Microsoft.KeyVault vaults/keys 2021-04-01-preview

Bicep resource definition

The vaults/keys resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Remarks

For guidance on using key vaults for secure values, see Manage secrets by using Bicep.

For a quickstart on creating a secret, see Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template.

For a quickstart on creating a key, see Quickstart: Create an Azure key vault and a key by using ARM template.

Resource format

To create a Microsoft.KeyVault/vaults/keys resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.KeyVault/vaults/keys@2021-04-01-preview' = {
  name: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  parent: resourceSymbolicName
  properties: {
    attributes: {
      enabled: bool
      exp: int
      nbf: int
    }
    curveName: 'string'
    keyOps: [
      'string'
    ]
    keySize: int
    kty: 'string'
    rotationPolicy: {
      attributes: {
        expiryTime: 'string'
      }
      lifetimeActions: [
        {
          action: {
            type: 'string'
          }
          trigger: {
            timeAfterCreate: 'string'
            timeBeforeExpiry: 'string'
          }
        }
      ]
    }
  }
}

Property values

vaults/keys

Name Description Value
name The resource name

See how to set names and types for child resources in Bicep.
string (required)
tags The tags that will be assigned to the key. Dictionary of tag names and values. See Tags in templates
parent In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource.

For more information, see Child resource outside parent resource.
Symbolic name for resource of type: vaults
properties The properties of the key to be created. KeyProperties (required)

KeyProperties

Name Description Value
attributes The attributes of the key. KeyAttributes
curveName The elliptic curve name. For valid values, see JsonWebKeyCurveName. 'P-256'
'P-256K'
'P-384'
'P-521'
keyOps String array containing any of:
'decrypt'
'encrypt'
'import'
'sign'
'unwrapKey'
'verify'
'wrapKey'
keySize The key size in bits. For example: 2048, 3072, or 4096 for RSA. int
kty The type of the key. For valid values, see JsonWebKeyType. 'EC'
'EC-HSM'
'RSA'
'RSA-HSM'
rotationPolicy Key rotation policy in response. It will be used for both output and input. Omitted if empty RotationPolicy

KeyAttributes

Name Description Value
enabled Determines whether or not the object is enabled. bool
exp Expiry date in seconds since 1970-01-01T00:00:00Z. int
nbf Not before date in seconds since 1970-01-01T00:00:00Z. int

RotationPolicy

Name Description Value
attributes The attributes of key rotation policy. KeyRotationPolicyAttributes
lifetimeActions The lifetimeActions for key rotation action. LifetimeAction[]

KeyRotationPolicyAttributes

Name Description Value
expiryTime The expiration time for the new key version. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. string

LifetimeAction

Name Description Value
action The action of key rotation policy lifetimeAction. Action
trigger The trigger of key rotation policy lifetimeAction. Trigger

Action

Name Description Value
type The type of the action. The value should be compared case-insensitively. 'Notify'
'Rotate'

Trigger

Name Description Value
timeAfterCreate The time duration after key creation to rotate the key. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. string
timeBeforeExpiry The time duration before key expiring to rotate the key. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. string

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Create a Key in Azure KeyVault

Deploy to Azure
This module allows you to create a key in an existing KeyVault.
Azure Storage Account Encryption with customer-managed key

Deploy to Azure
This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault.

ARM template resource definition

The vaults/keys resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Remarks

For guidance on using key vaults for secure values, see Manage secrets by using Bicep.

For a quickstart on creating a secret, see Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template.

For a quickstart on creating a key, see Quickstart: Create an Azure key vault and a key by using ARM template.

Resource format

To create a Microsoft.KeyVault/vaults/keys resource, add the following JSON to your template.

{
  "type": "Microsoft.KeyVault/vaults/keys",
  "apiVersion": "2021-04-01-preview",
  "name": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "properties": {
    "attributes": {
      "enabled": "bool",
      "exp": "int",
      "nbf": "int"
    },
    "curveName": "string",
    "keyOps": [ "string" ],
    "keySize": "int",
    "kty": "string",
    "rotationPolicy": {
      "attributes": {
        "expiryTime": "string"
      },
      "lifetimeActions": [
        {
          "action": {
            "type": "string"
          },
          "trigger": {
            "timeAfterCreate": "string",
            "timeBeforeExpiry": "string"
          }
        }
      ]
    }
  }
}

Property values

vaults/keys

Name Description Value
type The resource type 'Microsoft.KeyVault/vaults/keys'
apiVersion The resource api version '2021-04-01-preview'
name The resource name

See how to set names and types for child resources in JSON ARM templates.
string (required)
tags The tags that will be assigned to the key. Dictionary of tag names and values. See Tags in templates
properties The properties of the key to be created. KeyProperties (required)

