Quickstart: Create an Azure key vault using Bicep

Azure Key Vault is a cloud service that provides a secure store for secrets, such as keys, passwords, and certificates. This quickstart focuses on the process of deploying a Bicep file to create a key vault.

Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.

Prerequisites

  • If you don't have an Azure subscription, create a free account before you begin.

Review the Bicep file

The template used in this quickstart is from Azure Quickstart Templates.

@description('Specifies the name of the key vault.')
param keyVaultName string

@description('Specifies the Azure location where the key vault should be created.')
param location string = resourceGroup().location

@description('Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.')
param enabledForDeployment bool = false

@description('Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.')
param enabledForDiskEncryption bool = false

@description('Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault.')
param enabledForTemplateDeployment bool = false

@description('Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet.')
param tenantId string = subscription().tenantId

@description('Specifies whether the key vault is a standard vault or a premium vault.')
@allowed([
  'standard'
  'premium'
])
param skuName string = 'standard'

@description('Specifies the name of the secret that you want to create.')
param secretName string

@description('Specifies the value of the secret that you want to create.')
@secure()
param secretValue string

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    enabledForDeployment: enabledForDeployment
    enabledForDiskEncryption: enabledForDiskEncryption
    enabledForTemplateDeployment: enabledForTemplateDeployment
    enableRbacAuthorization: true
    tenantId: tenantId
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true
    sku: {
      name: skuName
      family: 'A'
    }
    networkAcls: {
      defaultAction: 'Allow'
      bypass: 'AzureServices'
    }
  }
}

resource secret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: kv
  name: secretName
  properties: {
    value: secretValue
  }
}

output location string = location
output name string = kv.name
output resourceGroupName string = resourceGroup().name
output resourceId string = kv.id

Two Azure resources are defined in the Bicep file:

  • Microsoft.KeyVault/vaults: create an Azure key vault. The template enables Azure RBAC authorization (enableRbacAuthorization: true) instead of legacy access policies, soft delete with a 90-day retention period, and purge protection. Note that networkAcls is set to defaultAction: 'Allow', so the vault accepts requests from any network; bypass: 'AzureServices' only matters once the default action is changed to 'Deny'.

  • Microsoft.KeyVault/vaults/secrets: create a secret in that vault from the secretName and secretValue parameters. The secretValue parameter is marked @secure(), so its value isn't logged in the deployment history.

Deploy the Bicep file

  1. Save the Bicep file as main.bicep to your local computer.

  2. Deploy the Bicep file by using either the Azure CLI or Azure PowerShell.

    az group create --name myResourceGroup --location eastus
    az deployment group create --resource-group myResourceGroup --template-file main.bicep --parameters keyVaultName=<vault-name>

    Note

    Replace <vault-name> with the name of the key vault, which must be globally unique within the vault.azure.net namespace. The secretName and secretValue parameters have no default values, so the CLI prompts for them interactively when they aren't supplied on the command line.

    When the deployment finishes, you should see a message indicating the deployment succeeded.

Assign a Key Vault RBAC role

The key vault created by this Bicep file uses Azure RBAC for authorization. To create or read keys, secrets, or certificates through the data plane, you need to assign yourself an appropriate role. For example, to manage secrets, assign yourself the Key Vault Secrets Officer role:

echo "Enter your key vault name:" &&
read keyVaultName &&
az role assignment create --role "Key Vault Secrets Officer" \
    --assignee-object-id $(az ad signed-in-user show --query id -o tsv) \
    --scope $(az keyvault show --name $keyVaultName --query id -o tsv)

Note

For other built-in roles, see Azure built-in roles for Key Vault data plane operations. Role assignments might take a minute or two to propagate.

Review deployed resources

You can either use the Azure portal to check the key vault, or use the following Azure CLI or Azure PowerShell script:

echo "Enter your key vault name:" &&
read keyVaultName &&
az keyvault show --name $keyVaultName
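As an added check that is not part of the original quickstart, the following Python script reads the JSON printed by `az keyvault show -o json` and reports any of the template's hardening settings (RBAC authorization, soft delete, 90-day retention, purge protection) that are missing, plus a networkAcls default of Allow, which the template above leaves in place. The embedded sample is constructed to mirror that template; the property names match the Bicep resource above.

```python
import json
import sys
from typing import Dict, List

# Constructed sample in the shape of `az keyvault show -o json` output for a
# vault deployed from the quickstart template (values mirror its properties).
SAMPLE_VAULT_JSON = json.dumps({
    "name": "example-kv",
    "properties": {
        "enableRbacAuthorization": True,
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 90,
        "enablePurgeProtection": True,
        "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"},
    },
})


def check_vault(vault_json: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    props: Dict = json.loads(vault_json).get("properties", {})
    findings: List[str] = []
    if props.get("enableRbacAuthorization") is not True:
        findings.append("enableRbacAuthorization is not true (legacy access policies in use)")
    if props.get("enableSoftDelete") is not True:
        findings.append("enableSoftDelete is not true")
    retention = props.get("softDeleteRetentionInDays")
    if not isinstance(retention, int) or retention < 90:
        findings.append(f"softDeleteRetentionInDays is {retention!r}, expected 90")
    if props.get("enablePurgeProtection") is not True:
        findings.append("enablePurgeProtection is not true")
    # networkAcls.defaultAction controls public reachability; Allow means any
    # network may reach the data plane, so flag anything other than Deny.
    acls = props.get("networkAcls") or {}
    if acls.get("defaultAction") != "Deny":
        findings.append("networkAcls.defaultAction is not Deny (vault reachable from any network)")
    return findings


if __name__ == "__main__":
    # Usage: az keyvault show --name $keyVaultName -o json | python3 check_vault.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VAULT_JSON
    for finding in check_vault(raw):
        print("FINDING:", finding)
```

Run without piped input, the script evaluates the embedded sample and reports only the network finding, which is the expected result for a vault created from the template above.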

Clean up resources

When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and its resources.

az group delete --name myResourceGroup

Note

Deleting the resource group also deletes the key vault, but the vault then enters a soft-deleted state and remains recoverable for the retention period (90 days by default). The vault name remains reserved globally during that period, and because purge protection is enabled, the vault can't be purged early. For standard key vaults, soft-deleted vaults don't incur charges. For more information, see Key Vault soft-delete overview.

Next steps

In this quickstart, you created a key vault using Bicep and then validated the deployment. To learn more about Key Vault and Bicep, continue on to the articles below.