: [
        {
          value: 'string'
        }
      ]
      virtualNetworkRules: [
        {
          id: 'string'
          ignoreMissingVnetServiceEndpoint: bool
        }
      ]
    }
    provisioningState: 'string'
    publicNetworkAccess: 'string'
    sku: {
      family: 'A'
      name: 'string'
    }
    softDeleteRetentionInDays: int
    tenantId: 'string'
    vaultUri: 'string'
  }
}
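The skeleton above lists every property but does not show which combination a security engineer would actually deploy. The following Bicep is an added example, not from this reference page: a vault that authorizes data actions with Azure RBAC (so the accessPolicies array is left empty and ignored), keeps soft delete and purge protection on, disables the platform integrations it does not need, and fronts the data plane with a deny-by-default firewall. The parameter names, the subnet and principal inputs, and the Microsoft.Authorization/roleAssignments resource with the built-in "Key Vault Secrets User" role ID are assumptions for illustration and are not described on this page.

```bicep
// Added example (not from the reference page): a hardened vault using the
// RBAC authorization model. Parameter names and inputs are assumptions.
@description('Object ID of the workload identity that must read secrets.')
param readerPrincipalId string

@description('Subnet allowed through the vault firewall (assumed to have the Microsoft.KeyVault service endpoint).')
param allowedSubnetId string

@description('Operator IPv4 CIDR ranges allowed through the vault firewall; none by default.')
param allowedCidrs array = []

param location string = resourceGroup().location
param vaultName string = 'kv-${uniqueString(resourceGroup().id)}'

// Built-in role "Key Vault Secrets User" (get/list on secrets). Assumed ID;
// verify against the built-in role list in your tenant before relying on it.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    // Data-plane authorization via Azure RBAC. With this set to true the
    // accessPolicies array is ignored, so it is left empty on purpose.
    enableRbacAuthorization: true
    accessPolicies: []
    // Soft delete is on by default for new vaults; stating it explicitly and
    // adding purge protection makes deletion recoverable and non-purgeable.
    // Purge protection cannot be switched off again once enabled.
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true
    // Grant only the platform integrations that are actually needed.
    enabledForDeployment: false
    enabledForDiskEncryption: false
    enabledForTemplateDeployment: false
    // Firewall: deny by default, no trusted-service bypass, explicit allow list.
    // publicNetworkAccess 'disabled' would override these rules (only private
    // endpoint and trusted-service traffic would be accepted), so it stays
    // 'enabled' here and the rule set does the filtering.
    publicNetworkAccess: 'enabled'
    networkAcls: {
      bypass: 'None'
      defaultAction: 'Deny'
      ipRules: [for cidr in allowedCidrs: {
        value: cidr
      }]
      virtualNetworkRules: [
        {
          id: allowedSubnetId
          ignoreMissingVnetServiceEndpoint: false
        }
      ]
    }
  }
}

// RBAC grant scoped to this vault only: read secrets, no key or certificate rights.
resource secretsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, readerPrincipalId, keyVaultSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: readerPrincipalId
    principalType: 'ServicePrincipal'
  }
}

output vaultUri string = kv.properties.vaultUri
```

Two points worth checking after deployment: the firewall only filters when publicNetworkAccess is 'enabled' (setting it to 'disabled' discards the rules, as the property table notes), and the role assignment is scoped to the vault resource rather than the resource group, so the identity gains nothing on neighbouring vaults.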

Property values

vaults

Name Description Value
type The resource type

For Bicep, set this value in the resource declaration.
'Microsoft.KeyVault/vaults'
apiVersion The resource api version

For Bicep, set this value in the resource declaration.
'2021-06-01-preview'
name The resource name string (required)
location Azure location of the key vault resource. string (required)
tags Tags assigned to the key vault resource. Dictionary of tag names and values. See Tags in templates
properties Properties of the vault VaultProperties (required)

VaultProperties

Name Description Value
accessPolicies An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When createMode is set to recover, access policies are not required. Otherwise, access policies are required. AccessPolicyEntry[]
createMode The vault's create mode, indicating whether the vault needs to be recovered or not. 'default'
'recover'
enabledForDeployment Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. bool
enabledForDiskEncryption Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. bool
enabledForTemplateDeployment Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. bool
enablePurgeProtection Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value. bool
enableRbacAuthorization Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. bool
enableSoftDelete Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false. bool
networkAcls A set of rules governing the network accessibility of a vault. NetworkRuleSet
provisioningState Provisioning state of the vault. 'RegisteringDns'
'Succeeded'
publicNetworkAccess Property to specify whether the vault will accept traffic from the public internet. If set to 'disabled', all traffic except private endpoint traffic and traffic that originates from trusted services will be blocked. This overrides the configured firewall rules: even if firewall rules are present, they will not be honored. string
sku SKU details Sku (required)
softDeleteRetentionInDays softDelete data retention days. It accepts values >=7 and <=90. int
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string (required)
vaultUri The URI of the vault for performing operations on keys and secrets. string

AccessPolicyEntry

Name Description Value
applicationId Application ID of the client making request on behalf of a principal string
objectId The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. string (required)
permissions Permissions the identity has for keys, secrets, certificates and storage. Permissions (required)
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string (required)

Permissions

Name Description Value
certificates Permissions to certificates String array containing any of:
'all'
'backup'
'create'
'delete'
'deleteissuers'
'get'
'getissuers'
'import'
'list'
'listissuers'
'managecontacts'
'manageissuers'
'purge'
'recover'
'restore'
'setissuers'
'update'
keys Permissions to keys String array containing any of:
'all'
'backup'
'create'
'decrypt'
'delete'
'encrypt'
'get'
'import'
'list'
'purge'
'recover'
'release'
'restore'
'sign'
'unwrapKey'
'update'
'verify'
'wrapKey'
secrets Permissions to secrets String array containing any of:
'all'
'backup'
'delete'
'get'
'list'
'purge'
'recover'
'restore'
'set'
storage Permissions to storage accounts String array containing any of:
'all'
'backup'
'delete'
'deletesas'
'get'
'getsas'
'list'
'listsas'
'purge'
'recover'
'regeneratekey'
'restore'
'set'
'setsas'
'update'
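Where a vault cannot use RBAC and must rely on the access-policy model, the permission lists above are the whole authorization surface for data actions, and 'all' or 'purge' in a policy is usually more than an identity needs. The following Bicep is an added example, not from this reference page: a vault with enableRbacAuthorization left false and two access-policy entries holding explicit, minimal permission lists. The two object IDs are assumed parameters (a workload service principal and an operator security group) and must belong to the vault's tenant, as the AccessPolicyEntry table requires.

```bicep
// Added example (not from the reference page): a vault that authorizes data
// actions with access policies, each holding an explicit, minimal permission
// list. Both object IDs are assumed inputs and must be in the vault's tenant.
param appPrincipalObjectId string
param operatorsGroupObjectId string
param location string = resourceGroup().location

var tenant = subscription().tenantId

resource kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
  name: 'kv-ap-${uniqueString(resourceGroup().id)}'
  location: location
  properties: {
    tenantId: tenant
    sku: {
      family: 'A'
      name: 'standard'
    }
    // false (the default) means the entries below are what authorizes data
    // actions; management actions are still governed by Azure RBAC.
    enableRbacAuthorization: false
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true
    // objectId must be unique across the array: one entry per identity.
    accessPolicies: [
      {
        // Runtime identity: read the secrets it is told about, nothing else.
        // No 'list' (no enumeration), no 'all', no key or certificate rights.
        tenantId: tenant
        objectId: appPrincipalObjectId
        permissions: {
          secrets: [
            'get'
          ]
          keys: []
          certificates: []
          storage: []
        }
      }
      {
        // Operators: lifecycle of secrets and keys. 'purge' is deliberately
        // absent so the policy cannot defeat soft delete, and 'decrypt',
        // 'sign' and 'unwrapKey' are absent so operators manage keys without
        // being able to use them.
        tenantId: tenant
        objectId: operatorsGroupObjectId
        permissions: {
          secrets: [
            'get'
            'list'
            'set'
            'delete'
            'recover'
            'backup'
            'restore'
          ]
          keys: [
            'get'
            'list'
            'create'
            'update'
            'delete'
            'recover'
            'backup'
            'restore'
          ]
          certificates: [
            'get'
            'list'
          ]
          storage: []
        }
      }
    ]
  }
}

output vaultUri string = kv.properties.vaultUri
```

The split between "manage" and "use" permissions on keys is the point: an operator who can create, rotate and back up keys but cannot sign, decrypt or unwrap with them cannot turn a compromised operator account into a signing or decryption oracle.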

NetworkRuleSet

Name Description Value
bypass Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. 'AzureServices'
'None'
defaultAction The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. 'Allow'
'Deny'
ipRules The list of IP address rules. IPRule[]
virtualNetworkRules The list of virtual network rules. VirtualNetworkRule[]

IPRule

Name Description Value
value An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). string (required)

VirtualNetworkRule

Name Description Value
id Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. string (required)
ignoreMissingVnetServiceEndpoint Property to specify whether the Network Resource Provider (NRP) will skip the check that the parent subnet has the Microsoft.KeyVault service endpoint configured. bool

Sku

Name Description Value
family SKU family name 'A'
name SKU name to specify whether the key vault is a standard vault or a premium vault. 'premium'
'standard'

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description

SAS 9.4 and Viya Quickstart Template for Azure
The SAS® 9.4 and Viya QuickStart Template for Azure deploys these products on the cloud: SAS® Enterprise BI Server 9.4, SAS® Enterprise Miner 15.1, and SAS® Visual Analytics 8.5 on Linux, and SAS® Visual Data Mining and Machine Learning 8.5 on Linux for Viya. This QuickStart is a reference architecture for users who want to deploy the combination of SAS® 9.4 and Viya on Azure using cloud-friendly technologies. By deploying the SAS® platform on Azure, you get an integrated environment of SAS® 9.4 and Viya so you can take advantage of both worlds. SAS® Viya is a cloud-enabled, in-memory analytics engine. It uses elastic, scalable, and fault-tolerant processing to address complex analytical challenges. SAS® Viya provides faster processing for analytics by using a standardized code base that supports programming in SAS®, Python, R, Java, and Lua. It also supports cloud, on-premises, or hybrid environments and deploys seamlessly to any infrastructure or application ecosystem.

Create a Private AKS Cluster with a Public DNS Zone
This sample shows how to deploy a private AKS cluster with a public DNS zone.

Azure Machine Learning Workspace
This template creates a new Azure Machine Learning workspace, along with an encrypted storage account, a Key Vault and Application Insights logging.

Create a KeyVault
This module allows you to create a Key Vault.

Create an API Management service with SSL from KeyVault
This template deploys an API Management service configured with a user-assigned identity. It uses this identity to fetch the SSL certificate from Key Vault and keeps it updated by checking every 4 hours.

Create a new encrypted Windows VM from gallery image
This template creates a new encrypted Windows VM using the Windows Server 2012 gallery image.

Create new encrypted managed disks Windows VM from gallery image
This template creates a new encrypted managed-disks Windows VM using the Windows Server 2012 gallery image.

This template encrypts a running Windows VMSS
This template enables encryption on a running Windows VM scale set.

Enable encryption on a running Windows VM
This template enables encryption on a running Windows VM.

Create and encrypt a new Windows VMSS with jumpbox
This template allows you to deploy a simple VM scale set of Windows VMs using the latest patched version of several Windows versions. This template also deploys a jumpbox with a public IP address in the same virtual network. You can connect to the jumpbox via this public IP address, then connect from there to VMs in the scale set via private IP addresses. This template enables encryption on the VM scale set of Windows VMs.

Create an Azure Key Vault and a secret
This template creates an Azure Key Vault and a secret.

Connect to a Key Vault via private endpoint
This sample shows how to configure a virtual network and private DNS zone to access Key Vault via a private endpoint.

Create a Key Vault and a list of secrets
This template creates a Key Vault and a list of secrets within the Key Vault, as passed in the parameters.

Create Key Vault with logging enabled
This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources.

Advanced template for Azure Machine Learning workspace
A template that creates an Azure Machine Learning workspace with private endpoints and resources behind a VNet.

Create an Azure Machine Learning service workspace
This template creates an Azure Machine Learning service workspace.

Create AML workspace with multiple Datasets & Datastores
This template creates an Azure Machine Learning workspace with multiple datasets and datastores.

Create an AKS compute target with a Private IP address
This template creates an AKS compute target in a given Azure Machine Learning service workspace with a private IP address.

AKS cluster with the Application Gateway Ingress Controller
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault.

Create an Application Gateway V2 with Key Vault
This template deploys an Application Gateway V2 in a virtual network, a user-defined identity, a Key Vault, a secret (certificate data), and an access policy on Key Vault and Application Gateway.

Testing environment for Azure Firewall Premium
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as intrusion detection and prevention (IDPS), TLS inspection and web category filtering.

App Service Environment with Azure SQL backend
This template creates an App Service Environment with an Azure SQL backend, private endpoints, and the associated resources typically used in a private/isolated environment.