Microsoft.KeyVault managedHSMs/keys 2022-11-01

Bicep resource definition

The managedHSMs/keys resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/managedHSMs/keys resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.KeyVault/managedHSMs/keys@2022-11-01' = {
  name: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  parent: resourceSymbolicName
  properties: {
    attributes: {
      enabled: bool
      exp: int
      exportable: bool
      nbf: int
    }
    curveName: 'string'
    keyOps: [
      'string'
    ]
    keySize: int
    kty: 'string'
    release_policy: {
      contentType: 'string'
      data: 'string'
    }
    rotationPolicy: {
      attributes: {
        expiryTime: 'string'
      }
      lifetimeActions: [
        {
          action: {
            type: 'string'
          }
          trigger: {
            timeAfterCreate: 'string'
            timeBeforeExpiry: 'string'
          }
        }
      ]
    }
  }
}

Property values

managedHSMs/keys

Name Description Value
name The resource name

See how to set names and types for child resources in Bicep.
string (required)
tags The tags that will be assigned to the key. Dictionary of tag names and values. See Tags in templates
parent In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource.

For more information, see Child resource outside parent resource.
Symbolic name for resource of type: managedHSMs
properties The properties of the key to be created. ManagedHsmKeyProperties (required)

ManagedHsmKeyProperties

Name Description Value
attributes The attributes of the key. ManagedHsmKeyAttributes
curveName The elliptic curve name. For valid values, see JsonWebKeyCurveName. 'P-256'
'P-256K'
'P-384'
'P-521'
keyOps String array containing any of:
'decrypt'
'encrypt'
'import'
'release'
'sign'
'unwrapKey'
'verify'
'wrapKey'
keySize The key size in bits. For example: 2048, 3072, or 4096 for RSA. int
kty The type of the key. For valid values, see JsonWebKeyType. 'EC'
'EC-HSM'
'RSA'
'RSA-HSM'
release_policy Key release policy in response. It will be used for both output and input. Omitted if empty ManagedHsmKeyReleasePolicy
rotationPolicy Key rotation policy in response. It will be used for both output and input. Omitted if empty ManagedHsmRotationPolicy

ManagedHsmKeyAttributes

Name Description Value
enabled Determines whether or not the object is enabled. bool
exp Expiry date in seconds since 1970-01-01T00:00:00Z. int
exportable Indicates if the private key can be exported. bool
nbf Not before date in seconds since 1970-01-01T00:00:00Z. int

ManagedHsmKeyReleasePolicy

Name Description Value
contentType Content type and version of key release policy string
data Blob encoding the policy rules under which the key can be released. string

ManagedHsmRotationPolicy

Name Description Value
attributes The attributes of key rotation policy. ManagedHsmKeyRotationPolicyAttributes
lifetimeActions The lifetimeActions for key rotation action. ManagedHsmLifetimeAction[]

ManagedHsmKeyRotationPolicyAttributes

Name Description Value
expiryTime The expiration time for the new key version. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. string

ManagedHsmLifetimeAction

Name Description Value
action The action of key rotation policy lifetimeAction. ManagedHsmAction
trigger The trigger of key rotation policy lifetimeAction. ManagedHsmTrigger

ManagedHsmAction

Name Description Value
type The type of the action. The value should be compared case-insensitively. 'Notify'
'Rotate'

ManagedHsmTrigger

Name Description Value
timeAfterCreate The time duration after key creation to rotate the key. It only applies to rotate. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. string
timeBeforeExpiry The time duration before key expiring to rotate or notify. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. string

ARM template resource definition

The managedHSMs/keys resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/managedHSMs/keys resource, add the following JSON to your template.

{
  "type": "Microsoft.KeyVault/managedHSMs/keys",
  "apiVersion": "2022-11-01",
  "name": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "properties": {
    "attributes": {
      "enabled": "bool",
      "exp": "int",
      "exportable": "bool",
      "nbf": "int"
    },
    "curveName": "string",
    "keyOps": [ "string" ],
    "keySize": "int",
    "kty": "string",
    "release_policy": {
      "contentType": "string",
      "data": "string"
    },
    "rotationPolicy": {
      "attributes": {
        "expiryTime": "string"
      },
      "lifetimeActions": [
        {
          "action": {
            "type": "string"
          },
          "trigger": {
            "timeAfterCreate": "string",
            "timeBeforeExpiry": "string"
          }
        }
      ]
    }
  }
}

Property values

managedHSMs/keys

Name Description Value
type The resource type 'Microsoft.KeyVault/managedHSMs/keys'
apiVersion The resource api version '2022-11-01'
name The resource name

See how to set names and types for child resources in JSON ARM templates.
string (required)
tags The tags that will be assigned to the key. Dictionary of tag names and values. See Tags in templates
properties The properties of the key to be created. ManagedHsmKeyProperties (required)

