Microsoft.KeyVault vaults/accessPolicies
Bicep resource definition
The vaults/accessPolicies resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.KeyVault/vaults/accessPolicies@2023-07-01' = {
name: 'string'
parent: resourceSymbolicName
properties: {
accessPolicies: [
{
applicationId: 'string'
objectId: 'string'
permissions: {
certificates: [
'string'
]
keys: [
'string'
]
secrets: [
'string'
]
storage: [
'string'
]
}
tenantId: 'string'
}
]
}
}
Property values
vaults/accessPolicies
Name | Description | Value |
---|---|---|
name | The resource name See how to set names and types for child resources in Bicep. |
string (required) |
parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. |
Symbolic name for resource of type: vaults |
properties | Properties of the access policy | VaultAccessPolicyProperties (required) |
VaultAccessPolicyProperties
Name | Description | Value |
---|---|---|
accessPolicies | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. | AccessPolicyEntry[] (required) |
AccessPolicyEntry
Name | Description | Value |
---|---|---|
applicationId | Application ID of the client making request on behalf of a principal | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string (required) |
permissions | Permissions the identity has for keys, secrets and certificates. | Permissions (required) |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string (required) Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
Permissions
Name | Description | Value |
---|---|---|
certificates | Permissions to certificates | String array containing any of: 'all' 'backup' 'create' 'delete' 'deleteissuers' 'get' 'getissuers' 'import' 'list' 'listissuers' 'managecontacts' 'manageissuers' 'purge' 'recover' 'restore' 'setissuers' 'update' |
keys | Permissions to keys | String array containing any of: 'all' 'backup' 'create' 'decrypt' 'delete' 'encrypt' 'get' 'getrotationpolicy' 'import' 'list' 'purge' 'recover' 'release' 'restore' 'rotate' 'setrotationpolicy' 'sign' 'unwrapKey' 'update' 'verify' 'wrapKey' |
secrets | Permissions to secrets | String array containing any of: 'all' 'backup' 'delete' 'get' 'list' 'purge' 'recover' 'restore' 'set' |
storage | Permissions to storage accounts | String array containing any of: 'all' 'backup' 'delete' 'deletesas' 'get' 'getsas' 'list' 'listsas' 'purge' 'recover' 'regeneratekey' 'restore' 'set' 'setsas' 'update' |
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
Create an Azure SQL Server, with data encryption protector |
This template creates an Azure SQL server, activates the data encryption protector using a given key stored in a given Key Vault |
Deploy an Azure Databricks Workspace with PE,CMK all forms |
This template allows you to create an Azure Databricks workspace with PrivateEndpoint and managed services and CMK with DBFS encryption. |
Deploy an Azure Databricks Workspace with all 3 forms of CMK |
This template allows you to create an Azure Databricks workspace with managed services and CMK with DBFS encryption. |
Deploy an Azure Databricks WS with CMK for DBFS encryption |
This template allows you to create an Azure Databricks workspace with CMK for DBFS root encryption |
Deploy an Azure Databricks Workspace with Managed Disks CMK |
This template allows you to create an Azure Databricks workspace with Managed Disks CMK. |
Deploy Azure Databricks Workspace with Managed Services CMK |
This template allows you to create an Azure Databricks workspace with Managed Services CMK. |
Deploy Data Lake Store account with encryption(Key Vault) |
This template allows you to deploy an Azure Data Lake Store account with data encryption enabled. This account uses Azure Key Vault to manage the encryption key. |
Add KeyVault Access Policy |
Add an access policy to an existing KeyVault without removing existing policies. |
User assigned identity role assignment template |
A template that creates role assignments of user assigned identity on resources that Azure Machine Learning workspace depends on |
ARM template resource definition
The vaults/accessPolicies resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following JSON to your template.
