Microsoft.KeyVault vaults 2023-02-01
The vaults resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
For guidance on using key vaults for secure values, see Manage secrets by using Bicep.
For a quickstart on creating a secret, see Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template.
For a quickstart on creating a key, see Quickstart: Create an Azure key vault and a key by using ARM template.
To create a Microsoft.KeyVault/vaults resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.KeyVault/vaults@2023-02-01' = {
name: 'string'
location: 'string'
tags: {
tagName1: 'tagValue1'
tagName2: 'tagValue2'
}
properties: {
accessPolicies: [
{
applicationId: 'string'
objectId: 'string'
permissions: {
certificates: [
'string'
]
keys: [
'string'
]
secrets: [
'string'
]
storage: [
'string'
]
}
tenantId: 'string'
}
]
createMode: 'string'
enabledForDeployment: bool
enabledForDiskEncryption: bool
enabledForTemplateDeployment: bool
enablePurgeProtection: bool
enableRbacAuthorization: bool
enableSoftDelete: bool
networkAcls: {
bypass: 'string'
defaultAction: 'string'
ipRules: [
{
value: 'string'
}
]
virtualNetworkRules: [
{
id: 'string'
ignoreMissingVnetServiceEndpoint: bool
}
]
}
provisioningState: 'string'
publicNetworkAccess: 'string'
sku: {
family: 'A'
name: 'string'
}
softDeleteRetentionInDays: int
tenantId: 'string'
vaultUri: 'string'
}
}
Name | Description | Value |
---|---|---|
name | The resource name | string (required) Character limit: 3-24 Valid characters: Alphanumerics and hyphens. Start with letter. End with letter or digit. Can't contain consecutive hyphens. Resource name must be unique across Azure. |
location | The supported Azure location where the key vault should be created. | string (required) |
tags | The tags that will be assigned to the key vault. | Dictionary of tag names and values. See Tags in templates |
properties | Properties of the vault | VaultProperties (required) |
Name | Description | Value |
---|---|---|
accessPolicies | An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When createMode is set to recover , access policies are not required. Otherwise, access policies are required. |
AccessPolicyEntry[] |
createMode | The vault's create mode to indicate whether the vault need to be recovered or not. | 'default' 'recover' |
enabledForDeployment | Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. | bool |
enabledForDiskEncryption | Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | bool |
enabledForTemplateDeployment | Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. | bool |
enablePurgeProtection | Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value. | bool |
enableRbacAuthorization | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | bool |
enableSoftDelete | Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false. | bool |
networkAcls | Rules governing the accessibility of the key vault from specific network locations. | NetworkRuleSet |
provisioningState | Provisioning state of the vault. | 'RegisteringDns' 'Succeeded' |
publicNetworkAccess | Property to specify whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules. | string |
sku | SKU details | Sku (required) |
softDeleteRetentionInDays | softDelete data retention days. It accepts >=7 and <=90. | int |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string (required) Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
vaultUri | The URI of the vault for performing operations on keys and secrets. | string |
Name | Description | Value |
---|---|---|
applicationId | Application ID of the client making request on behalf of a principal | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string (required) |
permissions | Permissions the identity has for keys, secrets and certificates. | Permissions (required) |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string (required) Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
Name | Description | Value |
---|---|---|
certificates | Permissions to certificates | String array containing any of: 'all' 'backup' 'create' 'delete' 'deleteissuers' 'get' 'getissuers' 'import' 'list' 'listissuers' 'managecontacts' 'manageissuers' 'purge' 'recover' 'restore' 'setissuers' 'update' |
keys | Permissions to keys | String array containing any of: 'all' 'backup' 'create' 'decrypt' 'delete' 'encrypt' 'get' 'getrotationpolicy' 'import' 'list' 'purge' 'recover' 'release' 'restore' 'rotate' 'setrotationpolicy' 'sign' 'unwrapKey' 'update' 'verify' 'wrapKey' |
secrets | Permissions to secrets | String array containing any of: 'all' 'backup' 'delete' 'get' 'list' 'purge' 'recover' 'restore' 'set' |
storage | Permissions to storage accounts | String array containing any of: 'all' 'backup' 'delete' 'deletesas' 'get' 'getsas' 'list' 'listsas' 'purge' 'recover' 'regeneratekey' 'restore' 'set' 'setsas' 'update' |
Name | Description | Value |
---|---|---|
bypass | Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. | 'AzureServices' 'None' |
defaultAction | The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. | 'Allow' 'Deny' |
ipRules | The list of IP address rules. | IPRule[] |
virtualNetworkRules | The list of virtual network rules. | VirtualNetworkRule[] |
