Microsoft.KeyVault vaults/secrets 2019-09-01
Bicep resource definition
The vaults/secrets resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Remarks
For guidance on using key vaults for secure values, see Manage secrets by using Bicep.
For a quickstart on creating a secret, see Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template.
For a quickstart on creating a key, see Quickstart: Create an Azure key vault and a key by using ARM template.
Resource format
To create a Microsoft.KeyVault/vaults/secrets resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
name: 'string'
tags: {
tagName1: 'tagValue1'
tagName2: 'tagValue2'
}
parent: resourceSymbolicName
properties: {
attributes: {
enabled: bool
exp: int
nbf: int
}
contentType: 'string'
value: 'string'
}
}
Property values
vaults/secrets
| Name | Description | Value |
|---|---|---|
| name | The resource name See how to set names and types for child resources in Bicep. |
string (required) Character limit: 1-127 Valid characters: Alphanumerics and hyphens. |
| tags | The tags that will be assigned to the secret. | Dictionary of tag names and values. See Tags in templates |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. |
Symbolic name for resource of type: vaults |
| properties | Properties of the secret | SecretProperties (required) |
SecretProperties
| Name | Description | Value |
|---|---|---|
| attributes | The attributes of the secret. | SecretAttributes |
| contentType | The content type of the secret. | string |
| value | The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. | string |
SecretAttributes
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether the object is enabled. | bool |
| exp | Expiry date in seconds since 1970-01-01T00:00:00Z. | int |
| nbf | Not before date in seconds since 1970-01-01T00:00:00Z. | int |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
Create an API Management service with SSL from KeyVault |
This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours. |
| creates an Azure Stack HCI 23H2 cluster |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
| creates an Azure Stack HCI 23H2 cluster |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template, using custom storage IP |
| creates an Azure Stack HCI 23H2 cluster in Switchless-Dual-link Networking mode |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
| creates an Azure Stack HCI 23H2 cluster in Switchless-SingleLink networking mode |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
| Create an Azure Key Vault and a secret |
This template creates an Azure Key Vault and a secret. |
| Create an Azure Key Vault with RBAC and a secret |
This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets |
| Connect to a Key Vault via private endpoint |
This sample shows how to use configure a virtual network and private DNS zone to access Key Vault via private endpoint. |
| Create a Key Vault and a list of secrets |
This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters |
| Create Azure Maps SAS token stored in an Azure Key Vault |
This template deploys and Azure Maps account and lists a Sas token based on the provided User Assigned identity to be stored in an Azure Key Vault secret. |
| Create an Application Gateway V2 with Key Vault |
This template deploys an Application Gateway V2 in a Virtual Network, a user defined identity, Key Vault, a secret (cert data), and access policy on Key Vault and Application Gateway. |
| Testing environment for Azure Firewall Premium |
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
| Create ssh-keys and store in KeyVault |
This template uses the deploymentScript resource to generate ssh keys and stores the private key in keyVault. |
| Azure Function app and an HTTP-triggered function |
This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key. |
| Application Gateway with internal API Management and Web App |
Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App. |
ARM template resource definition
The vaults/secrets resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Remarks
For guidance on using key vaults for secure values, see Manage secrets by using Bicep.
For a quickstart on creating a secret, see Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template.
For a quickstart on creating a key, see Quickstart: Create an Azure key vault and a key by using ARM template.
Resource format
To create a Microsoft.KeyVault/vaults/secrets resource, add the following JSON to your template.
{
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2019-09-01",
"name": "string",
"tags": {
"tagName1": "tagValue1",
"tagName2": "tagValue2"
},
"properties": {
"attributes": {
"enabled": "bool",
"exp": "int",
"nbf": "int"
},
"contentType": "string",
"value": "string"
}
}
Property values
vaults/secrets
| Name | Description | Value |
|---|---|---|
| type | The resource type | 'Microsoft.KeyVault/vaults/secrets' |
| apiVersion | The resource api version | '2019-09-01' |
| name | The resource name See how to set names and types for child resources in JSON ARM templates. |
string (required) Character limit: 1-127 Valid characters: Alphanumerics and hyphens. |
| tags | The tags that will be assigned to the secret. | Dictionary of tag names and values. See Tags in templates |
| properties | Properties of the secret | SecretProperties (required) |
SecretProperties
| Name | Description | Value |
|---|---|---|
| attributes | The attributes of the secret. | SecretAttributes |
| contentType | The content type of the secret. | string |
| value | The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. | string |
SecretAttributes
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether the object is enabled. | bool |
| exp | Expiry date in seconds since 1970-01-01T00:00:00Z. | int |
| nbf | Not before date in seconds since 1970-01-01T00:00:00Z. | int |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| Create an API Management service with SSL from KeyVault |
This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours. |
| creates an Azure Stack HCI 23H2 cluster |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
| creates an Azure Stack HCI 23H2 cluster |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template, using custom storage IP |
| creates an Azure Stack HCI 23H2 cluster in Switchless-Dual-link Networking mode |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
| creates an Azure Stack HCI 23H2 cluster in Switchless-SingleLink networking mode |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
| Create an Azure Key Vault and a secret |
This template creates an Azure Key Vault and a secret. |
| Create an Azure Key Vault with RBAC and a secret |
This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets |
| Connect to a Key Vault via private endpoint |
This sample shows how to use configure a virtual network and private DNS zone to access Key Vault via private endpoint. |
| Create a Key Vault and a list of secrets |
This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters |
| Create Azure Maps SAS token stored in an Azure Key Vault |
This template deploys and Azure Maps account and lists a Sas token based on the provided User Assigned identity to be stored in an Azure Key Vault secret. |
| Create an Application Gateway V2 with Key Vault |
This template deploys an Application Gateway V2 in a Virtual Network, a user defined identity, Key Vault, a secret (cert data), and access policy on Key Vault and Application Gateway. |
| Testing environment for Azure Firewall Premium |
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
| Create ssh-keys and store in KeyVault |
This template uses the deploymentScript resource to generate ssh keys and stores the private key in keyVault. |
| Azure Function app and an HTTP-triggered function |
This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key. |
| Application Gateway with internal API Management and Web App |
Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App. |
Terraform (AzAPI provider) resource definition
The vaults/secrets resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/secrets resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.KeyVault/vaults/secrets@2019-09-01"
name = "string"
parent_id = "string"
tags = {
tagName1 = "tagValue1"
tagName2 = "tagValue2"
}
body = jsonencode({
properties = {
attributes = {
enabled = bool
exp = int
nbf = int
}
contentType = "string"
value = "string"
}
})
}
Property values
vaults/secrets
| Name | Description | Value |
|---|---|---|
| type | The resource type | "Microsoft.KeyVault/vaults/secrets@2019-09-01" |
| name | The resource name | string (required) Character limit: 1-127 Valid characters: Alphanumerics and hyphens. |
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: vaults |
| tags | The tags that will be assigned to the secret. | Dictionary of tag names and values. |
| properties | Properties of the secret | SecretProperties (required) |
SecretProperties
| Name | Description | Value |
|---|---|---|
| attributes | The attributes of the secret. | SecretAttributes |
| contentType | The content type of the secret. | string |
| value | The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. | string |
SecretAttributes
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether the object is enabled. | bool |
| exp | Expiry date in seconds since 1970-01-01T00:00:00Z. | int |
| nbf | Not before date in seconds since 1970-01-01T00:00:00Z. | int |