Microsoft.KeyVault vaults 2019-09-01

Template format

To create a Microsoft.KeyVault/vaults resource, add the following JSON to the resources section of your template.

{
  "name": "string",
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2019-09-01",
  "location": "string",
  "tags": {},
  "properties": {
    "tenantId": "string",
    "sku": {
      "family": "A",
      "name": "string"
    },
    "accessPolicies": [
      {
        "tenantId": "string",
        "objectId": "string",
        "applicationId": "string",
        "permissions": {
          "keys": [
            "string"
          ],
          "secrets": [
            "string"
          ],
          "certificates": [
            "string"
          ],
          "storage": [
            "string"
          ]
        }
      }
    ],
    "vaultUri": "string",
    "enabledForDeployment": "boolean",
    "enabledForDiskEncryption": "boolean",
    "enabledForTemplateDeployment": "boolean",
    "enableSoftDelete": "boolean",
    "softDeleteRetentionInDays": "integer",
    "enableRbacAuthorization": "boolean",
    "createMode": "string",
    "enablePurgeProtection": "boolean",
    "networkAcls": {
      "bypass": "string",
      "defaultAction": "string",
      "ipRules": [
        {
          "value": "string"
        }
      ],
      "virtualNetworkRules": [
        {
          "id": "string"
        }
      ]
    }
  },
  "resources": []
}

Property values

The following tables describe the values you need to set in the schema.

Microsoft.KeyVault/vaults object

Name Type Required Value
name string Yes Name of the vault
type enum Yes Microsoft.KeyVault/vaults
apiVersion enum Yes 2019-09-01
location string Yes The supported Azure location where the key vault should be created.
tags object No The tags that will be assigned to the key vault.
properties object Yes Properties of the vault - VaultProperties object
resources array No privateEndpointConnections accessPolicies

VaultProperties object

Name Type Required Value
tenantId string Yes The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. - globally unique identifier
sku object Yes SKU details - Sku object
accessPolicies array No An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When createMode is set to recover, access policies are not required. Otherwise, access policies are required. - AccessPolicyEntry object
vaultUri string No The URI of the vault for performing operations on keys and secrets.
enabledForDeployment boolean No Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
enabledForDiskEncryption boolean No Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
enabledForTemplateDeployment boolean No Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
enableSoftDelete boolean No Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it is not set to any value (true or false) when creating a new key vault, it is set to true by default. Once set to true, it cannot be reverted to false.
softDeleteRetentionInDays integer No Soft delete data retention period in days. Accepted values are 7 to 90 inclusive (>=7 and <=90).
enableRbacAuthorization boolean No Property that controls how data actions are authorized. When true, the key vault uses Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties are ignored (warning: this is a preview feature). When false, the key vault uses the access policies specified in vault properties, and any policy stored on Azure Resource Manager is ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC.
createMode enum No The vault's create mode, indicating whether the vault needs to be recovered or not. - recover or default
enablePurgeProtection boolean No Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value.
networkAcls object No Rules governing the accessibility of the key vault from specific network locations. - NetworkRuleSet object

Sku object

Name Type Required Value
family enum Yes SKU family name - A
name enum Yes SKU name to specify whether the key vault is a standard vault or a premium vault. - standard or premium

AccessPolicyEntry object

Name Type Required Value
tenantId string Yes The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. - globally unique identifier
objectId string Yes The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
applicationId string No Application ID of the client making a request on behalf of a principal - globally unique identifier
permissions object Yes Permissions the identity has for keys, secrets and certificates. - Permissions object

NetworkRuleSet object

Name Type Required Value
bypass enum No Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. - AzureServices or None
defaultAction enum No The default action taken when no rule from ipRules or virtualNetworkRules matches. This is only evaluated after the bypass property has been applied. - Allow or Deny
ipRules array No The list of IP address rules. - IPRule object
virtualNetworkRules array No The list of virtual network rules. - VirtualNetworkRule object

Permissions object

Name Type Required Value
keys array No Permissions to keys - encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, purge
secrets array No Permissions to secrets - get, list, set, delete, backup, restore, recover, purge
certificates array No Permissions to certificates - get, list, delete, create, import, update, managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, recover, purge, backup, restore
storage array No Permissions to storage accounts - get, list, delete, set, update, regeneratekey, recover, purge, backup, restore, setsas, listsas, getsas, deletesas

IPRule object

Name Type Required Value
value string Yes An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78).

VirtualNetworkRule object

Name Type Required Value
id string Yes Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'.
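The tables above list the deletion-safety settings (enableSoftDelete, softDeleteRetentionInDays, enablePurgeProtection), the authorization model (enableRbacAuthorization, accessPolicies with their tenant and permission constraints) and the network rule set (defaultAction, ipRules). The following Python linter, an added example that is not part of this reference or of any Microsoft tooling, reads an ARM template and reports the weak or invalid combinations those tables describe. The template, tenant IDs and object IDs are constructed placeholders.

```python
"""Lint Microsoft.KeyVault/vaults resources in an ARM template for weak settings.
Added example; not Microsoft code. Checks follow the VaultProperties, AccessPolicyEntry,
NetworkRuleSet, Permissions and IPRule tables of the 2019-09-01 reference."""
import ipaddress
import json

# Allowed permission values per object type, copied from the Permissions object table.
ALLOWED_PERMISSIONS = {
    "keys": {"encrypt", "decrypt", "wrapKey", "unwrapKey", "sign", "verify", "get", "list",
             "create", "update", "import", "delete", "backup", "restore", "recover", "purge"},
    "secrets": {"get", "list", "set", "delete", "backup", "restore", "recover", "purge"},
    "certificates": {"get", "list", "delete", "create", "import", "update", "managecontacts",
                     "getissuers", "listissuers", "setissuers", "deleteissuers", "manageissuers",
                     "recover", "purge", "backup", "restore"},
    "storage": {"get", "list", "delete", "set", "update", "regeneratekey", "recover", "purge",
                "backup", "restore", "setsas", "listsas", "getsas", "deletesas"},
}


def check_vault(resource):
    """Return a list of finding strings for one Microsoft.KeyVault/vaults resource."""
    findings = []
    props = resource.get("properties", {})
    policies = props.get("accessPolicies") or []

    # Deletion safety: soft delete defaults to true, purge protection is opt-in.
    if props.get("enableSoftDelete") is False:
        findings.append("enableSoftDelete is false: deleted objects cannot be recovered")
    if props.get("enablePurgeProtection") is not True:
        findings.append("enablePurgeProtection not set: soft-deleted objects can be purged")
    days = props.get("softDeleteRetentionInDays")
    if days is not None and not 7 <= days <= 90:
        findings.append(f"softDeleteRetentionInDays {days} outside the accepted 7..90 range")

    # Authorization model: RBAC ignores access policies; otherwise policies are required
    # unless the vault is being recovered.
    rbac = props.get("enableRbacAuthorization") is True
    if rbac and policies:
        findings.append("enableRbacAuthorization is true, so accessPolicies are ignored")
    if not rbac and not policies and props.get("createMode") != "recover":
        findings.append("accessPolicies is empty and createMode is not 'recover'")
    if len(policies) > 1024:
        findings.append("more than 1024 access policies")

    seen_objects = set()
    for i, policy in enumerate(policies):
        if policy.get("tenantId") != props.get("tenantId"):
            findings.append(f"accessPolicies[{i}] tenantId differs from the vault tenantId")
        oid = policy.get("objectId")
        if oid in seen_objects:
            findings.append(f"accessPolicies[{i}] duplicates objectId {oid}")
        seen_objects.add(oid)
        for plane, granted in policy.get("permissions", {}).items():
            allowed = ALLOWED_PERMISSIONS.get(plane)
            if allowed is None:
                findings.append(f"accessPolicies[{i}] uses unknown permission set '{plane}'")
                continue
            unknown = set(granted) - allowed
            if unknown:
                findings.append(f"accessPolicies[{i}] {plane}: unknown permissions {sorted(unknown)}")
            if "purge" in granted:  # purge is irreversible; grant it only where really needed
                findings.append(f"accessPolicies[{i}] {plane}: grants 'purge'")

    # Network exposure: no rule set, or defaultAction Allow, means any network location.
    acls = props.get("networkAcls")
    if acls is None:
        findings.append("networkAcls missing: vault reachable from any network")
    else:
        if acls.get("defaultAction") != "Deny":
            findings.append("networkAcls.defaultAction is not 'Deny'")
        for rule in acls.get("ipRules", []):
            try:
                if ipaddress.ip_network(rule.get("value", ""), strict=False).version != 4:
                    raise ValueError
            except ValueError:
                findings.append(f"ipRules value {rule.get('value')!r} is not an IPv4 address or CIDR")
    return findings


def lint_template(template_json):
    """Map each Key Vault resource name in an ARM template (JSON text) to its findings."""
    template = json.loads(template_json)
    return {r["name"]: check_vault(r) for r in template.get("resources", [])
            if r.get("type") == "Microsoft.KeyVault/vaults"}


# Constructed sample template: one weak vault and one hardened vault (placeholder IDs).
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"name": "kv-weak", "type": "Microsoft.KeyVault/vaults", "apiVersion": "2019-09-01",
     "location": "westeurope",
     "properties": {"tenantId": "00000000-0000-0000-0000-000000000001",
                    "sku": {"family": "A", "name": "standard"}, "enableSoftDelete": False,
                    "accessPolicies": [{"tenantId": "00000000-0000-0000-0000-000000000002",
                                        "objectId": "11111111-1111-1111-1111-111111111111",
                                        "permissions": {"secrets": ["get", "list", "purge"]}}]}},
    {"name": "kv-hardened", "type": "Microsoft.KeyVault/vaults", "apiVersion": "2019-09-01",
     "location": "westeurope",
     "properties": {"tenantId": "00000000-0000-0000-0000-000000000001",
                    "sku": {"family": "A", "name": "premium"}, "enableSoftDelete": True,
                    "softDeleteRetentionInDays": 90, "enablePurgeProtection": True,
                    "accessPolicies": [{"tenantId": "00000000-0000-0000-0000-000000000001",
                                        "objectId": "11111111-1111-1111-1111-111111111111",
                                        "permissions": {"secrets": ["get"]}}],
                    "networkAcls": {"bypass": "None", "defaultAction": "Deny",
                                    "ipRules": [{"value": "203.0.113.0/24"}]}}}]})

if __name__ == "__main__":
    for name, findings in lint_template(SAMPLE_TEMPLATE).items():
        print(name, findings or ["no findings"])
```

Run against the embedded sample, kv-weak yields five findings (soft delete off, no purge protection, policy tenant mismatch, a purge grant, and no network rule set) while kv-hardened yields none. The checker deliberately treats a missing enablePurgeProtection as a finding even though the service accepts it, because the table states the property cannot be turned on later without making it irreversible, so the decision belongs in the template review.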

Quickstart templates

The following quickstart templates deploy this resource type.

Create an Application Gateway V2 with Key Vault: This template deploys an Application Gateway V2 in a Virtual Network, a user-defined identity, Key Vault, a secret (cert data), and an access policy on Key Vault and Application Gateway.
Create an Azure Key Vault and a secret: This template creates an Azure Key Vault and a secret.
Create an Azure Machine Learning service workspace: This template creates an Azure Machine Learning service workspace.
Create AML workspace with multiple Datasets & Datastores: This template creates an Azure Machine Learning workspace with multiple datasets and datastores.
Connect to a Key Vault via private endpoint: This sample shows how to configure a virtual network and private DNS zone to access Key Vault via a private endpoint.
Create a Key Vault and a list of secrets: This template creates a Key Vault and a list of secrets within the key vault, as passed in through the parameters.
Create Key Vault with logging enabled: This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources.
Advanced template for Azure Machine Learning workspace: A template that creates an Azure Machine Learning workspace with private endpoints and resources behind a VNET.
Create an AKS compute target with a Private IP address: This template creates an AKS compute target in a given Azure Machine Learning service workspace with a private IP address.
Continuous Deployment to VM Scale Sets with Jenkins and Spinnaker: This template allows you to deploy and configure a DevOps pipeline from an Aptly repository to a VM Scale Set in Azure.
Continuous Deployment to VM Scale Sets using Spinnaker: This template allows you to install Spinnaker on a VM or AKS. For the VM scenario, you can deploy and configure a DevOps pipeline from an Aptly repository to a VM Scale Set in Azure.
Create a KeyVault: This module allows you to create a KeyVault.