Name | Description | Value |
---|---|---|
value | An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). | string (required) |
Name | Description | Value |
---|---|---|
id | Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. | string (required) |
ignoreMissingVnetServiceEndpoint | Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured. | bool |
Name | Description | Value |
---|---|---|
family | SKU family name | 'A' (required) |
name | SKU name to specify whether the key vault is a standard vault or a premium vault. | 'premium' 'standard' (required) |
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
AKS Cluster with a NAT Gateway and an Application Gateway |
This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
Create a Private AKS Cluster with a Public DNS Zone |
This sample shows how to a deploy a private AKS cluster with a Public DNS Zone. |
Deploy the Sports Analytics on Azure Architecture |
Creates an Azure storage account with ADLS Gen 2 enabled, an Azure Data Factory instance with linked services for the storage account (an the Azure SQL Database if deployed), and an Azure Databricks instance. The AAD identity for the user deploying the template and the managed identity for the ADF instance will be granted the Storage Blob Data Contributor role on the storage account. There are also options to deploy an Azure Key Vault instance, an Azure SQL Database, and an Azure Event Hub (for streaming use cases). When an Azure Key Vault is deployed, the data factory managed identity and the AAD identity for the user deploying the template will be granted the Key Vault Secrets User role. |
Azure Machine Learning Workspace |
This template creates a new Azure Machine Learning Workspace, along with an encrypted Storage Account, KeyVault and Applications Insights Logging |
Create a KeyVault |
This module creates a KeyVault resource with apiVersion 2019-09-01. |
Create an API Management service with SSL from KeyVault |
This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours. |
Creates a Dapr pub-sub servicebus app using Container Apps |
Create a Dapr pub-sub servicebus app using Container Apps. |
creates an Azure Stack HCI 23H2 cluster |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
creates an Azure Stack HCI 23H2 cluster |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template, using custom storage IP |
creates an Azure Stack HCI 23H2 cluster in Switchless-Dual-link Networking mode |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
creates an Azure Stack HCI 23H2 cluster in Switchless-SingleLink networking mode |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
Create a new encrypted windows vm from gallery image |
This template creates a new encrypted windows vm using the server 2k12 gallery image. |
Create new encrypted managed disks win-vm from gallery image |
This template creates a new encrypted managed disks windows vm using the server 2k12 gallery image. |
This template encrypts a running Windows VMSS |
This template enables encryption on a running Windows VM Scale Set |
Enable encryption on a running Windows VM |
This template enables encryption on a running windows vm. |
Create and encrypt a new Windows VMSS with jumpbox |
This template allows you to deploy a simple VM Scale Set of Windows VMs using the lastest patched version of serveral Windows versions. This template also deploys a jumpbox with a public IP address in the same virtual network. You can connect to the jumpbox via this public IP address, then connect from there to VMs in the scale set via private IP addresses.This template enables encryption on the VM Scale Set of Windows VMs. |
Create an Azure Key Vault and a secret |
This template creates an Azure Key Vault and a secret. |
Create an Azure Key Vault with RBAC and a secret |
This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets |
Create key vault, managed identity, and role assignment |
This template creates a key vault, managed identity, and role assignment. |
Connect to a Key Vault via private endpoint |
This sample shows how to use configure a virtual network and private DNS zone to access Key Vault via private endpoint. |
Create a Key Vault and a list of secrets |
This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters |
Create Key Vault with logging enabled |
This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources. |
Azure AI Studio basic setup |
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
Azure AI Studio basic setup |
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
Azure AI Studio with Microsoft Entra ID Authentication |
This set of templates demonstrates how to set up Azure AI Studio with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage. |
Create AML workspace with multiple Datasets & Datastores |
This template creates Azure Machine Learning workspace with multiple datasets & datastores. |
Azure Machine Learning end-to-end secure setup |
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
Azure Machine Learning end-to-end secure setup (legacy) |
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
Create an AKS compute target with a Private IP address |
This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address. |
