Bicep resource definition
The vaults/accessPolicies resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.KeyVault/vaults/accessPolicies@2018-02-14' = {
  parent: resourceSymbolicName
  name: 'string'
  properties: {
    accessPolicies: [
      {
        applicationId: 'string'
        objectId: 'string'
        permissions: {
          certificates: [
            'string'
          ]
          keys: [
            'string'
          ]
          secrets: [
            'string'
          ]
          storage: [
            'string'
          ]
        }
        tenantId: 'string'
      }
    ]
  }
}
```
Property Values
Microsoft.KeyVault/vaults/accessPolicies
Name | Description | Value |
---|---|---|
name | The resource name | 'add' 'remove' 'replace' (required) |
parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. | Symbolic name for resource of type: vaults |
properties | Properties of the access policy | VaultAccessPolicyProperties (required) |
AccessPolicyEntry
Name | Description | Value |
---|---|---|
applicationId | Application ID of the client making request on behalf of a principal | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string (required) |
permissions | Permissions the identity has for keys, secrets and certificates. | Permissions (required) |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
Permissions
Name | Description | Value |
---|---|---|
certificates | Permissions to certificates | String array containing any of: 'backup' 'create' 'delete' 'deleteissuers' 'get' 'getissuers' 'import' 'list' 'listissuers' 'managecontacts' 'manageissuers' 'purge' 'recover' 'restore' 'setissuers' 'update' |
keys | Permissions to keys | String array containing any of: 'backup' 'create' 'decrypt' 'delete' 'encrypt' 'get' 'import' 'list' 'purge' 'recover' 'restore' 'sign' 'unwrapKey' 'update' 'verify' 'wrapKey' |
secrets | Permissions to secrets | String array containing any of: 'backup' 'delete' 'get' 'list' 'purge' 'recover' 'restore' 'set' |
storage | Permissions to storage accounts | String array containing any of: 'backup' 'delete' 'deletesas' 'get' 'getsas' 'list' 'listsas' 'purge' 'recover' 'regeneratekey' 'restore' 'set' 'setsas' 'update' |
VaultAccessPolicyProperties
Name | Description | Value |
---|---|---|
accessPolicies | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. | AccessPolicyEntry[] (required) |
Usage Examples
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
Bicep File | Description |
---|---|
Deploy an Azure Databricks Workspace with all 3 forms of CMK | This template allows you to create an Azure Databricks workspace with managed services and CMK with DBFS encryption. |
Deploy an Azure Databricks Workspace with Managed Disks CMK | This template allows you to create an Azure Databricks workspace with Managed Disks CMK. |
Deploy an Azure Databricks WS with CMK for DBFS encryption | This template allows you to create an Azure Databricks workspace with CMK for DBFS root encryption |
Deploy Azure Databricks Workspace with Managed Services CMK | This template allows you to create an Azure Databricks workspace with Managed Services CMK. |
FinOps hub | This template creates a new FinOps hub instance, including Data Explorer, Data Lake storage, and Data Factory. |
ARM template resource definition
The vaults/accessPolicies resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following JSON to your template.
```json
{
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "apiVersion": "2018-02-14",
  "name": "string",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": "string",
        "objectId": "string",
        "permissions": {
          "certificates": [ "string" ],
          "keys": [ "string" ],
          "secrets": [ "string" ],
          "storage": [ "string" ]
        },
        "tenantId": "string"
      }
    ]
  }
}
```
Property Values
Microsoft.KeyVault/vaults/accessPolicies
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2018-02-14' |
name | The resource name | 'add' 'remove' 'replace' (required) |
properties | Properties of the access policy | VaultAccessPolicyProperties (required) |
type | The resource type | 'Microsoft.KeyVault/vaults/accessPolicies' |
AccessPolicyEntry
Name | Description | Value |
---|---|---|
applicationId | Application ID of the client making request on behalf of a principal | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string (required) |
permissions | Permissions the identity has for keys, secrets and certificates. | Permissions (required) |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
Permissions
Name | Description | Value |
---|---|---|
certificates | Permissions to certificates | String array containing any of: 'backup' 'create' 'delete' 'deleteissuers' 'get' 'getissuers' 'import' 'list' 'listissuers' 'managecontacts' 'manageissuers' 'purge' 'recover' 'restore' 'setissuers' 'update' |
keys | Permissions to keys | String array containing any of: 'backup' 'create' 'decrypt' 'delete' 'encrypt' 'get' 'import' 'list' 'purge' 'recover' 'restore' 'sign' 'unwrapKey' 'update' 'verify' 'wrapKey' |
secrets | Permissions to secrets | String array containing any of: 'backup' 'delete' 'get' 'list' 'purge' 'recover' 'restore' 'set' |
storage | Permissions to storage accounts | String array containing any of: 'backup' 'delete' 'deletesas' 'get' 'getsas' 'list' 'listsas' 'purge' 'recover' 'regeneratekey' 'restore' 'set' 'setsas' 'update' |
VaultAccessPolicyProperties
Name | Description | Value |
---|---|---|
accessPolicies | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. | AccessPolicyEntry[] (required) |
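The following script is an added example, not part of this reference or of any Microsoft tooling. It checks a `Microsoft.KeyVault/vaults/accessPolicies` JSON body against the constraints stated in the tables above (allowed resource names, 0 to 16 entries, 36-character GUID pattern for `tenantId` and `applicationId`, one tenant for all entries, unique `objectId`, permission strings drawn only from the `Permissions` table) before the template is deployed, and separately lists grants such as `purge` or `regeneratekey` that a reviewer normally wants justified. The sample body, the tenant ID and the `HIGH_IMPACT` set are constructed for the example; the set is a reviewer heuristic, not something the resource schema defines.

```python
"""Pre-deployment check for a Microsoft.KeyVault/vaults/accessPolicies body.

Added example, not Microsoft code: the checks mirror the constraints in the
reference tables (name, entry count, GUID format, tenant consistency,
allowed permission values). HIGH_IMPACT is an assumed reviewer heuristic.
"""
import json
import re

# Pattern from the AccessPolicyEntry table for tenantId / applicationId.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Allowed values per permission group, copied from the Permissions table.
ALLOWED = {
    "certificates": {"backup", "create", "delete", "deleteissuers", "get", "getissuers",
                     "import", "list", "listissuers", "managecontacts", "manageissuers",
                     "purge", "recover", "restore", "setissuers", "update"},
    "keys": {"backup", "create", "decrypt", "delete", "encrypt", "get", "import", "list",
             "purge", "recover", "restore", "sign", "unwrapKey", "update", "verify", "wrapKey"},
    "secrets": {"backup", "delete", "get", "list", "purge", "recover", "restore", "set"},
    "storage": {"backup", "delete", "deletesas", "get", "getsas", "list", "listsas", "purge",
                "recover", "regeneratekey", "restore", "set", "setsas", "update"},
}

# Assumption: grants a reviewer should see justified (destructive or
# export-capable operations). Not defined by the resource schema.
HIGH_IMPACT = {"purge", "delete", "backup", "restore", "import", "regeneratekey", "manageissuers"}


def validate(resource: dict, vault_tenant_id: str) -> list[str]:
    """Return schema violations for one accessPolicies resource; empty means well-formed."""
    errors = []
    if resource.get("type") != "Microsoft.KeyVault/vaults/accessPolicies":
        errors.append("type must be Microsoft.KeyVault/vaults/accessPolicies")
    if resource.get("name") not in {"add", "remove", "replace"}:
        errors.append("name must be one of add, remove, replace")
    policies = resource.get("properties", {}).get("accessPolicies")
    if not isinstance(policies, list):
        return errors + ["properties.accessPolicies must be an array"]
    if len(policies) > 16:
        errors.append(f"accessPolicies has {len(policies)} entries; maximum is 16")
    seen_object_ids = set()
    for i, policy in enumerate(policies):
        tag = f"accessPolicies[{i}]"
        tenant = policy.get("tenantId")
        if not isinstance(tenant, str) or not GUID_RE.match(tenant):
            errors.append(f"{tag}.tenantId must be a 36-character GUID")
        elif tenant.lower() != vault_tenant_id.lower():
            errors.append(f"{tag}.tenantId does not match the vault's tenant")
        object_id = policy.get("objectId")
        if not isinstance(object_id, str) or not object_id:
            errors.append(f"{tag}.objectId is required")
        elif object_id.lower() in seen_object_ids:
            errors.append(f"{tag}.objectId duplicates an earlier entry")
        else:
            seen_object_ids.add(object_id.lower())
        app_id = policy.get("applicationId")
        if app_id is not None and (not isinstance(app_id, str) or not GUID_RE.match(app_id)):
            errors.append(f"{tag}.applicationId must be a 36-character GUID when present")
        perms = policy.get("permissions")
        if not isinstance(perms, dict):
            errors.append(f"{tag}.permissions is required")
            continue
        for group, values in perms.items():
            if group not in ALLOWED:
                errors.append(f"{tag}.permissions.{group} is not a known permission group")
                continue
            for value in values:
                if value not in ALLOWED[group]:
                    errors.append(f"{tag}.permissions.{group} contains unknown value '{value}'")
    return errors


def high_impact_grants(resource: dict) -> list[str]:
    """List 'objectId:group/permission' for every grant in HIGH_IMPACT."""
    findings = []
    for policy in resource.get("properties", {}).get("accessPolicies", []):
        for group, values in policy.get("permissions", {}).items():
            for value in values:
                if value.lower() in HIGH_IMPACT:
                    findings.append(f"{policy.get('objectId')}:{group}/{value}")
    return findings


# Constructed sample: placeholder GUIDs, not real identities or tenants.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_BODY = json.loads("""
{
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "apiVersion": "2018-02-14",
  "name": "add",
  "properties": {
    "accessPolicies": [
      {
        "objectId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "tenantId": "11111111-2222-3333-4444-555555555555",
        "permissions": { "secrets": [ "get", "list" ] }
      },
      {
        "objectId": "ffffffff-0000-1111-2222-333333333333",
        "tenantId": "11111111-2222-3333-4444-555555555555",
        "permissions": { "keys": [ "get", "purge", "wrap" ], "storage": [ "regeneratekey" ] }
      }
    ]
  }
}
""")

if __name__ == "__main__":
    for line in validate(SAMPLE_BODY, SAMPLE_TENANT) or ["schema: ok"]:
        print("schema:", line)
    for line in high_impact_grants(SAMPLE_BODY) or ["review: no high-impact grants"]:
        print("review:", line)
```

On the constructed sample the schema check reports a single defect, the misspelled key permission `wrap` (the table allows `wrapKey`), and the review pass surfaces the `keys/purge` and `storage/regeneratekey` grants on the second entry; the first entry, limited to `secrets` `get` and `list`, passes both checks.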
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
Template | Description |
---|---|
Add KeyVault Access Policy | Add an access policy to an existing KeyVault without removing existing policies. |
AzureDatabricks Template with Default Storage Firewall | This template allows you to create a Default Storage Firewall enabled Azure Databricks workspace with Private Endpoint, all three forms of CMK, and User-Assigned Access Connector. |
Create an Azure SQL Server, with data encryption protector | This template creates an Azure SQL server and activates the data encryption protector using a given key stored in a given Key Vault. |
Deploy an Azure Databricks Workspace with all 3 forms of CMK | This template allows you to create an Azure Databricks workspace with managed services and CMK with DBFS encryption. |
Deploy an Azure Databricks Workspace with Managed Disks CMK | This template allows you to create an Azure Databricks workspace with Managed Disks CMK. |
Deploy an Azure Databricks Workspace with PE,CMK all forms | This template allows you to create an Azure Databricks workspace with PrivateEndpoint and managed services and CMK with DBFS encryption. |
Deploy an Azure Databricks WS with CMK for DBFS encryption | This template allows you to create an Azure Databricks workspace with CMK for DBFS root encryption. |
Deploy Azure Databricks Workspace with Managed Services CMK | This template allows you to create an Azure Databricks workspace with Managed Services CMK. |
Deploy Data Lake Store account with encryption(Key Vault) | This template allows you to deploy an Azure Data Lake Store account with data encryption enabled. This account uses Azure Key Vault to manage the encryption key. |
FinOps hub | This template creates a new FinOps hub instance, including Data Explorer, Data Lake storage, and Data Factory. |
User assigned identity role assignment template | A template that creates role assignments of a user-assigned identity on resources that an Azure Machine Learning workspace depends on. |
Terraform (AzAPI provider) resource definition
The vaults/accessPolicies resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following Terraform to your template.
```terraform
resource "azapi_resource" "symbolicname" {
  type      = "Microsoft.KeyVault/vaults/accessPolicies@2018-02-14"
  name      = "string"
  parent_id = "string"
  body = {
    properties = {
      accessPolicies = [
        {
          applicationId = "string"
          objectId      = "string"
          permissions = {
            certificates = [
              "string"
            ]
            keys = [
              "string"
            ]
            secrets = [
              "string"
            ]
            storage = [
              "string"
            ]
          }
          tenantId = "string"
        }
      ]
    }
  }
}
```
Property Values
Microsoft.KeyVault/vaults/accessPolicies
Name | Description | Value |
---|---|---|
name | The resource name | 'add' 'remove' 'replace' (required) |
parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: vaults |
properties | Properties of the access policy | VaultAccessPolicyProperties (required) |
type | The resource type | "Microsoft.KeyVault/vaults/accessPolicies@2018-02-14" |
AccessPolicyEntry
Name | Description | Value |
---|---|---|
applicationId | Application ID of the client making request on behalf of a principal | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string (required) |
permissions | Permissions the identity has for keys, secrets and certificates. | Permissions (required) |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
Permissions
Name | Description | Value |
---|---|---|
certificates | Permissions to certificates | String array containing any of: 'backup' 'create' 'delete' 'deleteissuers' 'get' 'getissuers' 'import' 'list' 'listissuers' 'managecontacts' 'manageissuers' 'purge' 'recover' 'restore' 'setissuers' 'update' |
keys | Permissions to keys | String array containing any of: 'backup' 'create' 'decrypt' 'delete' 'encrypt' 'get' 'import' 'list' 'purge' 'recover' 'restore' 'sign' 'unwrapKey' 'update' 'verify' 'wrapKey' |
secrets | Permissions to secrets | String array containing any of: 'backup' 'delete' 'get' 'list' 'purge' 'recover' 'restore' 'set' |
storage | Permissions to storage accounts | String array containing any of: 'backup' 'delete' 'deletesas' 'get' 'getsas' 'list' 'listsas' 'purge' 'recover' 'regeneratekey' 'restore' 'set' 'setsas' 'update' |
VaultAccessPolicyProperties
Name | Description | Value |
---|---|---|
accessPolicies | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. | AccessPolicyEntry[] (required) |