Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Remarks
For guidance on using key vaults for secure values, see Manage secrets by using Bicep.
For a quickstart on creating a secret, see Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template.
For a quickstart on creating a key, see Quickstart: Create an Azure key vault and a key by using ARM template.
Bicep resource definition
The vaults/keys resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/keys resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.KeyVault/vaults/keys@2024-12-01-preview' = {
parent: resourceSymbolicName
name: 'string'
properties: {
attributes: {
enabled: bool
exp: int
exportable: bool
nbf: int
}
curveName: 'string'
keyOps: [
'string'
]
keySize: int
kty: 'string'
release_policy: {
contentType: 'string'
data: 'string'
}
rotationPolicy: {
attributes: {
expiryTime: 'string'
}
lifetimeActions: [
{
action: {
type: 'string'
}
trigger: {
timeAfterCreate: 'string'
timeBeforeExpiry: 'string'
}
}
]
}
}
tags: {
{customized property}: 'string'
}
}
Property Values
Microsoft.KeyVault/vaults/keys
| Name | Description | Value |
|---|---|---|
| name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9-]{1,127}$ (required) |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. |
Symbolic name for resource of type: vaults |
| properties | The properties of the key to be created. | KeyProperties (required) |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
Action
| Name | Description | Value |
|---|---|---|
| type | The type of action. | 'notify' 'rotate' |
KeyAttributes
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether or not the object is enabled. | bool |
| exp | Expiry date in seconds since 1970-01-01T00:00:00Z. | int |
| exportable | Indicates if the private key can be exported. | bool |
| nbf | Not before date in seconds since 1970-01-01T00:00:00Z. | int |
KeyCreateParametersTags
| Name | Description | Value |
|---|
KeyProperties
| Name | Description | Value |
|---|---|---|
| attributes | The attributes of the key. | KeyAttributes |
| curveName | The elliptic curve name. For valid values, see JsonWebKeyCurveName. Default for EC and EC-HSM keys is P-256 | 'P-256' 'P-256K' 'P-384' 'P-521' |
| keyOps | String array containing any of: 'decrypt' 'encrypt' 'import' 'release' 'sign' 'unwrapKey' 'verify' 'wrapKey' |
|
| keySize | The key size in bits. For example: 2048, 3072, or 4096 for RSA. Default for RSA and RSA-HSM keys is 2048. Exception made for bring your own key (BYOK), key exchange keys default to 4096. | int |
| kty | The type of the key. For valid values, see JsonWebKeyType. | 'EC' 'EC-HSM' 'RSA' 'RSA-HSM' |
| release_policy | Key release policy in response. It will be used for both output and input. Omitted if empty | KeyReleasePolicy |
| rotationPolicy | Key rotation policy in response. It will be used for both output and input. Omitted if empty | RotationPolicy |
KeyReleasePolicy
| Name | Description | Value |
|---|---|---|
| contentType | Content type and version of key release policy | string |
| data | Blob encoding the policy rules under which the key can be released. | string |
KeyRotationPolicyAttributes
| Name | Description | Value |
|---|---|---|
| expiryTime | The expiration time for the new key version. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. | string |
LifetimeAction
| Name | Description | Value |
|---|---|---|
| action | The action of key rotation policy lifetimeAction. | Action |
| trigger | The trigger of key rotation policy lifetimeAction. | Trigger |
RotationPolicy
| Name | Description | Value |
|---|---|---|
| attributes | The attributes of key rotation policy. | KeyRotationPolicyAttributes |
| lifetimeActions | The lifetimeActions for key rotation action. | LifetimeAction[] |
Trigger
| Name | Description | Value |
|---|---|---|
| timeAfterCreate | The time duration after key creation to rotate the key. It only applies to rotate. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. | string |
| timeBeforeExpiry | The time duration before key expiring to rotate or notify. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. | string |
Usage Examples
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description |
|---|---|
| Azure Storage Account Encryption with customer-managed key | This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault. |
ARM template resource definition
The vaults/keys resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/keys resource, add the following JSON to your template.