Create an Azure Machine Learning service workspace |
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the minimal set of resources you require to get started with Azure Machine Learning. |
Create an Azure Machine Learning service workspace (CMK) |
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. The example shows how to configure Azure Machine Learning for encryption with a customer-managed encryption key. |
Create an Azure Machine Learning service workspace (CMK) |
This deployment template specifies how to create an Azure Machine Learning workspace with service-side encryption using your encryption keys. |
Create an Azure Machine Learning service workspace (vnet) |
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. |
Create an Azure Machine Learning service workspace (legacy) |
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. |
AKS cluster with the Application Gateway Ingress Controller |
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault |
Create an Application Gateway V2 with Key Vault |
This template deploys an Application Gateway V2 in a Virtual Network, a user defined identity, Key Vault, a secret (cert data), and access policy on Key Vault and Application Gateway. |
Testing environment for Azure Firewall Premium |
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
Creates a Cross-tenant Private Endpoint resource |
This template allows you to create Priavate Endpoint resource within the same or cross-tenant environment and add dns zone configuration. |
Create Application Gateway with Certificates |
This template shows how to generate Key Vault self-signed certificates, then reference from Application Gateway. |
Azure Storage Account Encryption with customer-managed key |
This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault. |
App Service Environment with Azure SQL backend |
This template creates an App Service Environment with an Azure SQL backend along with private endpoints along with associated resources typically used in an private/isolated environment. |
Azure Function app and an HTTP-triggered function |
This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key. |
Application Gateway with internal API Management and Web App |
Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App. |
The vaults resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
For guidance on using key vaults for secure values, see Manage secrets by using Bicep.
For a quickstart on creating a secret, see Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template.
For a quickstart on creating a key, see Quickstart: Create an Azure key vault and a key by using ARM template.
To create a Microsoft.KeyVault/vaults resource, add the following JSON to your template.
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2023-02-01",
"name": "string",
"location": "string",
"tags": {
"tagName1": "tagValue1",
"tagName2": "tagValue2"
},
"properties": {
"accessPolicies": [
{
"applicationId": "string",
"objectId": "string",
"permissions": {
"certificates": [ "string" ],
"keys": [ "string" ],
"secrets": [ "string" ],
"storage": [ "string" ]
},
"tenantId": "string"
}
],
"createMode": "string",
"enabledForDeployment": "bool",
"enabledForDiskEncryption": "bool",
"enabledForTemplateDeployment": "bool",
"enablePurgeProtection": "bool",
"enableRbacAuthorization": "bool",
"enableSoftDelete": "bool",
"networkAcls": {
"bypass": "string",
"defaultAction": "string",
"ipRules": [
{
"value": "string"
}
],
"virtualNetworkRules": [
{
"id": "string",
"ignoreMissingVnetServiceEndpoint": "bool"
}
]
},
"provisioningState": "string",
"publicNetworkAccess": "string",
"sku": {
"family": "A",
"name": "string"
},
"softDeleteRetentionInDays": "int",
"tenantId": "string",
"vaultUri": "string"
}
}
Name | Description | Value |
---|---|---|
type | The resource type | 'Microsoft.KeyVault/vaults' |
apiVersion | The resource api version | '2023-02-01' |
name | The resource name | string (required) Character limit: 3-24 Valid characters: Alphanumerics and hyphens. Start with letter. End with letter or digit. Can't contain consecutive hyphens. Resource name must be unique across Azure. |
location | The supported Azure location where the key vault should be created. | string (required) |
tags | The tags that will be assigned to the key vault. | Dictionary of tag names and values. See Tags in templates |
properties | Properties of the vault | VaultProperties (required) |
Name | Description | Value |
---|---|---|
accessPolicies | An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When createMode is set to recover , access policies are not required. Otherwise, access policies are required. |
AccessPolicyEntry[] |
createMode | The vault's create mode to indicate whether the vault need to be recovered or not. | 'default' 'recover' |
enabledForDeployment | Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. | bool |
enabledForDiskEncryption | Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | bool |
enabledForTemplateDeployment | Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. | bool |
enablePurgeProtection | Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value. | bool |
enableRbacAuthorization | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | bool |
