Microsoft.KeyVault vaults/accessPolicies 2022-11-01

• Latest
• 2023-07-01
• 2023-02-01
• 2022-11-01
• 2022-07-01
• 2022-02-01-preview
• 2021-11-01-preview
• 2021-10-01
• 2021-06-01-preview
• 2021-04-01-preview
• 2020-04-01-preview
• 2019-09-01
• 2018-02-14
• 2018-02-14-preview
• 2016-10-01

Bicep resource definition

The vaults/accessPolicies resource type can be deployed with operations that target:

• Resource groups - See resource group deployment commands

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.KeyVault/vaults/accessPolicies@2022-11-01' = {
  name: 'string'
  parent: resourceSymbolicName
  properties: {
    accessPolicies: [
      {
        applicationId: 'string'
        objectId: 'string'
        permissions: {
          certificates: [
            'string'
          ]
          keys: [
            'string'
          ]
          secrets: [
            'string'
          ]
          storage: [
            'string'
          ]
        }
        tenantId: 'string'
      }
    ]
  }
}

Property values

vaults/accessPolicies

Name	Description	Value
name	The resource name See how to set names and types for child resources in Bicep.	string (required)
parent	In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource.	Symbolic name for resource of type: vaults
properties	Properties of the access policy	VaultAccessPolicyProperties (required)

VaultAccessPolicyProperties

Name	Description	Value
accessPolicies	An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.	AccessPolicyEntry[] (required)

AccessPolicyEntry

Name	Description	Value
applicationId	Application ID of the client making request on behalf of a principal	string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
objectId	The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.	string (required)
permissions	Permissions the identity has for keys, secrets and certificates.	Permissions (required)
tenantId	The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.	string (required) Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

Permissions

Name	Description	Value
certificates	Permissions to certificates	String array containing any of: 'all' 'backup' 'create' 'delete' 'deleteissuers' 'get' 'getissuers' 'import' 'list' 'listissuers' 'managecontacts' 'manageissuers' 'purge' 'recover' 'restore' 'setissuers' 'update'
keys	Permissions to keys	String array containing any of: 'all' 'backup' 'create' 'decrypt' 'delete' 'encrypt' 'get' 'getrotationpolicy' 'import' 'list' 'purge' 'recover' 'release' 'restore' 'rotate' 'setrotationpolicy' 'sign' 'unwrapKey' 'update' 'verify' 'wrapKey'
secrets	Permissions to secrets	String array containing any of: 'all' 'backup' 'delete' 'get' 'list' 'purge' 'recover' 'restore' 'set'
storage	Permissions to storage accounts	String array containing any of: 'all' 'backup' 'delete' 'deletesas' 'get' 'getsas' 'list' 'listsas' 'purge' 'recover' 'regeneratekey' 'restore' 'set' 'setsas' 'update'

Quickstart templates

The following quickstart templates deploy this resource type.

Template	Description
Create an Azure SQL Server, with data encryption protector	This template creates an Azure SQL server, activates the data encryption protector using a given key stored in a given Key Vault
Deploy an Azure Databricks Workspace with PE,CMK all forms	This template allows you to create an Azure Databricks workspace with PrivateEndpoint and managed services and CMK with DBFS encryption.
AzureDatabricks Template with Default Storage Firewall	This template allows you to create an Default Storage Firewall enabled Azure Databricks workspace with Privateendpoint, all three forms of CMK, and User-Assigned Access Connector.
Deploy an Azure Databricks Workspace with all 3 forms of CMK	This template allows you to create an Azure Databricks workspace with managed services and CMK with DBFS encryption.
Deploy an Azure Databricks WS with CMK for DBFS encryption	This template allows you to create an Azure Databricks workspace with CMK for DBFS root encryption
Deploy an Azure Databricks Workspace with Managed Disks CMK	This template allows you to create an Azure Databricks workspace with Managed Disks CMK.
Deploy Azure Databricks Workspace with Managed Services CMK	This template allows you to create an Azure Databricks workspace with Managed Services CMK.
Deploy Data Lake Store account with encryption(Key Vault)	This template allows you to deploy an Azure Data Lake Store account with data encryption enabled. This account uses Azure Key Vault to manage the encryption key.
Add KeyVault Access Policy	Add an access policy to an existing KeyVault without removing existing policies.
User assigned identity role assignment template	A template that creates role assignments of user assigned identity on resources that Azure Machine Learning workspace depends on

ARM template resource definition

The vaults/accessPolicies resource type can be deployed with operations that target:

• Resource groups - See resource group deployment commands

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following JSON to your template.

