Microsoft.KeyVault vaults/secrets 2023-02-01

Bicep resource definition

The vaults/secrets resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Remarks

For guidance on using key vaults for secure values, see Manage secrets by using Bicep.

For a quickstart on creating a secret, see Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template.

For a quickstart on creating a key, see Quickstart: Create an Azure key vault and a key by using ARM template.

Resource format

To create a Microsoft.KeyVault/vaults/secrets resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = {
  name: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  parent: resourceSymbolicName
  properties: {
    attributes: {
      enabled: bool
      exp: int
      nbf: int
    }
    contentType: 'string'
    value: 'string'
  }
}

Property values

vaults/secrets

| Name | Description | Value |
| --- | --- | --- |
| name | The resource name. See how to set names and types for child resources in Bicep. | string (required). Character limit: 1-127. Valid characters: alphanumerics and hyphens. |
| tags | The tags that will be assigned to the secret. | Dictionary of tag names and values. See Tags in templates |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. | Symbolic name for resource of type: vaults |
| properties | Properties of the secret | SecretProperties (required) |

SecretProperties

| Name | Description | Value |
| --- | --- | --- |
| attributes | The attributes of the secret. | SecretAttributes |
| contentType | The content type of the secret. | string |
| value | The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. | string |

SecretAttributes

| Name | Description | Value |
| --- | --- | --- |
| enabled | Determines whether the object is enabled. | bool |
| exp | Expiry date in seconds since 1970-01-01T00:00:00Z. | int |
| nbf | Not before date in seconds since 1970-01-01T00:00:00Z. | int |
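
A filled-in version of the skeleton above, added here as an example and not part of the original reference page. It takes the value as a secure parameter and derives exp and nbf as epoch seconds; the parameter names, the 90-day window, the five-minute clock-skew allowance and the pre-existing vault are assumptions.

```bicep
// Added example, not from the original page. Assumed: the vault already exists,
// and the parameter names, 90-day window and 5-minute skew are illustrative.
@description('Name of an existing key vault in the target resource group.')
param vaultName string

@description('Secret name: 1-127 characters, alphanumerics and hyphens.')
@minLength(1)
@maxLength(127)
param secretName string

@description('Secret value; @secure() keeps it out of deployment history and logs.')
@secure()
param secretValue string

@description('Days until the secret expires.')
@minValue(1)
param validDays int = 90

@description('Deployment time. utcNow() is only allowed as a parameter default.')
param now string = utcNow()

// exp and nbf are integers: seconds since 1970-01-01T00:00:00Z.
// nbf is set five minutes back to tolerate clock skew between services.
var notBefore = dateTimeToEpoch(dateTimeAdd(now, '-PT5M'))
var expires = dateTimeToEpoch(dateTimeAdd(now, 'P${validDays}D'))

resource vault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: vaultName
}

resource secret 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = {
  parent: vault
  name: secretName
  tags: {
    rotationDays: string(validDays)
  }
  properties: {
    contentType: 'text/plain'
    value: secretValue
    attributes: {
      enabled: true
      nbf: notBefore
      exp: expires
    }
  }
}

// Expose only the resource ID; the ARM API never returns 'value'.
output secretId string = secret.id
```

Supply secretValue at deployment time from a pipeline secret store rather than from a committed parameter file.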

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Create an API Management service with SSL from KeyVault | This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours. |
| creates an Azure Stack HCI 23H2 cluster | This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
| creates an Azure Stack HCI 23H2 cluster | This template creates an Azure Stack HCI 23H2 cluster using an ARM template, using custom storage IP |
| creates an Azure Stack HCI 23H2 cluster in Switchless-Dual-link Networking mode | This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
| creates an Azure Stack HCI 23H2 cluster in Switchless-SingleLink networking mode | This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
| Create an Azure Key Vault and a secret | This template creates an Azure Key Vault and a secret. |
| Create an Azure Key Vault with RBAC and a secret | This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets |
| Connect to a Key Vault via private endpoint | This sample shows how to configure a virtual network and private DNS zone to access Key Vault via private endpoint. |
| Create a Key Vault and a list of secrets | This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters |
| Create Azure Maps SAS token stored in an Azure Key Vault | This template deploys an Azure Maps account and lists a SAS token based on the provided User Assigned identity to be stored in an Azure Key Vault secret. |
| Create an Application Gateway V2 with Key Vault | This template deploys an Application Gateway V2 in a Virtual Network, a user defined identity, Key Vault, a secret (cert data), and access policy on Key Vault and Application Gateway. |
| Testing environment for Azure Firewall Premium | This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
| Create ssh-keys and store in KeyVault | This template uses the deploymentScript resource to generate ssh keys and stores the private key in keyVault. |
| Azure Function app and an HTTP-triggered function | This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key. |
| Application Gateway with internal API Management and Web App | Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App. |

ARM template resource definition

The vaults/secrets resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults/secrets resource, add the following JSON to your template.

{
  "type": "Microsoft.KeyVault/vaults/secrets",
  "apiVersion": "2023-02-01",
  "name": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "properties": {
    "attributes": {
      "enabled": "bool",
      "exp": "int",
      "nbf": "int"
    },
    "contentType": "string",
    "value": "string"
  }
}

Property values

vaults/secrets

| Name | Description | Value |
| --- | --- | --- |
| type | The resource type | 'Microsoft.KeyVault/vaults/secrets' |
| apiVersion | The resource api version | '2023-02-01' |
| name | The resource name. See how to set names and types for child resources in JSON ARM templates. | string (required). Character limit: 1-127. Valid characters: alphanumerics and hyphens. |
| tags | The tags that will be assigned to the secret. | Dictionary of tag names and values. See Tags in templates |
| properties | Properties of the secret | SecretProperties (required) |

SecretProperties

| Name | Description | Value |
| --- | --- | --- |
| attributes | The attributes of the secret. | SecretAttributes |
| contentType | The content type of the secret. | string |
| value | The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. | string |

SecretAttributes

| Name | Description | Value |
| --- | --- | --- |
| enabled | Determines whether the object is enabled. | bool |
| exp | Expiry date in seconds since 1970-01-01T00:00:00Z. | int |
| nbf | Not before date in seconds since 1970-01-01T00:00:00Z. | int |

Terraform (AzAPI provider) resource definition

The vaults/secrets resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults/secrets resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.KeyVault/vaults/secrets@2023-02-01"
  name = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  body = jsonencode({
    properties = {
      attributes = {
        enabled = bool
        exp = int
        nbf = int
      }
      contentType = "string"
      value = "string"
    }
  })
}

Property values

vaults/secrets

| Name | Description | Value |
| --- | --- | --- |
| type | The resource type | "Microsoft.KeyVault/vaults/secrets@2023-02-01" |
| name | The resource name | string (required). Character limit: 1-127. Valid characters: alphanumerics and hyphens. |
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: vaults |
| tags | The tags that will be assigned to the secret. | Dictionary of tag names and values. |
| properties | Properties of the secret | SecretProperties (required) |

SecretProperties

| Name | Description | Value |
| --- | --- | --- |
| attributes | The attributes of the secret. | SecretAttributes |
| contentType | The content type of the secret. | string |
| value | The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. | string |

SecretAttributes

| Name | Description | Value |
| --- | --- | --- |
| enabled | Determines whether the object is enabled. | bool |
| exp | Expiry date in seconds since 1970-01-01T00:00:00Z. | int |
| nbf | Not before date in seconds since 1970-01-01T00:00:00Z. | int |