New-AzKeyVault

Creates a key vault.

Syntax

New-AzKeyVault
   [-Name] <String>
   [-ResourceGroupName] <String>
   [-Location] <String>
   [-EnabledForDeployment]
   [-EnabledForTemplateDeployment]
   [-EnabledForDiskEncryption]
   [-DisableSoftDelete]
   [-EnablePurgeProtection]
   [-SoftDeleteRetentionInDays <Int32>]
   [-Sku <SkuName>]
   [-Tag <Hashtable>]
   [-NetworkRuleSet <PSKeyVaultNetworkRuleSet>]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The New-AzKeyVault cmdlet creates a key vault in the specified resource group. This cmdlet also grants permissions to the currently logged on user to add, remove, or list keys and secrets in the key vault. Note: If you see the error The subscription is not registered to use namespace 'Microsoft.KeyVault' when you try to create your new key vault, run Register-AzResourceProvider -ProviderNamespace "Microsoft.KeyVault" and then rerun your New-AzKeyVault command. For more information, see Register-AzResourceProvider.

Examples

Example 1: Create a Standard key vault

PS C:\> New-AzKeyVault -VaultName 'Contoso03Vault' -ResourceGroupName 'Group14' -Location 'East US'

Vault Name                       : contoso03vault
Resource Group Name              : group14
Location                         : East US
Resource ID                      : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/group14/providers
                                   /Microsoft.KeyVault/vaults/contoso03vault
Vault URI                        : https://contoso03vault.vault.azure.net/
Tenant ID                        : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
SKU                              : Standard
Enabled For Deployment?          : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption?     : False
Soft Delete Enabled?             :
Access Policies                  :
                                   Tenant ID                                  : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
                                   Object ID                                  : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
                                   Application ID                             :
                                   Display Name                               : User Name (username@microsoft.com)
                                   Permissions to Keys                        : get, create, delete, list, update,
                                   import, backup, restore, recover
                                   Permissions to Secrets                     : get, list, set, delete, backup,
                                   restore, recover
                                   Permissions to Certificates                : get, delete, list, create, import,
                                   update, deleteissuers, getissuers, listissuers, managecontacts, manageissuers,
                                   setissuers, recover, backup, restore
                                   Permissions to (Key Vault Managed) Storage : delete, deletesas, get, getsas, list,
                                   listsas, regeneratekey, set, setsas, update, recover, backup, restore

Tags                             :

This command creates a key vault named Contoso03Vault, in the Azure region East US. The command adds the key vault to the resource group named Group14. Because the command does not specify a value for the SKU parameter, it creates a Standard key vault.

Example 2: Create a Premium key vault

PS C:\>New-AzKeyVault -VaultName 'Contoso03Vault' -ResourceGroupName 'Group14' -Location 'East US' -Sku 'Premium'

Vault Name                       : contoso03vault
Resource Group Name              : group14
Location                         : East US
Resource ID                      : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/group14/providers
                                   /Microsoft.KeyVault/vaults/contoso03vault
Vault URI                        : https://contoso03vault.vault.azure.net/
Tenant ID                        : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
SKU                              : Premium
Enabled For Deployment?          : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption?     : False
Soft Delete Enabled?             :
Access Policies                  :
                                   Tenant ID                                  : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
                                   Object ID                                  : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
                                   Application ID                             :
                                   Display Name                               : User Name (username@microsoft.com)
                                   Permissions to Keys                        : get, create, delete, list, update,
                                   import, backup, restore, recover
                                   Permissions to Secrets                     : get, list, set, delete, backup,
                                   restore, recover
                                   Permissions to Certificates                : get, delete, list, create, import,
                                   update, deleteissuers, getissuers, listissuers, managecontacts, manageissuers,
                                   setissuers, recover, backup, restore
                                   Permissions to (Key Vault Managed) Storage : delete, deletesas, get, getsas, list,
                                   listsas, regeneratekey, set, setsas, update, recover, backup, restore

Tags                             :

This command creates a key vault, just like the previous example. However, it specifies a value of Premium for the SKU parameter to create a Premium key vault.

Example 3

PS C:\> $frontendSubnet = New-AzVirtualNetworkSubnetConfig -Name frontendSubnet -AddressPrefix "110.0.1.0/24" -ServiceEndpoint Microsoft.KeyVault
PS C:\> $virtualNetwork = New-AzVirtualNetwork -Name myVNet -ResourceGroupName myRG -Location westus -AddressPrefix "110.0.0.0/16" -Subnet $frontendSubnet
PS C:\> $myNetworkResId = (Get-AzVirtualNetwork -Name myVNet -ResourceGroupName myRG).Subnets[0].Id
PS C:\> $ruleSet = New-AzKeyVaultNetworkRuleSetObject -DefaultAction Allow -Bypass AzureServices -IpAddressRange "110.0.1.0/24" -VirtualNetworkResourceId $myNetworkResId
PS C:\> New-AzKeyVault -ResourceGroupName "myRg" -VaultName "myVault" -NetworkRuleSet $ruleSet

Creating a key vault and specifies network rules to allow access to the specified IP address from the virtual network identified by $myNetworkResId. See New-AzKeyVaultNetworkRuleSetObject for more information.

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Type:Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DisableSoftDelete

If specified, 'soft delete' functionality is disabled for this key vault.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-EnablePurgeProtection

If specified, protection against immediate deletion is enabled for this vault; requires soft delete to be enabled as well.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-EnabledForDeployment

Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource creation, for example when creating a virtual machine.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-EnabledForDiskEncryption

Enables the Azure disk encryption service to get secrets and unwrap keys from this key vault.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-EnabledForTemplateDeployment

Enables Azure Resource Manager to get secrets from this key vault when this key vault is referenced in a template deployment.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-Location

Specifies the Azure region in which to create the key vault. Use the command Get-AzLocation to see your choices.

Type:String
Position:2
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-Name

Specifies a name of the key vault to create. The name can be any combination of letters, digits, or hyphens. The name must start and end with a letter or digit. The name must be universally unique.

Type:String
Aliases:VaultName
Position:0
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-NetworkRuleSet

Specifies the network rule set of the vault. It governs the accessibility of the key vault from specific network locations. Created by New-AzKeyVaultNetworkRuleSetObject.

Type:Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultNetworkRuleSet
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-ResourceGroupName

Specifies the name of an existing resource group in which to create the key vault.

Type:String
Position:1
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-Sku

Specifies the SKU of the key vault instance. For information about which features are available for each SKU, see the Azure Key Vault Pricing website (https://go.microsoft.com/fwlink/?linkid=512521).

Type:SkuName
Accepted values:Standard, Premium
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-SoftDeleteRetentionInDays

Specifies how long deleted resources are retained, and how long until a vault or an object in the deleted state can be purged. The default is 90 days.

Type:Int32
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Tag

Key-value pairs in the form of a hash table. For example: @{key0="value0";key1=$null;key2="value2"}

Type:Hashtable
Aliases:Tags
Position:Named
Default value:None
Accept pipeline input:True (ByPropertyName)
Accept wildcard characters:False
-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Inputs

String

SwitchParameter

SkuName

Hashtable

Outputs

PSKeyVault