Microsoft.KeyVault/vaults template reference

API Version: 2018-02-14

Template format

To create a Microsoft.KeyVault/vaults resource, add the following JSON to the resources section of your template.

{
  "name": "string",
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2018-02-14",
  "location": "string",
  "tags": {},
  "properties": {
    "tenantId": "string",
    "sku": {
      "family": "A",
      "name": "string"
    },
    "accessPolicies": [
      {
        "tenantId": "string",
        "objectId": "string",
        "applicationId": "string",
        "permissions": {
          "keys": [
            "string"
          ],
          "secrets": [
            "string"
          ],
          "certificates": [
            "string"
          ],
          "storage": [
            "string"
          ]
        }
      }
    ],
    "vaultUri": "string",
    "enabledForDeployment": boolean,
    "enabledForDiskEncryption": boolean,
    "enabledForTemplateDeployment": boolean,
    "enableSoftDelete": boolean,
    "createMode": "string",
    "enablePurgeProtection": boolean,
    "networkAcls": {
      "bypass": "string",
      "defaultAction": "string",
      "ipRules": [
        {
          "value": "string"
        }
      ],
      "virtualNetworkRules": [
        {
          "id": "string"
        }
      ]
    }
  },
  "resources": []
}

Property values

The following tables describe the values you need to set in the schema.

Microsoft.KeyVault/vaults object

Name Type Required Value
name string Yes
type enum Yes Microsoft.KeyVault/vaults
apiVersion enum Yes 2018-02-14
location string Yes The supported Azure location where the key vault should be created.
tags object No The tags that will be assigned to the key vault.
properties object Yes Properties of the vault - VaultProperties object
resources array No accessPolicies

VaultProperties object

Name Type Required Value
tenantId string Yes The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. - globally unique identifier
sku object Yes SKU details - Sku object
accessPolicies array No An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. - AccessPolicyEntry object
vaultUri string No The URI of the vault for performing operations on keys and secrets.
enabledForDeployment boolean No Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
enabledForDiskEncryption boolean No Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
enabledForTemplateDeployment boolean No Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
enableSoftDelete boolean No Property to specify whether the 'soft delete' functionality is enabled for this key vault. It does not accept a value of false.
createMode enum No The vault's create mode, indicating whether the vault needs to be recovered or not. - recover or default
enablePurgeProtection boolean No Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value.
networkAcls object No A collection of rules governing the accessibility of the vault from specific network locations. - NetworkRuleSet object

Sku object

Name Type Required Value
family enum Yes SKU family name - A
name enum Yes SKU name to specify whether the key vault is a standard vault or a premium vault. - standard or premium

AccessPolicyEntry object

Name Type Required Value
tenantId string Yes The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. - globally unique identifier
objectId string Yes The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
applicationId string No Application ID of the client making a request on behalf of a principal - globally unique identifier
permissions object Yes Permissions the identity has for keys, secrets and certificates. - Permissions object

NetworkRuleSet object

Name Type Required Value
bypass enum No Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. - AzureServices or None
defaultAction enum No The default action when no rule from ipRules or virtualNetworkRules matches. This is only used after the bypass property has been evaluated. - Allow or Deny
ipRules array No The list of IP address rules. - IPRule object
virtualNetworkRules array No The list of virtual network rules. - VirtualNetworkRule object

Permissions object

Name Type Required Value
keys array No Permissions to keys - encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, purge
secrets array No Permissions to secrets - get, list, set, delete, backup, restore, recover, purge
certificates array No Permissions to certificates - get, list, delete, create, import, update, managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, recover, purge, backup, restore
storage array No Permissions to storage accounts - get, list, delete, set, update, regeneratekey, recover, purge, backup, restore, setsas, listsas, getsas, deletesas

IPRule object

Name Type Required Value
value string Yes An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78).

VirtualNetworkRule object

Name Type Required Value
id string Yes Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'.
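
A validator for the constraints listed in these tables, added here as an example and not part of Microsoft's documentation or tooling: it takes a Microsoft.KeyVault/vaults resource as a Python dict (what json.load gives you for one entry of a template's resources array), enforces the tenant, uniqueness, 16-entry and permission-name rules from the VaultProperties, AccessPolicyEntry and Permissions tables, the one-way semantics of enableSoftDelete and enablePurgeProtection, the IPv4/CIDR form of ipRules, and flags a networkAcls defaultAction other than Deny as an exposure finding. The vault name, location, tenant and object GUIDs in the sample are constructed placeholders.

```python
import ipaddress
# Allowed permission values, copied from the Permissions object table above.
PERM_SETS = {kind: set(names.split()) for kind, names in {
    "keys": "encrypt decrypt wrapKey unwrapKey sign verify get list create update import delete backup restore recover purge",
    "secrets": "get list set delete backup restore recover purge",
    "certificates": "get list delete create import update managecontacts getissuers listissuers setissuers deleteissuers manageissuers recover purge backup restore",
    "storage": "get list delete set update regeneratekey recover purge backup restore setsas listsas getsas deletesas",
}.items()}

def check_vault(resource):
    """Return a list of findings for one Microsoft.KeyVault/vaults resource given as a dict."""
    findings, p = [], resource.get("properties", {})
    # enableSoftDelete / enablePurgeProtection are one-way switches; purge protection needs soft delete.
    if p.get("enableSoftDelete") is False or p.get("enablePurgeProtection") is False:
        findings.append("enableSoftDelete and enablePurgeProtection do not accept false")
    if p.get("enablePurgeProtection") and not p.get("enableSoftDelete"):
        findings.append("enablePurgeProtection is effective only if enableSoftDelete is true")
    policies, seen = p.get("accessPolicies", []), set()
    if len(policies) > 16:
        findings.append("accessPolicies holds at most 16 entries")
    for pol in policies:
        oid = pol.get("objectId")
        if pol.get("tenantId") != p.get("tenantId"):
            findings.append(f"policy {oid}: tenantId must equal the vault tenantId")
        if oid in seen:
            findings.append(f"policy {oid}: objectId must be unique in accessPolicies")
        seen.add(oid)
        for kind, allowed in PERM_SETS.items():
            bad = set(pol.get("permissions", {}).get(kind, [])) - allowed
            if bad:
                findings.append(f"policy {oid}: unknown {kind} permissions {sorted(bad)}")
    # Posture check: without a Deny default the vault endpoint is reachable from any network.
    acl = p.get("networkAcls") or {}
    if acl.get("defaultAction") != "Deny":
        findings.append("networkAcls.defaultAction is not Deny: vault reachable from any network")
    for rule in acl.get("ipRules", []):  # each value must be an IPv4 address or CIDR range
        try:
            ipaddress.IPv4Network(rule["value"], strict=False)
        except (KeyError, TypeError, ValueError):
            findings.append(f"ipRules entry {rule!r} is not an IPv4 address or CIDR range")
    return findings

# Constructed sample of a hardened vault; the tenant and object GUIDs are placeholders.
TENANT = "00000000-0000-0000-0000-000000000001"
VAULT = {"name": "kv-example", "type": "Microsoft.KeyVault/vaults", "apiVersion": "2018-02-14", "location": "westeurope",
         "properties": {"tenantId": TENANT, "sku": {"family": "A", "name": "standard"},
                        "enableSoftDelete": True, "enablePurgeProtection": True,
                        "accessPolicies": [{"tenantId": TENANT, "objectId": "00000000-0000-0000-0000-0000000000aa",
                                            "permissions": {"secrets": ["get", "list"]}}],
                        "networkAcls": {"bypass": "None", "defaultAction": "Deny",
                                        "ipRules": [{"value": "124.56.78.0/24"}]}}}
```

Run check_vault over each entry of a template's resources array whose type is Microsoft.KeyVault/vaults; an empty list means the resource satisfies every rule above.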

Quickstart templates

For example templates, see KeyVault templates.