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"apiVersion": "2023-07-01",
"name": "string",
"properties": {
"accessPolicies": [
{
"applicationId": "string",
"objectId": "string",
"permissions": {
"certificates": [ "string" ],
"keys": [ "string" ],
"secrets": [ "string" ],
"storage": [ "string" ]
},
"tenantId": "string"
}
]
}
}
Property values
vaults/accessPolicies
Name | Description | Value |
---|---|---|
type | The resource type | 'Microsoft.KeyVault/vaults/accessPolicies' |
apiVersion | The resource api version | '2023-07-01' |
name | The resource name See how to set names and types for child resources in JSON ARM templates. |
string (required) |
properties | Properties of the access policy | VaultAccessPolicyProperties (required) |
VaultAccessPolicyProperties
Name | Description | Value |
---|---|---|
accessPolicies | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. | AccessPolicyEntry[] (required) |
AccessPolicyEntry
Name | Description | Value |
---|---|---|
applicationId | Application ID of the client making request on behalf of a principal | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string (required) |
permissions | Permissions the identity has for keys, secrets and certificates. | Permissions (required) |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string (required) Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
Permissions
Name | Description | Value |
---|---|---|
certificates | Permissions to certificates | String array containing any of: 'all' 'backup' 'create' 'delete' 'deleteissuers' 'get' 'getissuers' 'import' 'list' 'listissuers' 'managecontacts' 'manageissuers' 'purge' 'recover' 'restore' 'setissuers' 'update' |
keys | Permissions to keys | String array containing any of: 'all' 'backup' 'create' 'decrypt' 'delete' 'encrypt' 'get' 'getrotationpolicy' 'import' 'list' 'purge' 'recover' 'release' 'restore' 'rotate' 'setrotationpolicy' 'sign' 'unwrapKey' 'update' 'verify' 'wrapKey' |
secrets | Permissions to secrets | String array containing any of: 'all' 'backup' 'delete' 'get' 'list' 'purge' 'recover' 'restore' 'set' |
storage | Permissions to storage accounts | String array containing any of: 'all' 'backup' 'delete' 'deletesas' 'get' 'getsas' 'list' 'listsas' 'purge' 'recover' 'regeneratekey' 'restore' 'set' 'setsas' 'update' |
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
Create an Azure SQL Server, with data encryption protector |
This template creates an Azure SQL server, activates the data encryption protector using a given key stored in a given Key Vault |
Deploy an Azure Databricks Workspace with PE,CMK all forms |
This template allows you to create an Azure Databricks workspace with PrivateEndpoint and managed services and CMK with DBFS encryption. |
Deploy an Azure Databricks Workspace with all 3 forms of CMK |
This template allows you to create an Azure Databricks workspace with managed services and CMK with DBFS encryption. |
Deploy an Azure Databricks WS with CMK for DBFS encryption |
This template allows you to create an Azure Databricks workspace with CMK for DBFS root encryption |
Deploy an Azure Databricks Workspace with Managed Disks CMK |
This template allows you to create an Azure Databricks workspace with Managed Disks CMK. |
Deploy Azure Databricks Workspace with Managed Services CMK |
This template allows you to create an Azure Databricks workspace with Managed Services CMK. |
Deploy Data Lake Store account with encryption(Key Vault) |
This template allows you to deploy an Azure Data Lake Store account with data encryption enabled. This account uses Azure Key Vault to manage the encryption key. |
Add KeyVault Access Policy |
Add an access policy to an existing KeyVault without removing existing policies. |
User assigned identity role assignment template |
A template that creates role assignments of user assigned identity on resources that Azure Machine Learning workspace depends on |
Terraform (AzAPI provider) resource definition
The vaults/accessPolicies resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.KeyVault/vaults/accessPolicies@2023-07-01"
name = "string"
parent_id = "string"
body = jsonencode({
properties = {
accessPolicies = [
{
applicationId = "string"
objectId = "string"
permissions = {
certificates = [
"string"
]
keys = [
"string"
]
secrets = [
"string"
]
storage = [
"string"
]
}
tenantId = "string"
}
]
}
})
}
Property values
vaults/accessPolicies
Name | Description | Value |
---|---|---|
type | The resource type | "Microsoft.KeyVault/vaults/accessPolicies@2023-07-01" |
name | The resource name | string (required) |
parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: vaults |
properties | Properties of the access policy | VaultAccessPolicyProperties (required) |
VaultAccessPolicyProperties
Name | Description | Value |
---|---|---|
accessPolicies | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. | AccessPolicyEntry[] (required) |
AccessPolicyEntry
Name | Description | Value |
---|---|---|
applicationId | Application ID of the client making request on behalf of a principal | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string (required) |
permissions | Permissions the identity has for keys, secrets and certificates. | Permissions (required) |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string (required) Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
Permissions
Name | Description | Value |
---|---|---|
certificates | Permissions to certificates | String array containing any of: "all" "backup" "create" "delete" "deleteissuers" "get" "getissuers" "import" "list" "listissuers" "managecontacts" "manageissuers" "purge" "recover" "restore" "setissuers" "update" |
keys | Permissions to keys | String array containing any of: "all" "backup" "create" "decrypt" "delete" "encrypt" "get" "getrotationpolicy" "import" "list" "purge" "recover" "release" "restore" "rotate" "setrotationpolicy" "sign" "unwrapKey" "update" "verify" "wrapKey" |
secrets | Permissions to secrets | String array containing any of: "all" "backup" "delete" "get" "list" "purge" "recover" "restore" "set" |
storage | Permissions to storage accounts | String array containing any of: "all" "backup" "delete" "deletesas" "get" "getsas" "list" "listsas" "purge" "recover" "regeneratekey" "restore" "set" "setsas" "update" |