Microsoft.KeyVault vaults/accessPolicies 2018-02-14

Template format

To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following JSON to the resources section of your template.

{
  "name": "string",
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "apiVersion": "2018-02-14",
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "string",
        "objectId": "string",
        "applicationId": "string",
        "permissions": {
          "keys": [
            "string"
          ],
          "secrets": [
            "string"
          ],
          "certificates": [
            "string"
          ],
          "storage": [
            "string"
          ]
        }
      }
    ]
  }
}

Property values

The following tables describe the values you need to set in the schema.

Microsoft.KeyVault/vaults/accessPolicies object

Note

In Bicep, type and apiVersion are specified in the first line of the resource declaration. Use the format <type>@<apiVersion>. Don't set those properties in the resource body.

Name Type Required Value
name enum Yes add, replace, remove
type enum Yes For JSON - accessPolicies -or- Microsoft.KeyVault/vaults/accessPolicies. See Set name and type for child resources.
apiVersion enum Yes For JSON - 2018-02-14
properties object Yes Properties of the access policy - VaultAccessPolicyProperties object

VaultAccessPolicyProperties object

Name Type Required Value
accessPolicies array Yes An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. - AccessPolicyEntry object

AccessPolicyEntry object

Name Type Required Value
tenantId string Yes The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. - globally unique identifier
objectId string Yes The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
applicationId string No Application ID of the client making a request on behalf of a principal - globally unique identifier
permissions object Yes Permissions the identity has for keys, secrets and certificates. - Permissions object

Permissions object

Name Type Required Value
keys array No Permissions to keys - encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, purge
secrets array No Permissions to secrets - get, list, set, delete, backup, restore, recover, purge
certificates array No Permissions to certificates - get, list, delete, create, import, update, managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, recover, purge, backup, restore
storage array No Permissions to storage accounts - get, list, delete, set, update, regeneratekey, recover, purge, backup, restore, setsas, listsas, getsas, deletesas
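As an added example (not from the Azure docs, an ARM tool or any Microsoft SDK), a small offline lint that checks a template's accessPolicies resource against the constraints in the tables above before it is deployed: the name enum, the 0 to 16 entry limit, a single tenant ID, unique objectId values and the permission enums. The resource is assumed to be the parsed JSON dict of one resource, vault_tenant_id the vault's own tenant GUID; the purge warning is my own hygiene heuristic, not a schema rule.

```python
import uuid

# Permission enums from the Permissions object table (compared lowercase).
ALLOWED = {cat: set(names.split()) for cat, names in {
    "keys": "encrypt decrypt wrapkey unwrapkey sign verify get list create "
            "update import delete backup restore recover purge",
    "secrets": "get list set delete backup restore recover purge",
    "certificates": "get list delete create import update managecontacts getissuers "
                    "listissuers setissuers deleteissuers manageissuers recover "
                    "purge backup restore",
    "storage": "get list delete set update regeneratekey recover purge backup "
               "restore setsas listsas getsas deletesas",
}.items()}

def _is_guid(value):
    try:
        return isinstance(value, str) and uuid.UUID(value) is not None
    except ValueError:
        return False

def lint_access_policies(resource, vault_tenant_id):
    """Return findings for one accessPolicies resource; [] means it passes."""
    findings = []
    if resource.get("name") not in {"add", "replace", "remove"}:
        findings.append("name must be one of add, replace, remove")
    entries = resource.get("properties", {}).get("accessPolicies")
    if not isinstance(entries, list) or len(entries) > 16:
        return findings + ["accessPolicies must be an array of 0 to 16 entries"]
    seen = set()
    for i, e in enumerate(entries):
        where = f"accessPolicies[{i}]"
        if e.get("tenantId") != vault_tenant_id:
            findings.append(f"{where}: tenantId must equal the vault's tenant ID")
        if not _is_guid(e.get("objectId")):
            findings.append(f"{where}: objectId must be a GUID")
        elif e["objectId"] in seen:
            findings.append(f"{where}: duplicate objectId {e['objectId']}")
        seen.add(e.get("objectId"))
        if not isinstance(e.get("permissions"), dict):
            findings.append(f"{where}: permissions object is required")
            continue
        for cat, values in e["permissions"].items():
            bad = sorted(v for v in values if v.lower() not in ALLOWED.get(cat, ()))
            if bad:
                findings.append(f"{where}: invalid {cat} permissions {bad}")
            # Hygiene heuristic (mine, not a schema rule): purge is irreversible.
            if any(v.lower() == "purge" for v in values):
                findings.append(f"{where}: {cat} grants purge")
    return findings
```

Run it over each accessPolicies resource in a template (for example from a CI step that loads the template with json.load) and fail the pipeline when the returned list is not empty.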

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Deploy Data Lake Store account with encryption (Key Vault) - This template allows you to deploy an Azure Data Lake Store account with data encryption enabled. This account uses Azure Key Vault to manage the encryption key.
Deploy an Azure Databricks Workspace and configure CMK - This template allows you to create an Azure Databricks workspace and configure CMK.
User assigned identity role assignment template - A template that creates role assignments of a user assigned identity on resources that an Azure Machine Learning workspace depends on.
Add KeyVault Access Policy - Add an access policy to an existing KeyVault without removing existing policies.
Create an Azure SQL Server, with data encryption protector - This template creates an Azure SQL server and activates the data encryption protector using a given key stored in a given Key Vault.