enableSoftDelete | Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false. | bool |
networkAcls | Rules governing the accessibility of the key vault from specific network locations. | NetworkRuleSet |
provisioningState | Provisioning state of the vault. | 'RegisteringDns' 'Succeeded' |
publicNetworkAccess | Property to specify whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules. | string |
sku | SKU details | Sku (required) |
softDeleteRetentionInDays | softDelete data retention days. It accepts >=7 and <=90. | int |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string (required) Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
vaultUri | The URI of the vault for performing operations on keys and secrets. | string |
Name | Description | Value |
---|---|---|
applicationId | Application ID of the client making request on behalf of a principal | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string (required) |
permissions | Permissions the identity has for keys, secrets and certificates. | Permissions (required) |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string (required) Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
Name | Description | Value |
---|---|---|
certificates | Permissions to certificates | String array containing any of: 'all' 'backup' 'create' 'delete' 'deleteissuers' 'get' 'getissuers' 'import' 'list' 'listissuers' 'managecontacts' 'manageissuers' 'purge' 'recover' 'restore' 'setissuers' 'update' |
keys | Permissions to keys | String array containing any of: 'all' 'backup' 'create' 'decrypt' 'delete' 'encrypt' 'get' 'getrotationpolicy' 'import' 'list' 'purge' 'recover' 'release' 'restore' 'rotate' 'setrotationpolicy' 'sign' 'unwrapKey' 'update' 'verify' 'wrapKey' |
secrets | Permissions to secrets | String array containing any of: 'all' 'backup' 'delete' 'get' 'list' 'purge' 'recover' 'restore' 'set' |
storage | Permissions to storage accounts | String array containing any of: 'all' 'backup' 'delete' 'deletesas' 'get' 'getsas' 'list' 'listsas' 'purge' 'recover' 'regeneratekey' 'restore' 'set' 'setsas' 'update' |
Name | Description | Value |
---|---|---|
bypass | Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. | 'AzureServices' 'None' |
defaultAction | The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. | 'Allow' 'Deny' |
ipRules | The list of IP address rules. | IPRule[] |
virtualNetworkRules | The list of virtual network rules. | VirtualNetworkRule[] |
Name | Description | Value |
---|---|---|
value | An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). | string (required) |
Name | Description | Value |
---|---|---|
id | Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. | string (required) |
ignoreMissingVnetServiceEndpoint | Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured. | bool |
Name | Description | Value |
---|---|---|
family | SKU family name | 'A' (required) |
name | SKU name to specify whether the key vault is a standard vault or a premium vault. | 'premium' 'standard' (required) |
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
AKS Cluster with a NAT Gateway and an Application Gateway |
This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
Create a Private AKS Cluster with a Public DNS Zone |
This sample shows how to a deploy a private AKS cluster with a Public DNS Zone. |
Deploy the Sports Analytics on Azure Architecture |
Creates an Azure storage account with ADLS Gen 2 enabled, an Azure Data Factory instance with linked services for the storage account (an the Azure SQL Database if deployed), and an Azure Databricks instance. The AAD identity for the user deploying the template and the managed identity for the ADF instance will be granted the Storage Blob Data Contributor role on the storage account. There are also options to deploy an Azure Key Vault instance, an Azure SQL Database, and an Azure Event Hub (for streaming use cases). When an Azure Key Vault is deployed, the data factory managed identity and the AAD identity for the user deploying the template will be granted the Key Vault Secrets User role. |
Azure Machine Learning Workspace |
This template creates a new Azure Machine Learning Workspace, along with an encrypted Storage Account, KeyVault and Applications Insights Logging |
Create a KeyVault |
This module creates a KeyVault resource with apiVersion 2019-09-01. |
Create an API Management service with SSL from KeyVault |
This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours. |
Creates a Dapr pub-sub servicebus app using Container Apps |
Create a Dapr pub-sub servicebus app using Container Apps. |
creates an Azure Stack HCI 23H2 cluster |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
creates an Azure Stack HCI 23H2 cluster |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template, using custom storage IP |
creates an Azure Stack HCI 23H2 cluster in Switchless-Dual-link Networking mode |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
creates an Azure Stack HCI 23H2 cluster in Switchless-SingleLink networking mode |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
Create a new encrypted windows vm from gallery image |
