Vaults - Update Access Policy

Update access policies in a key vault in the specified subscription.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/accessPolicies/{operationKind}?api-version=2019-09-01

URI Parameters

Name In Required Type Description
operationKind
path True

Name of the operation

resourceGroupName
path True
  • string

The name of the Resource Group to which the vault belongs.

subscriptionId
path True
  • string

Subscription credentials which uniquely identify a Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.

vaultName
path True
  • string

Name of the vault

Regex pattern: ^[a-zA-Z0-9-]{3,24}$

api-version
query True
  • string

Client API version.

Request Body

Name Required Type Description
properties True

Properties of the access policy

Responses

Name Type Description
200 OK

The updated access policies

201 Created

The updated access policies

400 Bad Request

Bad request.

404 Not Found

The specified resource does not exist.

Other Status Codes

A conflict occurred to prevent the operation from completing.

Other Status Codes

Error response describing why the operation failed.

Examples

Add an access policy, or update an access policy with new permissions

Sample Request

PUT https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/add?api-version=2019-09-01
{
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt"
          ],
          "secrets": [
            "get"
          ],
          "certificates": [
            "get"
          ]
        }
      }
    ]
  }
}

Sample Response

{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/",
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt"
          ],
          "secrets": [
            "get"
          ],
          "certificates": [
            "get"
          ]
        }
      }
    ]
  }
}
{
  "error": {
    "code": "",
    "message": ""
  }
}

Definitions

AccessPolicyEntry

An identity that has access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.

AccessPolicyUpdateKind

Name of the operation

CloudError

An error response from Key Vault resource provider

CloudErrorBody

An error response from Key Vault resource provider

Permissions

Permissions the identity has for keys, secrets, certificates and storage.

VaultAccessPolicyParameters

Parameters for updating the access policy in a vault

VaultAccessPolicyProperties

Properties of the vault access policy

AccessPolicyEntry

An identity that has access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.

Name Type Description
applicationId
  • string

Application ID of the client making request on behalf of a principal

objectId
  • string

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.

permissions

Permissions the identity has for keys, secrets and certificates.

tenantId
  • string

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

AccessPolicyUpdateKind

Name of the operation

Name Type Description
add
  • string
remove
  • string
replace
  • string

CloudError

An error response from Key Vault resource provider

Name Type Description
error

An error response from Key Vault resource provider

CloudErrorBody

An error response from Key Vault resource provider

Name Type Description
code
  • string

Error code. This is a mnemonic that can be consumed programmatically.

message
  • string

User friendly error message. The message is typically localized and may vary with service version.

Permissions

Permissions the identity has for keys, secrets, certificates and storage.

Name Type Description
certificates
  • string[]

Permissions to certificates

keys
  • string[]

Permissions to keys

secrets
  • string[]

Permissions to secrets

storage
  • string[]

Permissions to storage accounts

VaultAccessPolicyParameters

Parameters for updating the access policy in a vault

Name Type Description
id
  • string

The resource id of the access policy.

location
  • string

The resource type of the access policy.

name
  • string

The resource name of the access policy.

properties

Properties of the access policy

type
  • string

The resource name of the access policy.

VaultAccessPolicyProperties

Properties of the vault access policy

Name Type Description
accessPolicies

An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.
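
The constraints documented on this page (the vault name pattern, the three operation kinds, one tenant per vault, unique object IDs, 0 to 16 entries) can be checked client-side before the PUT is sent. The following is an added example, not part of the original reference or of any Microsoft SDK; the function and variable names are illustrative, and comparing GUIDs case-insensitively is an assumption.

```python
import re
from urllib.parse import quote

# Limits come from this page; all function and variable names are illustrative.
VAULT_NAME_RE = re.compile(r"^[a-zA-Z0-9-]{3,24}$")
OPERATION_KINDS = {"add", "remove", "replace"}  # AccessPolicyUpdateKind
PERMISSION_SCOPES = {"keys", "secrets", "certificates", "storage"}
MAX_ENTRIES = 16

def build_url(subscription_id, resource_group, vault_name, operation_kind):
    """Build the PUT URL, rejecting values the URI parameter table does not allow."""
    # fullmatch, so a trailing newline cannot slip past the `$` anchor.
    if not VAULT_NAME_RE.fullmatch(vault_name):
        raise ValueError("vaultName must match ^[a-zA-Z0-9-]{3,24}$")
    if operation_kind not in OPERATION_KINDS:
        raise ValueError("operationKind must be add, remove or replace")
    # Percent-encode caller-supplied segments so they cannot alter the path.
    sub, rg = quote(subscription_id, safe=""), quote(resource_group, safe="")
    return (f"https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/Microsoft.KeyVault/vaults/{vault_name}"
            f"/accessPolicies/{operation_kind}?api-version=2019-09-01")

def check_body(body, vault_tenant_id):
    """Return violations of the documented accessPolicies constraints (empty if none)."""
    entries = body.get("properties", {}).get("accessPolicies")
    if not isinstance(entries, list):
        return ["properties.accessPolicies must be an array"]
    problems, seen = [], set()
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries; the array holds 0 to {MAX_ENTRIES}")
    for i, entry in enumerate(entries):
        # Assumption: GUIDs are compared case-insensitively.
        oid = str(entry.get("objectId", "")).lower()
        if str(entry.get("tenantId", "")).lower() != vault_tenant_id.lower():
            problems.append(f"entry {i}: tenantId differs from the vault's tenant")
        if oid in seen:
            problems.append(f"entry {i}: objectId is not unique")
        seen.add(oid)
        unknown = set(entry.get("permissions", {})) - PERMISSION_SCOPES
        if unknown:
            problems.append(f"entry {i}: unknown permission group {sorted(unknown)}")
    return problems

if __name__ == "__main__":
    tenant = "00000000-0000-0000-0000-000000000000"  # constructed sample values
    entry = {"tenantId": tenant, "objectId": tenant,
             "permissions": {"keys": ["encrypt"], "secrets": ["get"]}}
    print(build_url(tenant, "sample-group", "sample-vault", "add"))
    print(check_body({"properties": {"accessPolicies": [entry, dict(entry)]}}, tenant))
```

An empty list from `check_body` means the body satisfies the constraints stated here; the service remains the authority on whether the request is accepted.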