KeyProperties

Name Description Value
attributes The attributes of the key. KeyAttributes
curveName The elliptic curve name. For valid values, see JsonWebKeyCurveName. 'P-256'
'P-256K'
'P-384'
'P-521'
keyOps String array containing any of:
'decrypt'
'encrypt'
'import'
'sign'
'unwrapKey'
'verify'
'wrapKey'
keySize The key size in bits. For example: 2048, 3072, or 4096 for RSA. int
kty The type of the key. For valid values, see JsonWebKeyType. 'EC'
'EC-HSM'
'RSA'
'RSA-HSM'
rotationPolicy Key rotation policy in response. It will be used for both output and input. Omitted if empty RotationPolicy

KeyAttributes

Name Description Value
enabled Determines whether or not the object is enabled. bool
exp Expiry date in seconds since 1970-01-01T00:00:00Z. int
nbf Not before date in seconds since 1970-01-01T00:00:00Z. int

RotationPolicy

Name Description Value
attributes The attributes of key rotation policy. KeyRotationPolicyAttributes
lifetimeActions The lifetimeActions for key rotation action. LifetimeAction[]

KeyRotationPolicyAttributes

Name Description Value
expiryTime The expiration time for the new key version. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. string

LifetimeAction

Name Description Value
action The action of key rotation policy lifetimeAction. Action
trigger The trigger of key rotation policy lifetimeAction. Trigger

Action

Name Description Value
type The type of the action. The value should be compared case-insensitively. 'Notify'
'Rotate'

Trigger

Name Description Value
timeAfterCreate The time duration after key creation to rotate the key. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. string
timeBeforeExpiry The time duration before key expiring to rotate the key. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. string

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Create a Key in Azure KeyVault

Deploy to Azure
This module allows you to create a key in an existing KeyVault.
Azure Storage Account Encryption with customer-managed key

Deploy to Azure
This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault.

Terraform (AzAPI provider) resource definition

The vaults/keys resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults/keys resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.KeyVault/vaults/keys@2021-04-01-preview"
  name = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  body = jsonencode({
    properties = {
      attributes = {
        enabled = bool
        exp = int
        nbf = int
      }
      curveName = "string"
      keyOps = [
        "string"
      ]
      keySize = int
      kty = "string"
      rotationPolicy = {
        attributes = {
          expiryTime = "string"
        }
        lifetimeActions = [
          {
            action = {
              type = "string"
            }
            trigger = {
              timeAfterCreate = "string"
              timeBeforeExpiry = "string"
            }
          }
        ]
      }
    }
  })
}

Property values

vaults/keys

Name Description Value
type The resource type "Microsoft.KeyVault/vaults/keys@2021-04-01-preview"
name The resource name string (required)
parent_id The ID of the resource that is the parent for this resource. ID for resource of type: vaults
tags The tags that will be assigned to the key. Dictionary of tag names and values.
properties The properties of the key to be created. KeyProperties (required)

KeyProperties

Name Description Value
attributes The attributes of the key. KeyAttributes
curveName The elliptic curve name. For valid values, see JsonWebKeyCurveName. "P-256"
"P-256K"
"P-384"
"P-521"
keyOps String array containing any of:
"decrypt"
"encrypt"
"import"
"sign"
"unwrapKey"
"verify"
"wrapKey"
keySize The key size in bits. For example: 2048, 3072, or 4096 for RSA. int
kty The type of the key. For valid values, see JsonWebKeyType. "EC"
"EC-HSM"
"RSA"
"RSA-HSM"
rotationPolicy Key rotation policy in response. It will be used for both output and input. Omitted if empty RotationPolicy

KeyAttributes

Name Description Value
enabled Determines whether or not the object is enabled. bool
exp Expiry date in seconds since 1970-01-01T00:00:00Z. int
nbf Not before date in seconds since 1970-01-01T00:00:00Z. int

RotationPolicy

Name Description Value
attributes The attributes of key rotation policy. KeyRotationPolicyAttributes
lifetimeActions The lifetimeActions for key rotation action. LifetimeAction[]

KeyRotationPolicyAttributes

Name Description Value
expiryTime The expiration time for the new key version. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. string

LifetimeAction

Name Description Value
action The action of key rotation policy lifetimeAction. Action
trigger The trigger of key rotation policy lifetimeAction. Trigger

Action

Name Description Value
type The type of the action. The value should be compared case-insensitively. "Notify"
"Rotate"

Trigger

Name Description Value
timeAfterCreate The time duration after key creation to rotate the key. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. string
timeBeforeExpiry The time duration before key expiring to rotate the key. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. string