This template creates a new encrypted windows vm using the server 2k12 gallery image. |
Create new encrypted managed disks win-vm from gallery image |
This template creates a new encrypted managed disks windows vm using the server 2k12 gallery image. |
This template encrypts a running Windows VMSS |
This template enables encryption on a running Windows VM Scale Set |
Enable encryption on a running Windows VM |
This template enables encryption on a running windows vm. |
Create and encrypt a new Windows VMSS with jumpbox |
This template allows you to deploy a simple VM Scale Set of Windows VMs using the lastest patched version of serveral Windows versions. This template also deploys a jumpbox with a public IP address in the same virtual network. You can connect to the jumpbox via this public IP address, then connect from there to VMs in the scale set via private IP addresses.This template enables encryption on the VM Scale Set of Windows VMs. |
Create an Azure Key Vault and a secret |
This template creates an Azure Key Vault and a secret. |
Create an Azure Key Vault with RBAC and a secret |
This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets |
Create key vault, managed identity, and role assignment |
This template creates a key vault, managed identity, and role assignment. |
Connect to a Key Vault via private endpoint |
This sample shows how to use configure a virtual network and private DNS zone to access Key Vault via private endpoint. |
Create a Key Vault and a list of secrets |
This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters |
Create Key Vault with logging enabled |
This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources. |
Azure AI Studio basic setup |
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
Azure AI Studio basic setup |
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
Azure AI Studio with Microsoft Entra ID Authentication |
This set of templates demonstrates how to set up Azure AI Studio with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage. |
Create AML workspace with multiple Datasets & Datastores |
This template creates Azure Machine Learning workspace with multiple datasets & datastores. |
Azure Machine Learning end-to-end secure setup |
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
Azure Machine Learning end-to-end secure setup (legacy) |
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
Create an AKS compute target with a Private IP address |
This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address. |
Create an Azure Machine Learning service workspace |
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the minimal set of resources you require to get started with Azure Machine Learning. |
Create an Azure Machine Learning service workspace (CMK) |
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. The example shows how to configure Azure Machine Learning for encryption with a customer-managed encryption key. |
Create an Azure Machine Learning service workspace (CMK) |
This deployment template specifies how to create an Azure Machine Learning workspace with service-side encryption using your encryption keys. |
Create an Azure Machine Learning service workspace (vnet) |
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. |
Create an Azure Machine Learning service workspace (legacy) |
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. |
AKS cluster with the Application Gateway Ingress Controller |
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault |
Create an Application Gateway V2 with Key Vault |
This template deploys an Application Gateway V2 in a Virtual Network, a user defined identity, Key Vault, a secret (cert data), and access policy on Key Vault and Application Gateway. |
Testing environment for Azure Firewall Premium |
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
Creates a Cross-tenant Private Endpoint resource |
This template allows you to create Priavate Endpoint resource within the same or cross-tenant environment and add dns zone configuration. |
Create Application Gateway with Certificates |
This template shows how to generate Key Vault self-signed certificates, then reference from Application Gateway. |
Azure Storage Account Encryption with customer-managed key |
This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault. |
App Service Environment with Azure SQL backend |
This template creates an App Service Environment with an Azure SQL backend along with private endpoints along with associated resources typically used in an private/isolated environment. |
Azure Function app and an HTTP-triggered function |
This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key. |
Application Gateway with internal API Management and Web App |
Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App. |
The vaults resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
To create a Microsoft.KeyVault/vaults resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.KeyVault/vaults@2023-02-01"
name = "string"
location = "string"
parent_id = "string"
tags = {
tagName1 = "tagValue1"
tagName2 = "tagValue2"
}
body = jsonencode({
properties = {
accessPolicies = [
{
applicationId = "string"
objectId = "string"
permissions = {
certificates = [
