Azure Key Vault is a cloud service that provides a secure store for secrets, such as keys, passwords, and certificates. This quickstart focuses on the process of deploying a Bicep file to create a key vault and a self-signed certificate.
Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.
Prerequisites
- If you don't have an Azure subscription, create a free account before you begin.
Review the Bicep file
The template used in this quickstart is from Azure Quickstart Templates.
@description('The name of the key vault to be created.')
param vaultName string

@description('The name of the certificate to be created.')
param certificateName string

@description('The location of the resources.')
param location string = resourceGroup().location

@description('The SKU of the vault to be created.')
@allowed([
  'standard'
  'premium'
])
param skuName string = 'standard'

@description('The common name (subject) for the self-signed certificate. Defaults to the certificate name.')
param certificateCommonName string = certificateName

@description('The validity of the certificate in months.')
@minValue(1)
@maxValue(1200)
param validityInMonths int = 12

resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    // Data-plane access is governed by Azure RBAC role assignments, not vault access policies.
    enableRbacAuthorization: true
    // Soft delete plus purge protection: a deleted vault (or object) stays recoverable for the
    // retention period and cannot be purged early, even by an administrator.
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true
    // Keep Resource Manager, virtual machines and Azure Disk Encryption from reading vault
    // contents unless explicitly opted in.
    enabledForDeployment: false
    enabledForDiskEncryption: false
    enabledForTemplateDeployment: false
    tenantId: subscription().tenantId
    sku: {
      name: skuName
      family: 'A'
    }
    // 'Allow' leaves the data plane reachable from any network; only RBAC limits access.
    // Tighten to 'Deny' with ipRules, virtualNetworkRules or a private endpoint outside a quickstart.
    networkAcls: {
      defaultAction: 'Allow'
      bypass: 'AzureServices'
    }
  }
}

// Key Vault certificates are a data-plane concept and cannot be created
// directly through ARM. Use the public Bicep registry module which wraps
// `az keyvault certificate create` in a deployment script (it provisions a
// user-assigned managed identity with the Key Vault Certificates Officer
// role on the vault for the duration of the deployment).
module certificate 'br/public:deployment-scripts/create-kv-certificate:3.4.2' = {
  name: 'create-${certificateName}'
  params: {
    akvName: vault.name
    location: location
    certificateNames: [certificateName]
    certificateCommonNames: [certificateCommonName]
    validity: validityInMonths
  }
}

output location string = location
output name string = vault.name
output resourceGroupName string = resourceGroup().name
output resourceId string = vault.id
output certificateSecretId string = certificate.outputs.certificateSecretIds[0][0]
output certificateThumbprint string = certificate.outputs.certificateThumbprintHexs[0][0]
Two Azure resources are defined in the Bicep file:
- Microsoft.KeyVault/vaults: create an Azure key vault with Azure RBAC authorization enabled (enableRbacAuthorization: true), soft delete and purge protection turned on, and the three enabledFor* flags set to false so that Azure Resource Manager, virtual machines and Azure Disk Encryption can't read vault contents unless you opt in.
- Microsoft.Resources/deployments: nested deployment that runs the create-kv-certificate registry module to create a self-signed certificate in the vault. Certificates are a data-plane resource and can't be created directly with an ARM resource type, so the module runs a deployment script under a temporary user-assigned managed identity that holds the Key Vault Certificates Officer role on the vault.
Note
The template sets networkAcls.defaultAction to Allow, so the vault's data plane is reachable from any network and only RBAC limits who can read it. That is acceptable for a quickstart; for anything else, set defaultAction to Deny and add ipRules, virtualNetworkRules or a private endpoint.
Deploy the Bicep file
Save the Bicep file as main.bicep to your local computer.
Deploy the Bicep file by using either the Azure CLI or Azure PowerShell.
az group create --name myResourceGroup --location eastus
az deployment group create --resource-group myResourceGroup --template-file main.bicep --parameters vaultName=<vault-name> certificateName=myCert
Note
Replace <vault-name> with the name of the key vault, which must be globally unique within the vault.azure.net namespace. When the deployment finishes, you should see a message indicating the deployment succeeded.
Assign a Key Vault RBAC role
The key vault created by this Bicep file uses Azure RBAC for authorization. To access certificates through the data plane (for example, by using the Azure CLI or Azure PowerShell), you need to assign yourself an appropriate role.
echo "Enter your key vault name:" &&
read keyVaultName &&
az role assignment create --role "Key Vault Certificates Officer" \
--assignee-object-id $(az ad signed-in-user show --query id -o tsv) \
--scope $(az keyvault show --name $keyVaultName --query id -o tsv)
Note
Role assignments might take a minute or two to propagate.
Review deployed resources
You can either use the Azure portal to check the key vault and the certificate, or use the following Azure CLI or Azure PowerShell script to list the certificate created.
echo "Enter your key vault name:" &&
read keyVaultName &&
az keyvault certificate list --vault-name $keyVaultName &&
echo "Press [ENTER] to continue ..."
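The deploy, role-assignment and review steps above, and the name reservation described under Clean up resources, combined into one script. This is an added example, not part of the original quickstart: it validates the vault name locally against the Key Vault naming rules, checks that the name is free (reporting a soft-deleted vault that still holds it), previews the deployment with what-if before creating anything, assigns the role, polls the data plane until the assignment has propagated, and cross-checks the thumbprint reported by the deployment output against what the vault serves. The resource group, location and deployment name at the top, the RUN_DEPLOY gate, and the CLI's az keyvault check-name command and x509ThumbprintHex field are assumptions not stated on this page.

```shell
#!/bin/sh
# Added example (not from the original article): end-to-end run of main.bicep
# with the checks a practitioner wants around it. Assumed names: RESOURCE_GROUP,
# LOCATION, DEPLOYMENT_NAME, the RUN_DEPLOY gate, and the CLI fields used below.
set -eu

RESOURCE_GROUP=${RESOURCE_GROUP:-myResourceGroup}
LOCATION=${LOCATION:-eastus}
DEPLOYMENT_NAME=kv-cert-quickstart

# Key Vault naming rules: 3-24 characters, letters/digits/hyphens, starts with a
# letter, ends with a letter or digit, no consecutive hyphens. Checked locally so
# a bad name fails here rather than minutes into the deployment.
validate_vault_name() {
  name=$1
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 24 ] || return 1
  printf '%s\n' "$name" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*[A-Za-z0-9]$' || return 1
  case $name in *--*) return 1 ;; esac
  return 0
}

# Thumbprints show up with or without colons and in mixed case; normalise first.
normalize_thumbprint() {
  printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

thumbprints_match() {
  [ "$(normalize_thumbprint "$1")" = "$(normalize_thumbprint "$2")" ]
}

# The name must be globally unique, and a soft-deleted vault keeps it reserved
# for the retention period. Surface that before trying to deploy.
check_name_available() {
  vault=$1
  available=$(az keyvault check-name --name "$vault" --query nameAvailable -o tsv)
  if [ "$available" != "true" ]; then
    echo "vault name '$vault' is not available; soft-deleted vaults with that name:" >&2
    az keyvault list-deleted \
      --query "[?name=='$vault'].{name:name,deleted:properties.deletionDate,purgeAt:properties.scheduledPurgeDate}" \
      -o table >&2
    return 1
  fi
}

deploy() {
  vault=$1; cert=$2
  az group create --name "$RESOURCE_GROUP" --location "$LOCATION" --output none
  # Preview first: what-if surfaces parameter and property mistakes before anything is created.
  az deployment group what-if --resource-group "$RESOURCE_GROUP" \
    --template-file main.bicep --parameters vaultName="$vault" certificateName="$cert"
  az deployment group create --name "$DEPLOYMENT_NAME" --resource-group "$RESOURCE_GROUP" \
    --template-file main.bicep --parameters vaultName="$vault" certificateName="$cert" --output none
}

# RBAC vault: grant yourself Key Vault Certificates Officer, then poll the data
# plane until the assignment is effective instead of sleeping a fixed time.
grant_and_wait() {
  vault=$1
  me=$(az ad signed-in-user show --query id -o tsv)
  scope=$(az keyvault show --name "$vault" --query id -o tsv)
  az role assignment create --role "Key Vault Certificates Officer" \
    --assignee-object-id "$me" --assignee-principal-type User --scope "$scope" --output none
  tries=0
  until az keyvault certificate list --vault-name "$vault" --output none 2>/dev/null; do
    tries=$((tries + 1))
    [ "$tries" -lt 18 ] || { echo "role assignment not effective after 3 minutes" >&2; return 1; }
    sleep 10
  done
}

# The thumbprint the deployment reported must match what the data plane serves.
verify_certificate() {
  vault=$1; cert=$2
  expected=$(az deployment group show --name "$DEPLOYMENT_NAME" --resource-group "$RESOURCE_GROUP" \
    --query properties.outputs.certificateThumbprint.value -o tsv)
  actual=$(az keyvault certificate show --vault-name "$vault" --name "$cert" \
    --query x509ThumbprintHex -o tsv)
  if thumbprints_match "$expected" "$actual"; then
    echo "certificate $cert verified, thumbprint $actual"
  else
    echo "thumbprint mismatch: deployment=$expected vault=$actual" >&2
    return 1
  fi
}

main() {
  vault=$1; cert=${2:-myCert}
  validate_vault_name "$vault" || { echo "invalid vault name '$vault'" >&2; return 1; }
  check_name_available "$vault"
  deploy "$vault" "$cert"
  grant_and_wait "$vault"
  verify_certificate "$vault" "$cert"
}

# The live part only runs when asked for: RUN_DEPLOY=1 sh deploy-kv.sh <vault-name> [cert-name]
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  main "$@"
fi
```

Run it from the directory that holds main.bicep with RUN_DEPLOY=1 and the vault name as the first argument. The polling loop in grant_and_wait replaces the "wait a minute or two" advice with a positive signal that the role assignment is effective, and verify_certificate fails the run if the certificate in the vault is not the one the deployment claims to have created.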
Clean up resources
When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and its resources.
az group delete --name myResourceGroup
Note
Deleting the resource group also deletes the key vault, but the vault then enters a soft-deleted state and remains recoverable for the retention period (90 days by default). The vault name remains reserved globally during that period, and because purge protection is enabled, the vault can't be purged early. For standard key vaults, soft-deleted vaults don't incur charges. For more information, see Key Vault soft-delete overview.
Next steps
In this quickstart, you created a key vault and a certificate using Bicep and then validated the deployment. To learn more about Key Vault and Bicep, continue on to the articles below.
- Read an Overview of Azure Key Vault
- Learn more about Bicep
- Review the Key Vault security overview