Microsoft.KeyVault vaults 2016-10-01

Template format

To create a Microsoft.KeyVault/vaults resource, add the following JSON to the resources section of your template.

{
  "name": "string",
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2016-10-01",
  "location": "string",
  "tags": {},
  "properties": {
    "tenantId": "string",
    "sku": {
      "family": "A",
      "name": "string"
    },
    "accessPolicies": [
      {
        "tenantId": "string",
        "objectId": "string",
        "applicationId": "string",
        "permissions": {
          "keys": [
            "string"
          ],
          "secrets": [
            "string"
          ],
          "certificates": [
            "string"
          ],
          "storage": [
            "string"
          ]
        }
      }
    ],
    "vaultUri": "string",
    "enabledForDeployment": "boolean",
    "enabledForDiskEncryption": "boolean",
    "enabledForTemplateDeployment": "boolean",
    "enableSoftDelete": "boolean",
    "createMode": "string",
    "enablePurgeProtection": "boolean"
  },
  "resources": []
}

Property values

The following tables describe the values you need to set in the schema.

Microsoft.KeyVault/vaults object

Note

In Bicep, type and apiVersion are specified in the first line of the resource declaration. Use the format <type>@<apiVersion>. Don't set those properties in the resource body.

Name Type Required Value
name string Yes Name of the vault
type enum Yes For JSON - Microsoft.KeyVault/vaults
apiVersion enum Yes For JSON - 2016-10-01
location string Yes The supported Azure location where the key vault should be created.
tags object No The tags that will be assigned to the key vault.
properties object Yes Properties of the vault - VaultProperties object
resources array No accessPolicies

VaultProperties object

Name Type Required Value
tenantId string Yes The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. - globally unique identifier
sku object Yes SKU details - Sku object
accessPolicies array No An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When createMode is set to recover, access policies are not required. Otherwise, access policies are required. - AccessPolicyEntry object
vaultUri string No The URI of the vault for performing operations on keys and secrets. This property is read-only.
enabledForDeployment boolean No Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
enabledForDiskEncryption boolean No Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
enabledForTemplateDeployment boolean No Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
enableSoftDelete boolean No Property specifying whether recoverable deletion is enabled for this key vault. Setting this property to true activates the soft delete feature, whereby vaults or vault entities can be recovered after deletion. Enabling this functionality is irreversible - that is, the property does not accept false as its value.
createMode enum No The vault's create mode, indicating whether the vault needs to be recovered or not. - recover or default
enablePurgeProtection boolean No Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value.

Sku object

Name Type Required Value
family enum Yes SKU family name - A
name enum Yes SKU name to specify whether the key vault is a standard vault or a premium vault. - standard or premium

AccessPolicyEntry object

Name Type Required Value
tenantId string Yes The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. - globally unique identifier
objectId string Yes The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
applicationId string No Application ID of the client making a request on behalf of a principal - globally unique identifier
permissions object Yes Permissions the identity has for keys, secrets and certificates. - Permissions object

Permissions object

Name Type Required Value
keys array No Permissions to keys - encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, purge
secrets array No Permissions to secrets - get, list, set, delete, backup, restore, recover, purge
certificates array No Permissions to certificates - get, list, delete, create, import, update, managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, recover, purge
storage array No Permissions to storage accounts - get, list, delete, set, update, regeneratekey, recover, purge, backup, restore, setsas, listsas, getsas, deletesas
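The tables above state several constraints that the service enforces but a template author can easily miss. The following pre-deployment check is an added example, not part of the Azure documentation or any Microsoft tooling; it applies those rules (access policies required unless createMode is recover, at most 1024 entries, tenant IDs matching the vault, unique objectId values, permission names from the allowed sets, enableSoftDelete and enablePurgeProtection never set to false, purge protection only meaningful with soft delete) to a vault resource. The sample resource is constructed with placeholder tenant and object IDs.

```python
# Allowed permission names, exactly as listed in the Permissions object table above.
ALLOWED = {
    "keys": {"encrypt", "decrypt", "wrapKey", "unwrapKey", "sign", "verify", "get", "list",
             "create", "update", "import", "delete", "backup", "restore", "recover", "purge"},
    "secrets": {"get", "list", "set", "delete", "backup", "restore", "recover", "purge"},
    "certificates": {"get", "list", "delete", "create", "import", "update", "managecontacts",
                     "getissuers", "listissuers", "setissuers", "deleteissuers",
                     "manageissuers", "recover", "purge"},
    "storage": {"get", "list", "delete", "set", "update", "regeneratekey", "recover", "purge",
                "backup", "restore", "setsas", "listsas", "getsas", "deletesas"},
}

def check_vault(resource):
    # Returns a list of human-readable findings; an empty list means every rule passed.
    findings = []
    props = resource.get("properties", {})
    policies = props.get("accessPolicies", [])
    if props.get("createMode") != "recover" and not policies:
        findings.append("accessPolicies is required unless createMode is 'recover'")
    if len(policies) > 1024:
        findings.append("accessPolicies may hold at most 1024 entries")
    seen = set()  # objectId must be unique within the access-policy list
    for i, p in enumerate(policies):
        if p.get("tenantId") != props.get("tenantId"):
            findings.append(f"accessPolicies[{i}]: tenantId differs from the vault tenantId")
        if p.get("objectId") in seen:
            findings.append(f"accessPolicies[{i}]: objectId {p.get('objectId')} is not unique")
        seen.add(p.get("objectId"))
        for kind, granted in p.get("permissions", {}).items():
            bad = sorted(set(granted) - ALLOWED.get(kind, set()))
            if bad:
                findings.append(f"accessPolicies[{i}]: unknown {kind} permissions {bad}")
    for flag in ("enableSoftDelete", "enablePurgeProtection"):
        if props.get(flag) is False:  # both settings are irreversible: false is not accepted
            findings.append(f"{flag}: false is not an accepted value")
    if props.get("enablePurgeProtection") and not props.get("enableSoftDelete"):
        findings.append("enablePurgeProtection is effective only if enableSoftDelete is true")
    return findings

# Constructed sample resource with placeholder IDs (not real tenant or object IDs).
TENANT = "00000000-0000-0000-0000-000000000001"
SAMPLE_VAULT = {
    "name": "kv-sample", "type": "Microsoft.KeyVault/vaults", "apiVersion": "2016-10-01",
    "location": "westeurope", "properties": {
        "tenantId": TENANT, "sku": {"family": "A", "name": "standard"},
        "enableSoftDelete": False, "enablePurgeProtection": True,
        "accessPolicies": [
            {"tenantId": TENANT, "objectId": "obj-1", "permissions": {"secrets": ["get", "list"]}},
            {"tenantId": "other-tenant", "objectId": "obj-1", "permissions": {"keys": ["get", "all"]}}]}}
```

Running check_vault(SAMPLE_VAULT) reports five findings: the second policy's foreign tenant, its duplicate objectId and its unknown "all" permission, plus the rejected enableSoftDelete value and the purge-protection setting that cannot take effect without soft delete.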

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description

Create a new encrypted Windows VM from gallery image
This template creates a new encrypted Windows VM using the Server 2k12 gallery image.

Create a new encrypted managed disks Windows VM from gallery image
This template creates a new encrypted managed disks Windows VM using the Server 2k12 gallery image.

This template encrypts a running Windows VMSS
This template enables encryption on a running Windows VM Scale Set.

Enable encryption on a running Windows VM
This template enables encryption on a running Windows VM.

Create and encrypt a new Windows VMSS with jumpbox
This template allows you to deploy a simple VM Scale Set of Windows VMs using the latest patched version of several Windows versions. It also deploys a jumpbox with a public IP address in the same virtual network. You can connect to the jumpbox via this public IP address, then connect from there to VMs in the scale set via private IP addresses. This template enables encryption on the VM Scale Set of Windows VMs.

AKS cluster with the Application Gateway Ingress Controller
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault.

Continuous Deployment to VM Scale Sets using Spinnaker
This template allows you to install Spinnaker on a VM or on AKS. Specifically, for the VM scenario you can deploy and configure a DevOps pipeline from an Aptly repository to a VM Scale Set in Azure.

Azure Machine Learning Workspace
This template creates a new Azure Machine Learning Workspace, along with an encrypted Storage Account, KeyVault and Application Insights logging.

Create a KeyVault
This module allows you to create a KeyVault.

Create an API Management service with SSL from KeyVault
This template deploys an API Management service configured with a User Assigned Identity. It uses this identity to fetch an SSL certificate from KeyVault and keeps it updated by checking every 4 hours.
Create an Azure Key Vault and a secret
This template creates an Azure Key Vault and a secret.

Connect to a Key Vault via private endpoint
This sample shows how to configure a virtual network and private DNS zone to access Key Vault via a private endpoint.

Create a Key Vault and a list of secrets
This template creates a Key Vault and a list of secrets within the key vault, as passed along with the parameters.

Create Key Vault with logging enabled
This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources.

Advanced template for Azure Machine Learning workspace
A template that creates an Azure Machine Learning workspace with private endpoints and resources behind a VNET.

Create an Azure Machine Learning service workspace
This template creates an Azure Machine Learning service workspace.

Create AML workspace with multiple Datasets & Datastores
This template creates an Azure Machine Learning workspace with multiple datasets and datastores.

Create an AKS compute target with a Private IP address
This template creates an AKS compute target in a given Azure Machine Learning service workspace with a private IP address.

Create an Application Gateway V2 with Key Vault
This template deploys an Application Gateway V2 in a Virtual Network, a user-defined identity, Key Vault, a secret (cert data), and an access policy on Key Vault and Application Gateway.

Testing environment for Azure Firewall Premium
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Detection and Prevention (IDPS), TLS inspection and Web Category filtering.

App Service Environment with Azure SQL backend
This template creates an App Service Environment with an Azure SQL backend, private endpoints and the associated resources typically used in a private/isolated environment.

SAS 9.4 and Viya Quickstart Template for Azure
The SAS® 9.4 and Viya QuickStart Template for Azure deploys these products on the cloud: SAS® Enterprise BI Server 9.4, SAS® Enterprise Miner 15.1, and SAS® Visual Analytics 8.5 on Linux, and SAS® Visual Data Mining and Machine Learning 8.5 on Linux for Viya. This QuickStart is a reference architecture for users who want to deploy the combination of SAS® 9.4 and Viya on Azure using cloud-friendly technologies. By deploying the SAS® platform on Azure, you get an integrated environment of SAS® 9.4 and Viya environments so you can take advantage of both worlds. SAS® Viya is a cloud-enabled, in-memory analytics engine. It uses elastic, scalable, and fault-tolerant processing to address complex analytical challenges. SAS® Viya provides faster processing for analytics by using a standardized code base that supports programming in SAS®, Python, R, Java, and Lua. It also supports cloud, on-premises, or hybrid environments and deploys seamlessly to any infrastructure or application ecosystem.