{
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "apiVersion": "2022-11-01",
  "name": "string",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": "string",
        "objectId": "string",
        "permissions": {
          "certificates": [ "string" ],
          "keys": [ "string" ],
          "secrets": [ "string" ],
          "storage": [ "string" ]
        },
        "tenantId": "string"
      }
    ]
  }
}

Property values

vaults/accessPolicies

Name	Description	Value
type	The resource type	'Microsoft.KeyVault/vaults/accessPolicies'
apiVersion	The resource api version	'2022-11-01'
name	The resource name See how to set names and types for child resources in JSON ARM templates.	string (required)
properties	Properties of the access policy	VaultAccessPolicyProperties (required)

VaultAccessPolicyProperties

Name	Description	Value
accessPolicies	An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.	AccessPolicyEntry[] (required)

AccessPolicyEntry

Name	Description	Value
applicationId	Application ID of the client making request on behalf of a principal	string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
objectId	The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.	string (required)
permissions	Permissions the identity has for keys, secrets and certificates.	Permissions (required)
tenantId	The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.	string (required) Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

Permissions

Name	Description	Value
certificates	Permissions to certificates	String array containing any of: 'all' 'backup' 'create' 'delete' 'deleteissuers' 'get' 'getissuers' 'import' 'list' 'listissuers' 'managecontacts' 'manageissuers' 'purge' 'recover' 'restore' 'setissuers' 'update'
keys	Permissions to keys	String array containing any of: 'all' 'backup' 'create' 'decrypt' 'delete' 'encrypt' 'get' 'getrotationpolicy' 'import' 'list' 'purge' 'recover' 'release' 'restore' 'rotate' 'setrotationpolicy' 'sign' 'unwrapKey' 'update' 'verify' 'wrapKey'
secrets	Permissions to secrets	String array containing any of: 'all' 'backup' 'delete' 'get' 'list' 'purge' 'recover' 'restore' 'set'
storage	Permissions to storage accounts	String array containing any of: 'all' 'backup' 'delete' 'deletesas' 'get' 'getsas' 'list' 'listsas' 'purge' 'recover' 'regeneratekey' 'restore' 'set' 'setsas' 'update'

Quickstart templates

The following quickstart templates deploy this resource type.

Template	Description
Create an Azure SQL Server, with data encryption protector	This template creates an Azure SQL server, activates the data encryption protector using a given key stored in a given Key Vault
Deploy an Azure Databricks Workspace with PE,CMK all forms	This template allows you to create an Azure Databricks workspace with PrivateEndpoint and managed services and CMK with DBFS encryption.
AzureDatabricks Template with Default Storage Firewall	This template allows you to create an Default Storage Firewall enabled Azure Databricks workspace with Privateendpoint, all three forms of CMK, and User-Assigned Access Connector.
Deploy an Azure Databricks Workspace with all 3 forms of CMK	This template allows you to create an Azure Databricks workspace with managed services and CMK with DBFS encryption.
Deploy an Azure Databricks WS with CMK for DBFS encryption	This template allows you to create an Azure Databricks workspace with CMK for DBFS root encryption
Deploy an Azure Databricks Workspace with Managed Disks CMK	This template allows you to create an Azure Databricks workspace with Managed Disks CMK.
Deploy Azure Databricks Workspace with Managed Services CMK	This template allows you to create an Azure Databricks workspace with Managed Services CMK.
Deploy Data Lake Store account with encryption(Key Vault)	This template allows you to deploy an Azure Data Lake Store account with data encryption enabled. This account uses Azure Key Vault to manage the encryption key.
Add KeyVault Access Policy	Add an access policy to an existing KeyVault without removing existing policies.
User assigned identity role assignment template	A template that creates role assignments of user assigned identity on resources that Azure Machine Learning workspace depends on

Terraform (AzAPI provider) resource definition

The vaults/accessPolicies resource type can be deployed with operations that target:

• Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.KeyVault/vaults/accessPolicies@2022-11-01"
  name = "string"
  parent_id = "string"
  body = jsonencode({
    properties = {
      accessPolicies = [
        {
          applicationId = "string"
          objectId = "string"
          permissions = {
            certificates = [
              "string"
            ]
            keys = [
              "string"
            ]
            secrets = [
              "string"
            ]
            storage = [
              "string"
            ]
          }
          tenantId = "string"
        }
      ]
    }
  })
}

Property values

vaults/accessPolicies

Name	Description	Value
type	The resource type	"Microsoft.KeyVault/vaults/accessPolicies@2022-11-01"
name	The resource name	string (required)
parent_id	The ID of the resource that is the parent for this resource.	ID for resource of type: vaults
properties	Properties of the access policy	VaultAccessPolicyProperties (required)

VaultAccessPolicyProperties

Name	Description	Value
accessPolicies	An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.	AccessPolicyEntry[] (required)

AccessPolicyEntry

Name	Description	Value
applicationId	Application ID of the client making request on behalf of a principal	string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
objectId	The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.	string (required)
permissions	Permissions the identity has for keys, secrets and certificates.	Permissions (required)
tenantId	The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.	string (required) Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

Permissions

Name	Description	Value
certificates	Permissions to certificates	String array containing any of: "all" "backup" "create" "delete" "deleteissuers" "get" "getissuers" "import" "list" "listissuers" "managecontacts" "manageissuers" "purge" "recover" "restore" "setissuers" "update"
keys	Permissions to keys	String array containing any of: "all" "backup" "create" "decrypt" "delete" "encrypt" "get" "getrotationpolicy" "import" "list" "purge" "recover" "release" "restore" "rotate" "setrotationpolicy" "sign" "unwrapKey" "update" "verify" "wrapKey"
secrets	Permissions to secrets	String array containing any of: "all" "backup" "delete" "get" "list" "purge" "recover" "restore" "set"
storage	Permissions to storage accounts	String array containing any of: "all" "backup" "delete" "deletesas" "get" "getsas" "list" "listsas" "purge" "recover" "regeneratekey" "restore" "set" "setsas" "update"