Azure Key Vault REST API reference

Use Key Vault to safeguard and manage cryptographic keys, certificates and secrets used by cloud applications and services.

Key Vault operations

Operation Description
Check Name Availability Checks that the vault name is valid and is not already in use.
Create Or Update Create or update a key vault in the specified subscription.
Update Access Policy Update access policies in a key vault in the specified subscription.
Get Gets the specified Azure key vault.
List The List operation gets information about the vaults associated with the subscription.
List By Resource Group The List operation gets information about the vaults associated with the subscription and within the specified resource group.
List By Subscription The List operation gets information about the vaults associated with the subscription.
Update Update a key vault in the specified subscription.
Delete Deletes the specified Azure key vault.
Get Deleted Gets the deleted Azure key vault.
List Deleted Gets information about the deleted vaults in a subscription.
Purge Permanently deletes the specified vault.
Operation Description
List By Vault Gets the private link resources supported for the key vault.

Private endpoint connections operations

Operation Description
Get Gets the specified private endpoint connection associated with the key vault.
List By Resource The List operation gets information about the private endpoint connections associated with the vault.
Put Updates the specified private endpoint connection associated with the key vault.
Delete Deletes the specified private endpoint connection associated with the key vault.

Managed HSM operations

Operation Description
Create Or Update Create or update a managed HSM Pool in the specified subscription.
Get Gets the specified managed HSM Pool.
List By Resource Group The List operation gets information about the managed HSM Pools associated with the subscription and within the specified resource group.
List By Subscription The List operation gets information about the managed HSM Pools associated with the subscription.
Update Update a managed HSM Pool in the specified subscription.
Get Deleted Gets the specified deleted managed HSM.
List Deleted The List operation gets information about the deleted managed HSMs associated with the subscription.
Delete Deletes the specified managed HSM Pool.
Purge Deleted Permanently deletes the specified managed HSM.
Operation Description
List By MHSM Resource Gets the private link resources supported for the managed hsm pool.

Private endpoint connections operations

Operation Description
Get Gets the specified private endpoint connection associated with the managed HSM Pool.
List By Resource The List operation gets information about the private endpoint connections associated with the managed HSM Pool.
Put Updates the specified private endpoint connection associated with the managed HSM Pool.
Delete Deletes the specified private endpoint connection associated with the managed HSM Pool.

HSM Security Domain operations

Operation Description
Download Retrieves the Security Domain from the managed HSM. Calling this endpoint can be used to activate a provisioned managed HSM resource.
Download Pending Retrieves the Security Domain download operation status.
Upload Restore the provided Security Domain.
Upload Pending Get Security Domain upload operation status.

Role-based access control operations

Role assignment operations

Operation Description
Get Get the specified role assignment.
List Gets role assignments for a scope.
Create Creates a role assignment.
Delete Deletes a role assignment.

Role definition operations

Operation Description
Get Get the specified role definition.
List Get all role definitions that are applicable at scope and above.
Create Or Update Creates or updates a custom role definition.
Delete Deletes a custom role definition.

Backup/restore operations

Operation Description
Full Backup Creates a full backup using a user-provided SAS token to an Azure blob storage container. This operation is supported only by the Managed HSM service.
Backup Status Returns the status of full backup operation.
Full Restore Restores all key materials using the SAS token pointing to a previously stored Azure Blob storage backup folder.
Selective Restore Restores all key versions of a given key using user supplied SAS token pointing to a previously stored Azure Blob storage backup folder.
Restore Status Returns the status of restore operation.

HSM Security Domain

Operation Description
Full Backup Creates a full backup using a user-provided SAS token to an Azure blob storage container. This operation is supported only by the Managed HSM service.
Backup Status Returns the status of full backup operation.
Full Restore Restores all key materials using the SAS token pointing to a previously stored Azure Blob storage backup folder.
Selective Restore Restores all key versions of a given key using user supplied SAS token pointing to a previously stored Azure Blob storage backup folder.
Restore Status Returns the status of restore operation.

Key operations (Key Vault/Managed HSM)

Operation Description
Get Key Gets the public part of a stored key.
Get Keys List keys in the specified vault.
Get Key Versions Retrieves a list of individual key versions with the same key name.
Create Key Creates a new key, stores it, then returns key parameters and attributes to the client.
Import Key Imports an externally created key, stores it, and returns key parameters and attributes to the client.
Update Key The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Azure Key Vault.
Delete Key Deletes a key of any type from storage in Azure Key Vault.
Get Deleted Key Gets the public part of a deleted key.
Get Deleted Keys Lists the deleted keys in the specified vault.
Purge Deleted Key Permanently deletes the specified key.
Recover Deleted Key Recovers the deleted key to its latest version.
Backup Key Requests that a backup of the specified key be downloaded to the client.
Restore Key Restores a backed up key to a vault.
Release Key Releases a key. The release key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/release permission.

Key operations (Key Vault only)

Operation Description
Rotate Key Creates a new key version, stores it, then returns key parameters, attributes and policy to the client. The operation will rotate the key based on the key policy. It requires the keys/rotate permission.
Get Key Rotation Policy Lists the policy for a key. The GetKeyRotationPolicy operation returns the specified key policy resources in the specified key vault. This operation requires the keys/get permission.
Update Key Rotation Policy Updates the rotation policy for a key. Set specified members in the key policy. Leave others as undefined. This operation requires the keys/update permission.

