Microsoft.KeyVault vaults/accessPolicies

Bicep resource definition

The vaults/accessPolicies resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.KeyVault/vaults/accessPolicies@2023-07-01' = {
  name: 'string'
  parent: resourceSymbolicName
  properties: {
    accessPolicies: [
      {
        applicationId: 'string'
        objectId: 'string'
        permissions: {
          certificates: [
            'string'
          ]
          keys: [
            'string'
          ]
          secrets: [
            'string'
          ]
          storage: [
            'string'
          ]
        }
        tenantId: 'string'
      }
    ]
  }
}

Property values

vaults/accessPolicies

Name Description Value
name The resource name

See how to set names and types for child resources in Bicep.
string (required)
parent In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource.

For more information, see Child resource outside parent resource.
Symbolic name for resource of type: vaults
properties Properties of the access policy VaultAccessPolicyProperties (required)

VaultAccessPolicyProperties

Name Description Value
accessPolicies An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. AccessPolicyEntry[] (required)

AccessPolicyEntry

Name Description Value
applicationId Application ID of the client making request on behalf of a principal string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
objectId The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. string (required)
permissions Permissions the identity has for keys, secrets and certificates. Permissions (required)
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string (required)

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

Permissions

Name Description Value
certificates Permissions to certificates String array containing any of:
'all'
'backup'
'create'
'delete'
'deleteissuers'
'get'
'getissuers'
'import'
'list'
'listissuers'
'managecontacts'
'manageissuers'
'purge'
'recover'
'restore'
'setissuers'
'update'
keys Permissions to keys String array containing any of:
'all'
'backup'
'create'
'decrypt'
'delete'
'encrypt'
'get'
'getrotationpolicy'
'import'
'list'
'purge'
'recover'
'release'
'restore'
'rotate'
'setrotationpolicy'
'sign'
'unwrapKey'
'update'
'verify'
'wrapKey'
secrets Permissions to secrets String array containing any of:
'all'
'backup'
'delete'
'get'
'list'
'purge'
'recover'
'restore'
'set'
storage Permissions to storage accounts String array containing any of:
'all'
'backup'
'delete'
'deletesas'
'get'
'getsas'
'list'
'listsas'
'purge'
'recover'
'regeneratekey'
'restore'
'set'
'setsas'
'update'

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Create an Azure SQL Server, with data encryption protector

Deploy to Azure
This template creates an Azure SQL server, activates the data encryption protector using a given key stored in a given Key Vault
Deploy an Azure Databricks Workspace with PE,CMK all forms

Deploy to Azure
This template allows you to create an Azure Databricks workspace with PrivateEndpoint and managed services and CMK with DBFS encryption.
Deploy an Azure Databricks Workspace with all 3 forms of CMK

Deploy to Azure
This template allows you to create an Azure Databricks workspace with managed services and CMK with DBFS encryption.
Deploy an Azure Databricks WS with CMK for DBFS encryption

Deploy to Azure
This template allows you to create an Azure Databricks workspace with CMK for DBFS root encryption
Deploy an Azure Databricks Workspace with Managed Disks CMK

Deploy to Azure
This template allows you to create an Azure Databricks workspace with Managed Disks CMK.
Deploy Azure Databricks Workspace with Managed Services CMK

Deploy to Azure
This template allows you to create an Azure Databricks workspace with Managed Services CMK.
Deploy Data Lake Store account with encryption(Key Vault)

Deploy to Azure
This template allows you to deploy an Azure Data Lake Store account with data encryption enabled. This account uses Azure Key Vault to manage the encryption key.
Add KeyVault Access Policy

Deploy to Azure
Add an access policy to an existing KeyVault without removing existing policies.
User assigned identity role assignment template

Deploy to Azure
A template that creates role assignments of user assigned identity on resources that Azure Machine Learning workspace depends on

ARM template resource definition

The vaults/accessPolicies resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following JSON to your template.

{
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "apiVersion": "2023-07-01",
  "name": "string",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": "string",
        "objectId": "string",
        "permissions": {
          "certificates": [ "string" ],
          "keys": [ "string" ],
          "secrets": [ "string" ],
          "storage": [ "string" ]
        },
        "tenantId": "string"
      }
    ]
  }
}

Property values

vaults/accessPolicies

Name Description Value
type The resource type 'Microsoft.KeyVault/vaults/accessPolicies'
apiVersion The resource api version '2023-07-01'
name The resource name

See how to set names and types for child resources in JSON ARM templates.
string (required)
properties Properties of the access policy VaultAccessPolicyProperties (required)

VaultAccessPolicyProperties

Name Description Value
accessPolicies An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. AccessPolicyEntry[] (required)

AccessPolicyEntry

Name Description Value
applicationId Application ID of the client making request on behalf of a principal string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
objectId The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. string (required)
permissions Permissions the identity has for keys, secrets and certificates. Permissions (required)
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string (required)