"string"
]
keys = [
"string"
]
secrets = [
"string"
]
storage = [
"string"
]
}
tenantId = "string"
}
]
createMode = "string"
enabledForDeployment = bool
enabledForDiskEncryption = bool
enabledForTemplateDeployment = bool
enablePurgeProtection = bool
enableRbacAuthorization = bool
enableSoftDelete = bool
networkAcls = {
bypass = "string"
defaultAction = "string"
ipRules = [
{
value = "string"
}
]
virtualNetworkRules = [
{
id = "string"
ignoreMissingVnetServiceEndpoint = bool
}
]
}
provisioningState = "string"
publicNetworkAccess = "string"
sku = {
family = "A"
name = "string"
}
softDeleteRetentionInDays = int
tenantId = "string"
vaultUri = "string"
}
})
}
Name | Description | Value |
---|---|---|
type | The resource type | "Microsoft.KeyVault/vaults@2023-02-01" |
name | The resource name | string (required) Character limit: 3-24 Valid characters: Alphanumerics and hyphens. Start with letter. End with letter or digit. Can't contain consecutive hyphens. Resource name must be unique across Azure. |
location | The supported Azure location where the key vault should be created. | string (required) |
parent_id | To deploy to a resource group, use the ID of that resource group. | string (required) |
tags | The tags that will be assigned to the key vault. | Dictionary of tag names and values. |
properties | Properties of the vault | VaultProperties (required) |
Name | Description | Value |
---|---|---|
accessPolicies | An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When createMode is set to recover , access policies are not required. Otherwise, access policies are required. |
AccessPolicyEntry[] |
createMode | The vault's create mode to indicate whether the vault need to be recovered or not. | "default" "recover" |
enabledForDeployment | Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. | bool |
enabledForDiskEncryption | Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | bool |
enabledForTemplateDeployment | Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. | bool |
enablePurgeProtection | Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value. | bool |
enableRbacAuthorization | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | bool |
enableSoftDelete | Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false. | bool |
networkAcls | Rules governing the accessibility of the key vault from specific network locations. | NetworkRuleSet |
provisioningState | Provisioning state of the vault. | "RegisteringDns" "Succeeded" |
publicNetworkAccess | Property to specify whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules. | string |
sku | SKU details | Sku (required) |
softDeleteRetentionInDays | softDelete data retention days. It accepts >=7 and <=90. | int |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string (required) Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
vaultUri | The URI of the vault for performing operations on keys and secrets. | string |
Name | Description | Value |
---|---|---|
applicationId | Application ID of the client making request on behalf of a principal | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string (required) |
permissions | Permissions the identity has for keys, secrets and certificates. | Permissions (required) |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string (required) Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
Name | Description | Value |
---|---|---|
certificates | Permissions to certificates | String array containing any of: "all" "backup" "create" "delete" "deleteissuers" "get" "getissuers" "import" "list" "listissuers" "managecontacts" "manageissuers" "purge" "recover" "restore" "setissuers" "update" |
keys | Permissions to keys | String array containing any of: "all" "backup" "create" "decrypt" "delete" "encrypt" "get" "getrotationpolicy" "import" "list" "purge" "recover" "release" "restore" "rotate" "setrotationpolicy" "sign" "unwrapKey" "update" "verify" "wrapKey" |
secrets | Permissions to secrets | String array containing any of: "all" "backup" "delete" "get" "list" "purge" "recover" "restore" "set" |
storage | Permissions to storage accounts | String array containing any of: "all" "backup" "delete" "deletesas" "get" "getsas" "list" "listsas" "purge" "recover" "regeneratekey" "restore" "set" "setsas" "update" |
Name | Description | Value |
---|---|---|
bypass | Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. | "AzureServices" "None" |
defaultAction | The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. | "Allow" "Deny" |
ipRules | The list of IP address rules. | IPRule[] |
virtualNetworkRules | The list of virtual network rules. | VirtualNetworkRule[] |
Name | Description | Value |
---|---|---|
value | An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). | string (required) |
Name | Description | Value |
---|---|---|
id | Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. | string (required) |
ignoreMissingVnetServiceEndpoint | Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured. | bool |
Name | Description | Value |
---|---|---|
family | SKU family name | "A" (required) |
name | SKU name to specify whether the key vault is a standard vault or a premium vault. | "premium" "standard" (required) |