ManagedHsmKeyProperties

Name Description Value
attributes The attributes of the key. ManagedHsmKeyAttributes
curveName The elliptic curve name. For valid values, see JsonWebKeyCurveName. 'P-256'
'P-256K'
'P-384'
'P-521'
keyOps String array containing any of:
'decrypt'
'encrypt'
'import'
'release'
'sign'
'unwrapKey'
'verify'
'wrapKey'
keySize The key size in bits. For example: 2048, 3072, or 4096 for RSA. int
kty The type of the key. For valid values, see JsonWebKeyType. 'EC'
'EC-HSM'
'RSA'
'RSA-HSM'
release_policy Key release policy in response. It will be used for both output and input. Omitted if empty ManagedHsmKeyReleasePolicy
rotationPolicy Key rotation policy in response. It will be used for both output and input. Omitted if empty ManagedHsmRotationPolicy

ManagedHsmKeyAttributes

Name Description Value
enabled Determines whether or not the object is enabled. bool
exp Expiry date in seconds since 1970-01-01T00:00:00Z. int
exportable Indicates if the private key can be exported. bool
nbf Not before date in seconds since 1970-01-01T00:00:00Z. int

ManagedHsmKeyReleasePolicy

Name Description Value
contentType Content type and version of key release policy string
data Blob encoding the policy rules under which the key can be released. string

ManagedHsmRotationPolicy

Name Description Value
attributes The attributes of key rotation policy. ManagedHsmKeyRotationPolicyAttributes
lifetimeActions The lifetimeActions for key rotation action. ManagedHsmLifetimeAction[]

ManagedHsmKeyRotationPolicyAttributes

Name Description Value
expiryTime The expiration time for the new key version. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. string

ManagedHsmLifetimeAction

Name Description Value
action The action of key rotation policy lifetimeAction. ManagedHsmAction
trigger The trigger of key rotation policy lifetimeAction. ManagedHsmTrigger

ManagedHsmAction

Name Description Value
type The type of the action. The value should be compared case-insensitively. 'Notify'
'Rotate'

ManagedHsmTrigger

Name Description Value
timeAfterCreate The time duration after key creation to rotate the key. It only applies to rotate. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. string
timeBeforeExpiry The time duration before key expiring to rotate or notify. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. string

Terraform (AzAPI provider) resource definition

The managedHSMs/keys resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/managedHSMs/keys resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.KeyVault/managedHSMs/keys@2022-11-01"
  name = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  body = jsonencode({
    properties = {
      attributes = {
        enabled = bool
        exp = int
        exportable = bool
        nbf = int
      }
      curveName = "string"
      keyOps = [
        "string"
      ]
      keySize = int
      kty = "string"
      release_policy = {
        contentType = "string"
        data = "string"
      }
      rotationPolicy = {
        attributes = {
          expiryTime = "string"
        }
        lifetimeActions = [
          {
            action = {
              type = "string"
            }
            trigger = {
              timeAfterCreate = "string"
              timeBeforeExpiry = "string"
            }
          }
        ]
      }
    }
  })
}

Property values

managedHSMs/keys

Name Description Value
type The resource type "Microsoft.KeyVault/managedHSMs/keys@2022-11-01"
name The resource name string (required)
parent_id The ID of the resource that is the parent for this resource. ID for resource of type: managedHSMs
tags The tags that will be assigned to the key. Dictionary of tag names and values.
properties The properties of the key to be created. ManagedHsmKeyProperties (required)

ManagedHsmKeyProperties

Name Description Value
attributes The attributes of the key. ManagedHsmKeyAttributes
curveName The elliptic curve name. For valid values, see JsonWebKeyCurveName. "P-256"
"P-256K"
"P-384"
"P-521"
keyOps String array containing any of:
"decrypt"
"encrypt"
"import"
"release"
"sign"
"unwrapKey"
"verify"
"wrapKey"
keySize The key size in bits. For example: 2048, 3072, or 4096 for RSA. int
kty The type of the key. For valid values, see JsonWebKeyType. "EC"
"EC-HSM"
"RSA"
"RSA-HSM"
release_policy Key release policy in response. It will be used for both output and input. Omitted if empty ManagedHsmKeyReleasePolicy
rotationPolicy Key rotation policy in response. It will be used for both output and input. Omitted if empty ManagedHsmRotationPolicy

ManagedHsmKeyAttributes

Name Description Value
enabled Determines whether or not the object is enabled. bool
exp Expiry date in seconds since 1970-01-01T00:00:00Z. int
exportable Indicates if the private key can be exported. bool
nbf Not before date in seconds since 1970-01-01T00:00:00Z. int

ManagedHsmKeyReleasePolicy

Name Description Value
contentType Content type and version of key release policy string
data Blob encoding the policy rules under which the key can be released. string

ManagedHsmRotationPolicy

Name Description Value
attributes The attributes of key rotation policy. ManagedHsmKeyRotationPolicyAttributes
lifetimeActions The lifetimeActions for key rotation action. ManagedHsmLifetimeAction[]

ManagedHsmKeyRotationPolicyAttributes

Name Description Value
expiryTime The expiration time for the new key version. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. string

ManagedHsmLifetimeAction

Name Description Value
action The action of key rotation policy lifetimeAction. ManagedHsmAction
trigger The trigger of key rotation policy lifetimeAction. ManagedHsmTrigger

ManagedHsmAction

Name Description Value
type The type of the action. The value should be compared case-insensitively. "Notify"
"Rotate"

ManagedHsmTrigger

Name Description Value
timeAfterCreate The time duration after key creation to rotate the key. It only applies to rotate. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. string
timeBeforeExpiry The time duration before key expiring to rotate or notify. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. string