Microsoft.KeyVault vaults

12/07/2020
7 minutos para ler

Template format

To create a Microsoft.KeyVault/vaults resource, add the following JSON to the resources section of your template.

{
  "name": "string",
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2019-09-01",
  "location": "string",
  "tags": {},
  "properties": {
    "tenantId": "string",
    "sku": {
      "family": "A",
      "name": "string"
    },
    "accessPolicies": [
      {
        "tenantId": "string",
        "objectId": "string",
        "applicationId": "string",
        "permissions": {
          "keys": [
            "string"
          ],
          "secrets": [
            "string"
          ],
          "certificates": [
            "string"
          ],
          "storage": [
            "string"
          ]
        }
      }
    ],
    "vaultUri": "string",
    "enabledForDeployment": "boolean",
    "enabledForDiskEncryption": "boolean",
    "enabledForTemplateDeployment": "boolean",
    "enableSoftDelete": "boolean",
    "softDeleteRetentionInDays": "integer",
    "enableRbacAuthorization": "boolean",
    "createMode": "string",
    "enablePurgeProtection": "boolean",
    "networkAcls": {
      "bypass": "string",
      "defaultAction": "string",
      "ipRules": [
        {
          "value": "string"
        }
      ],
      "virtualNetworkRules": [
        {
          "id": "string"
        }
      ]
    }
  },
  "resources": []
}

Property values

The following tables describe the values you need to set in the schema.

Microsoft.KeyVault/vaults object

Name	Type	Required	Value
name	string	Yes	Name of the vault
type	enum	Yes	Microsoft.KeyVault/vaults
apiVersion	enum	Yes	2019-09-01
location	string	Yes	The supported Azure location where the key vault should be created.
tags	object	No	The tags that will be assigned to the key vault.
properties	object	Yes	Properties of the vault - VaultProperties object
resources	array	No	privateEndpointConnections accessPolicies

VaultProperties object

Name	Type	Required	Value
tenantId	string	Yes	The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. - globally unique identifier
sku	object	Yes	SKU details - Sku object
accessPolicies	array	No	An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When `createMode` is set to `recover`, access policies are not required. Otherwise, access policies are required. - AccessPolicyEntry object
vaultUri	string	No	The URI of the vault for performing operations on keys and secrets. This property is readonly.
enabledForDeployment	boolean	No	Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
enabledForDiskEncryption	boolean	No	Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
enabledForTemplateDeployment	boolean	No	Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
enableSoftDelete	boolean	No	Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false.
softDeleteRetentionInDays	integer	No	softDelete data retention days. It accepts >=7 and <=90.
enableRbacAuthorization	boolean	No	Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC.
createMode	enum	No	The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default
enablePurgeProtection	boolean	No	Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value.
networkAcls	object	No	Rules governing the accessibility of the key vault from specific network locations. - NetworkRuleSet object

Sku object

Name	Type	Required	Value
family	enum	Yes	SKU family name - A
name	enum	Yes	SKU name to specify whether the key vault is a standard vault or a premium vault. - standard or premium

AccessPolicyEntry object

Name	Type	Required	Value
tenantId	string	Yes	The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. - globally unique identifier
objectId	string	Yes	The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
applicationId	string	No	Application ID of the client making request on behalf of a principal - globally unique identifier
permissions	object	Yes	Permissions the identity has for keys, secrets and certificates. - Permissions object

NetworkRuleSet object

Name	Type	Required	Value
bypass	enum	No	Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. - AzureServices or None
defaultAction	enum	No	The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. - Allow or Deny
ipRules	array	No	The list of IP address rules. - IPRule object
virtualNetworkRules	array	No	The list of virtual network rules. - VirtualNetworkRule object

Permissions object

Name	Type	Required	Value
keys	array	No	Permissions to keys - all, encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, purge
secrets	array	No	Permissions to secrets - all, get, list, set, delete, backup, restore, recover, purge
certificates	array	No	Permissions to certificates - all, get, list, delete, create, import, update, managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, recover, purge, backup, restore
storage	array	No	Permissions to storage accounts - all, get, list, delete, set, update, regeneratekey, recover, purge, backup, restore, setsas, listsas, getsas, deletesas

IPRule object

Name	Type	Required	Value
value	string	Yes	An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78).

VirtualNetworkRule object

Name	Type	Required	Value
id	string	Yes	Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'.

Quickstart templates

The following quickstart templates deploy this resource type.

Template	Description
Create an API Management service with SSL from KeyVault	This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours.
Create an Application Gateway V2 with Key Vault	This template deploys an Application Gateway V2 in a Virtual Network, a user defined identity, Key Vault, a secret (cert data), and access policy on Key Vault and Application Gateway.
Create an Azure Key Vault and a secret	This template creates an Azure Key Vault and a secret.
Create an Azure Machine Learning service workspace.	This template creates an Azure Machine Learning service workspace.
Create AML workspace with multiple Datasets & Datastores	This template creates Azure Machine Learning workspace with multiple datasets & datastores.
Connect to a Key Vault via private endpoint	This sample shows how to use configure a virtual network and private DNS zone to access Key Vault via private endpoint.
Create a Key Vault and a list of secrets	This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters
Create Key Vault with logging enabled	This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources.
Advanced template for Azure Machine Learning workspace	A template that creates Azure Machine Learning workspace with private endpoints and resources behind VNET
Create an AKS compute target with a Private IP address.	This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address.
Continuous Deployment to VM Scale Sets with Jenkins and Spinnaker	This template allows you to deploy and configure a DevOps pipeline from an Aptly repository to a VM Scale Set in Azure.
Continuous Deployment to VM Scale Sets using Spinnaker	This template allows you to install Spinnaker on VM or AKS. Specifically, as for the VM scenario you can deploy and configure a DevOps pipeline from an Aptly repository to a VM Scale Set in Azure.
Azure Machine Learning Workspace	This template creates a new Azure Machine Learning Workspace, along with an encrypted Storage Account, KeyVault and Applications Insights Logging
Create a KeyVault	This module allows you to create a KeyVault.
SAS 9.4 and Viya Quickstart Template for Azure	The SAS® 9.4 and Viya QuickStart Template for Azure deploy these products on the cloud: SAS® Enterprise BI Server 9.4, SAS® Enterprise Miner 15.1, and SAS® Visual Analytics 8.5 on Linux, and SAS® Visual Data Mining and Machine Learning 8.5 on Linux for Viya. This QuickStart is a reference architecture for users who wants to deploy the combination of SAS® 9.4 and Viya on Azure using cloud-friendly technologies. By deploying the SAS® platform on Azure, you get an integrated environment of SAS® 9.4 and Viya environments so you can take advantage of both worlds. SAS® Viya is a cloud-enabled, in-memory analytics engine. It uses elastic, scalable, and fault-tolerant processing to address complex analytical challenges. SAS® Viya provides faster processing for analytics by using a standardized code base that supports programming in SAS®, Python, R, Java, and Lua. It also supports cloud, on-premises, or hybrid environments and deploys seamlessly to any infrastructure or application ecosystem.