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

Permissions

Name Description Value
certificates Permissions to certificates String array containing any of:
'all'
'backup'
'create'
'delete'
'deleteissuers'
'get'
'getissuers'
'import'
'list'
'listissuers'
'managecontacts'
'manageissuers'
'purge'
'recover'
'restore'
'setissuers'
'update'
keys Permissions to keys String array containing any of:
'all'
'backup'
'create'
'decrypt'
'delete'
'encrypt'
'get'
'getrotationpolicy'
'import'
'list'
'purge'
'recover'
'release'
'restore'
'rotate'
'setrotationpolicy'
'sign'
'unwrapKey'
'update'
'verify'
'wrapKey'
secrets Permissions to secrets String array containing any of:
'all'
'backup'
'delete'
'get'
'list'
'purge'
'recover'
'restore'
'set'
storage Permissions to storage accounts String array containing any of:
'all'
'backup'
'delete'
'deletesas'
'get'
'getsas'
'list'
'listsas'
'purge'
'recover'
'regeneratekey'
'restore'
'set'
'setsas'
'update'

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Create an Azure SQL Server, with data encryption protector

Deploy to Azure
This template creates an Azure SQL server, activates the data encryption protector using a given key stored in a given Key Vault
Deploy an Azure Databricks Workspace with PE,CMK all forms

Deploy to Azure
This template allows you to create an Azure Databricks workspace with PrivateEndpoint and managed services and CMK with DBFS encryption.
Deploy an Azure Databricks Workspace with all 3 forms of CMK

Deploy to Azure
This template allows you to create an Azure Databricks workspace with managed services and CMK with DBFS encryption.
Deploy an Azure Databricks WS with CMK for DBFS encryption

Deploy to Azure
This template allows you to create an Azure Databricks workspace with CMK for DBFS root encryption
Deploy an Azure Databricks Workspace with Managed Disks CMK

Deploy to Azure
This template allows you to create an Azure Databricks workspace with Managed Disks CMK.
Deploy Azure Databricks Workspace with Managed Services CMK

Deploy to Azure
This template allows you to create an Azure Databricks workspace with Managed Services CMK.
Deploy Data Lake Store account with encryption(Key Vault)

Deploy to Azure
This template allows you to deploy an Azure Data Lake Store account with data encryption enabled. This account uses Azure Key Vault to manage the encryption key.
Add KeyVault Access Policy

Deploy to Azure
Add an access policy to an existing KeyVault without removing existing policies.
User assigned identity role assignment template

Deploy to Azure
A template that creates role assignments of user assigned identity on resources that Azure Machine Learning workspace depends on

Terraform (AzAPI provider) resource definition

The vaults/accessPolicies resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.KeyVault/vaults/accessPolicies@2023-07-01"
  name = "string"
  parent_id = "string"
  body = jsonencode({
    properties = {
      accessPolicies = [
        {
          applicationId = "string"
          objectId = "string"
          permissions = {
            certificates = [
              "string"
            ]
            keys = [
              "string"
            ]
            secrets = [
              "string"
            ]
            storage = [
              "string"
            ]
          }
          tenantId = "string"
        }
      ]
    }
  })
}

Property values

vaults/accessPolicies

Name Description Value
type The resource type "Microsoft.KeyVault/vaults/accessPolicies@2023-07-01"
name The resource name string (required)
parent_id The ID of the resource that is the parent for this resource. ID for resource of type: vaults
properties Properties of the access policy VaultAccessPolicyProperties (required)

VaultAccessPolicyProperties

Name Description Value
accessPolicies An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. AccessPolicyEntry[] (required)

AccessPolicyEntry

Name Description Value
applicationId Application ID of the client making request on behalf of a principal string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
objectId The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. string (required)
permissions Permissions the identity has for keys, secrets and certificates. Permissions (required)
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string (required)

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

Permissions

Name Description Value
certificates Permissions to certificates String array containing any of:
"all"
"backup"
"create"
"delete"
"deleteissuers"
"get"
"getissuers"
"import"
"list"
"listissuers"
"managecontacts"
"manageissuers"
"purge"
"recover"
"restore"
"setissuers"
"update"
keys Permissions to keys String array containing any of:
"all"
"backup"
"create"
"decrypt"
"delete"
"encrypt"
"get"
"getrotationpolicy"
"import"
"list"
"purge"
"recover"
"release"
"restore"
"rotate"
"setrotationpolicy"
"sign"
"unwrapKey"
"update"
"verify"
"wrapKey"
secrets Permissions to secrets String array containing any of:
"all"
"backup"
"delete"
"get"
"list"
"purge"
"recover"
"restore"
"set"
storage Permissions to storage accounts String array containing any of:
"all"
"backup"
"delete"
"deletesas"
"get"
"getsas"
"list"
"listsas"
"purge"
"recover"
"regeneratekey"
"restore"
"set"
"setsas"
"update"