Key operations (Managed HSM only)

Operation Description
Get Random Bytes Get the requested number of bytes containing random values from a managed HSM.
Rotate Key (Preview) Creates a new key version, stores it, then returns key parameters, attributes and policy to the client. The operation will rotate the key based on the key policy. It requires the keys/rotate permission.
Get Key Rotation Policy (Preview) Lists the policy for a key.The GetKeyRotationPolicy operation returns the specified key policy resources in the specified key vault. This operation requires the keys/get permission. (Managed HSM in Preview)
Update Key Rotation Policy (Preview) Updates the rotation policy for a key. Set specified members in the key policy. Leave others as undefined. This operation requires the keys/update permission.

Cryptographic operations (Key Vault/Managed HSM)

Operation Description
Decrypt Decrypts a single block of encrypted data.
Encrypt Encrypts an arbitrary sequence of bytes using an encryption key that is stored in a key vault.
Wrap Key Wraps a symmetric key using a specified key.
Unwrap Key Unwraps a symmetric key using the specified key that was initially used for wrapping that key.
Sign Creates a signature from a digest using the specified key.
Verify Verifies a signature using a specified key.

Secret operations (Key Vault only)

Operation Description
Get Secret Get a specified secret from a given key vault.
Get Secrets List secrets in a specified key vault.
Get Secret Versions List all versions of the specified secret.
Set Secret Sets a secret in a specified key vault.
Update Secret Updates the attributes associated with a specified secret in a given key vault.
Delete Secret Deletes a secret from a specified key vault.
Get Deleted Secret Gets the specified deleted secret.
Get Deleted Secrets Lists deleted secrets for the specified vault.
Purge Deleted Secret Permanently deletes the specified secret.
Recover Deleted Secret Recovers the deleted secret to the latest version.
Backup Secret Backs up the specified secret.
Restore Secret Restores a backed up secret to a vault.

Storage account key management operations (Key Vault only)

Storage Account configuration operations

Operation Description
Get Storage Account Gets information about a specified storage account. This operation requires the storage/get permission.
Get Storage Accounts List storage accounts managed by the specified key vault. This operation requires the storage/list permission.
Update Storage Account Updates the specified attributes associated with the given storage account. This operation requires the storage/set/update permission.
Set Storage Account Creates or updates a new storage account. This operation requires the storage/set permission.
Delete Storage Account Deletes a storage account. This operation requires the storage/delete permission.
Get Deleted Storage Account Gets the specified deleted storage account.
Get Deleted Storage Accounts Lists deleted storage accounts for the specified vault.
Purge Deleted Storage Account Permanently deletes the specified storage account.
Recover Deleted Storage Account Recovers the deleted storage account.
Backup Storage Account Backs up the specified storage account.
Restore Storage Account Restores a backed up storage account to a vault.

Storage Account key operations

Operation Description
Regenerate Storage Account Key Regenerates the specified key value for the given storage account. This operation requires the storage/regeneratekey permission.

Storage Account SAS operations

Operation Description
Get Sas Definition Gets information about a SAS definition for the specified storage account. This operation requires the storage/getsas permission.
Get Sas Definitions List storage SAS definitions for the given storage account. This operation requires the storage/listsas permission.
Set Sas Definition Creates or updates a new SAS definition for the specified storage account. This operation requires the storage/setsas permission.
Update Sas Definition Updates the specified attributes associated with the given SAS definition. This operation requires the storage/setsas permission.
Delete Sas Definition Deletes a SAS definition from a specified storage account. This operation requires the storage/deletesas permission.
Get Deleted Sas Definition Gets the specified deleted sas definition.
Get Deleted Sas Definitions Lists deleted SAS definitions for the specified vault and storage account.
Recover Deleted Sas Definition Recovers the deleted SAS definition.

Certificate operations (Key Vault only)

Operation Description
Get Certificate Gets information about a certificate.
Get Certificates List certificates in a specified key vault
Get Certificate Versions List the versions of a certificate.
Create Certificate Creates a new certificate.
Import Certificate Imports a certificate into a specified key vault.
Merge Certificate Merges a certificate or a certificate chain with a key pair existing on the server.
Get Certificate Operation Gets the creation operation of a certificate.
Update Certificate Operation Updates a certificate operation.
Delete Certificate Operation Deletes the creation operation for a specific certificate.
Update Certificate Updates the specified attributes associated with the given certificate.
Delete Certificate Deletes a certificate from a specified key vault.
Get Deleted Certificate Retrieves information about the specified deleted certificate.
Get Deleted Certificates Lists the deleted certificates in the specified vault currently available for recovery.
Purge Deleted Certificate Permanently deletes the specified deleted certificate.
Recover Deleted Certificate Recovers the deleted certificate back to its current version under /certificates.
Backup Certificate Backs up the specified certificate.
Restore Certificate Restores a backed up certificate to a vault.

Certificate policy operations

Operation Description
Get Certificate Policy Lists the policy for a certificate.
Update Certificate Policy Updates the policy for a certificate.

Certificate contacts operations

Operation Description
Get Certificate Contacts Lists the certificate contacts for a specified key vault.
Set Certificate Contacts Sets the certificate contacts for the specified key vault.
Delete Certificate Contacts Deletes the certificate contacts for a specified key vault.

Certificate issuer operations

Operation Description
Get Certificate Issuer Lists the specified certificate issuer.
Get Certificate Issuers List certificate issuers for a specified key vault.
Set Certificate Issuer Sets the specified certificate issuer.
Update Certificate Issuer Updates the specified certificate issuer.
Delete Certificate Issuer Deletes the specified certificate issuer.

See also