Vaults - Update Access Policy

Update access policies in a key vault in the specified subscription.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/accessPolicies/{operationKind}?api-version=2018-02-14

URI Parameters

Name | In | Required | Type | Description
subscriptionId | path | True | string | Subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.
resourceGroupName | path | True | string | The name of the Resource Group to which the vault belongs.
vaultName | path | True | string | Name of the vault. Regex pattern: ^[a-zA-Z0-9-]{3,24}$
operationKind | path | True | | Name of the operation
api-version | query | True | string | Client API version.

Request Body

Name | Required | Type | Description
properties | True | | Properties of the access policy

Responses

Name | Type | Description
200 OK | | The updated access policies
201 Created | | The updated access policies

Examples

Add an access policy, or update an access policy with new permissions

Sample Request

PUT https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/add?api-version=2018-02-14
{
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt"
          ],
          "secrets": [
            "get"
          ],
          "certificates": [
            "get"
          ]
        }
      }
    ]
  }
}

Sample Response

{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/",
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt"
          ],
          "secrets": [
            "get"
          ],
          "certificates": [
            "get"
          ]
        }
      }
    ]
  }
}

Definitions

AccessPolicyEntry

An identity that has access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.

AccessPolicyUpdateKind

Name of the operation

Permissions

Permissions the identity has for keys, secrets, certificates and storage.

VaultAccessPolicyParameters

Parameters for updating the access policy in a vault

VaultAccessPolicyProperties

Properties of the vault access policy

AccessPolicyEntry

An identity that has access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.

Name | Type | Description
applicationId | string | Application ID of the client making the request on behalf of a principal
objectId | string | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
permissions | | Permissions the identity has for keys, secrets and certificates.
tenantId | string | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

AccessPolicyUpdateKind

Name of the operation

Name | Type | Description
add | string |
remove | string |
replace | string |

Permissions

Permissions the identity has for keys, secrets, certificates and storage.

Name | Type | Description
certificates | string[] | Permissions to certificates
keys | string[] | Permissions to keys
secrets | string[] | Permissions to secrets
storage | string[] | Permissions to storage accounts

VaultAccessPolicyParameters

Parameters for updating the access policy in a vault

Name | Type | Description
id | string | The resource id of the access policy.
location | string | The resource type of the access policy.
name | string | The resource name of the access policy.
properties | | Properties of the access policy
type | string | The resource name of the access policy.

VaultAccessPolicyProperties

Properties of the vault access policy

Name | Type | Description
accessPolicies | | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.
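
Added example (not part of the original reference and not Microsoft's code): a client-side pre-flight check that enforces the constraints stated on this page (vault name pattern, operation kind, 0 to 16 identities, one tenant, unique object IDs) before the PUT is sent. The function name build_access_policy_update and the constants are hypothetical; the request is only built, not sent, and authentication is out of scope.

```python
import json
import re
import uuid
from urllib.parse import quote

VAULT_NAME_RE = re.compile(r"^[a-zA-Z0-9-]{3,24}$")   # pattern from URI Parameters
OPERATION_KINDS = {"add", "remove", "replace"}        # AccessPolicyUpdateKind
PERMISSION_GROUPS = {"keys", "secrets", "certificates", "storage"}
API_VERSION = "2018-02-14"
ZERO_GUID = "00000000-0000-0000-0000-000000000000"    # placeholder used in the page's sample
SAMPLE_ENTRY = {                                      # constructed from the Sample Request
    "tenantId": ZERO_GUID, "objectId": ZERO_GUID,
    "permissions": {"keys": ["encrypt"], "secrets": ["get"], "certificates": ["get"]},
}


def build_access_policy_update(subscription_id, resource_group, vault_name,
                               operation_kind, vault_tenant_id, entries):
    """Return (url, json_body); raise ValueError on a documented constraint violation."""
    if not VAULT_NAME_RE.fullmatch(vault_name):
        raise ValueError("vaultName does not match ^[a-zA-Z0-9-]{3,24}$")
    if operation_kind not in OPERATION_KINDS:
        raise ValueError("operationKind must be add, remove or replace")
    if len(entries) > 16:
        raise ValueError("accessPolicies holds 0 to 16 identities")
    # Assumption: IDs are GUIDs, so parse them to compare case-insensitively.
    vault_tenant = uuid.UUID(vault_tenant_id)
    seen = set()
    for entry in entries:
        if uuid.UUID(entry["tenantId"]) != vault_tenant:
            raise ValueError("tenantId differs from the key vault's tenant ID")
        object_id = uuid.UUID(entry["objectId"])
        if object_id in seen:
            raise ValueError("objectId must be unique in the list of access policies")
        seen.add(object_id)
        unknown = set(entry.get("permissions", {})) - PERMISSION_GROUPS
        if unknown:
            raise ValueError(f"unknown permission group(s): {sorted(unknown)}")
    # Percent-encode caller-supplied path segments so they cannot alter the URI.
    url = (f"https://management.azure.com/subscriptions/{quote(subscription_id, safe='')}"
           f"/resourceGroups/{quote(resource_group, safe='')}"
           f"/providers/Microsoft.KeyVault/vaults/{vault_name}"
           f"/accessPolicies/{operation_kind}?api-version={API_VERSION}")
    return url, json.dumps({"properties": {"accessPolicies": entries}}, indent=2)
```

Rejecting a mismatched tenant ID or a duplicate object ID locally keeps a malformed policy list from reaching the management endpoint, and leaves a clear error for change review.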