{
"type": "Microsoft.KeyVault/vaults/keys",
"apiVersion": "2024-12-01-preview",
"name": "string",
"properties": {
"attributes": {
"enabled": "bool",
"exp": "int",
"exportable": "bool",
"nbf": "int"
},
"curveName": "string",
"keyOps": [ "string" ],
"keySize": "int",
"kty": "string",
"release_policy": {
"contentType": "string",
"data": "string"
},
"rotationPolicy": {
"attributes": {
"expiryTime": "string"
},
"lifetimeActions": [
{
"action": {
"type": "string"
},
"trigger": {
"timeAfterCreate": "string",
"timeBeforeExpiry": "string"
}
}
]
}
},
"tags": {
"{customized property}": "string"
}
}
Property Values
Microsoft.KeyVault/vaults/keys
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2024-12-01-preview' |
| name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9-]{1,127}$ (required) |
| properties | The properties of the key to be created. | KeyProperties (required) |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| type | The resource type | 'Microsoft.KeyVault/vaults/keys' |
Action
| Name | Description | Value |
|---|---|---|
| type | The type of action. | 'notify' 'rotate' |
KeyAttributes
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether or not the object is enabled. | bool |
| exp | Expiry date in seconds since 1970-01-01T00:00:00Z. | int |
| exportable | Indicates if the private key can be exported. | bool |
| nbf | Not before date in seconds since 1970-01-01T00:00:00Z. | int |
KeyCreateParametersTags
| Name | Description | Value |
|---|
KeyProperties
| Name | Description | Value |
|---|---|---|
| attributes | The attributes of the key. | KeyAttributes |
| curveName | The elliptic curve name. For valid values, see JsonWebKeyCurveName. Default for EC and EC-HSM keys is P-256 | 'P-256' 'P-256K' 'P-384' 'P-521' |
| keyOps | String array containing any of: 'decrypt' 'encrypt' 'import' 'release' 'sign' 'unwrapKey' 'verify' 'wrapKey' |
|
| keySize | The key size in bits. For example: 2048, 3072, or 4096 for RSA. Default for RSA and RSA-HSM keys is 2048. Exception made for bring your own key (BYOK), key exchange keys default to 4096. | int |
| kty | The type of the key. For valid values, see JsonWebKeyType. | 'EC' 'EC-HSM' 'RSA' 'RSA-HSM' |
| release_policy | Key release policy in response. It will be used for both output and input. Omitted if empty | KeyReleasePolicy |
| rotationPolicy | Key rotation policy in response. It will be used for both output and input. Omitted if empty | RotationPolicy |
KeyReleasePolicy
| Name | Description | Value |
|---|---|---|
| contentType | Content type and version of key release policy | string |
| data | Blob encoding the policy rules under which the key can be released. | string |
KeyRotationPolicyAttributes
| Name | Description | Value |
|---|---|---|
| expiryTime | The expiration time for the new key version. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. | string |
LifetimeAction
| Name | Description | Value |
|---|---|---|
| action | The action of key rotation policy lifetimeAction. | Action |
| trigger | The trigger of key rotation policy lifetimeAction. | Trigger |
RotationPolicy
| Name | Description | Value |
|---|---|---|
| attributes | The attributes of key rotation policy. | KeyRotationPolicyAttributes |
| lifetimeActions | The lifetimeActions for key rotation action. | LifetimeAction[] |
Trigger
| Name | Description | Value |
|---|---|---|
| timeAfterCreate | The time duration after key creation to rotate the key. It only applies to rotate. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. | string |
| timeBeforeExpiry | The time duration before key expiring to rotate or notify. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. | string |
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description |
|---|---|
Azure Storage Account Encryption with customer-managed key |
This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault. |
| Create a Key in Azure KeyVault |
This module allows you to create a key in an existing KeyVault. |
Terraform (AzAPI provider) resource definition
The vaults/keys resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/keys resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.KeyVault/vaults/keys@2024-12-01-preview"
name = "string"
parent_id = "string"
tags = {
{customized property} = "string"
}
body = {
properties = {
attributes = {
enabled = bool
exp = int
exportable = bool
nbf = int
}
curveName = "string"
keyOps = [
"string"
]
keySize = int
kty = "string"
release_policy = {
contentType = "string"
data = "string"
}
rotationPolicy = {
attributes = {
expiryTime = "string"
}
lifetimeActions = [
{
action = {
type = "string"
}
trigger = {
timeAfterCreate = "string"
timeBeforeExpiry = "string"
}
}
]
}
}
}
}
Property Values
Microsoft.KeyVault/vaults/keys
| Name | Description | Value |
|---|---|---|
| name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9-]{1,127}$ (required) |
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: vaults |
| properties | The properties of the key to be created. | KeyProperties (required) |
| tags | Resource tags | Dictionary of tag names and values. |
| type | The resource type | "Microsoft.KeyVault/vaults/keys@2024-12-01-preview" |
Action
| Name | Description | Value |
|---|---|---|
| type | The type of action. | 'notify' 'rotate' |
KeyAttributes
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether or not the object is enabled. | bool |
| exp | Expiry date in seconds since 1970-01-01T00:00:00Z. | int |
| exportable | Indicates if the private key can be exported. | bool |
| nbf | Not before date in seconds since 1970-01-01T00:00:00Z. | int |
KeyCreateParametersTags
| Name | Description | Value |
|---|
KeyProperties
| Name | Description | Value |
|---|---|---|
| attributes | The attributes of the key. | KeyAttributes |
| curveName | The elliptic curve name. For valid values, see JsonWebKeyCurveName. Default for EC and EC-HSM keys is P-256 | 'P-256' 'P-256K' 'P-384' 'P-521' |
| keyOps | String array containing any of: 'decrypt' 'encrypt' 'import' 'release' 'sign' 'unwrapKey' 'verify' 'wrapKey' |
|
| keySize | The key size in bits. For example: 2048, 3072, or 4096 for RSA. Default for RSA and RSA-HSM keys is 2048. Exception made for bring your own key (BYOK), key exchange keys default to 4096. | int |
| kty | The type of the key. For valid values, see JsonWebKeyType. | 'EC' 'EC-HSM' 'RSA' 'RSA-HSM' |
| release_policy | Key release policy in response. It will be used for both output and input. Omitted if empty | KeyReleasePolicy |
| rotationPolicy | Key rotation policy in response. It will be used for both output and input. Omitted if empty | RotationPolicy |
KeyReleasePolicy
| Name | Description | Value |
|---|---|---|
| contentType | Content type and version of key release policy | string |
| data | Blob encoding the policy rules under which the key can be released. | string |
KeyRotationPolicyAttributes
| Name | Description | Value |
|---|---|---|
| expiryTime | The expiration time for the new key version. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. | string |
LifetimeAction
| Name | Description | Value |
|---|---|---|
| action | The action of key rotation policy lifetimeAction. | Action |
| trigger | The trigger of key rotation policy lifetimeAction. | Trigger |
RotationPolicy
| Name | Description | Value |
|---|---|---|
| attributes | The attributes of key rotation policy. | KeyRotationPolicyAttributes |
| lifetimeActions | The lifetimeActions for key rotation action. | LifetimeAction[] |
Trigger
| Name | Description | Value |
|---|---|---|
| timeAfterCreate | The time duration after key creation to rotate the key. It only applies to rotate. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. | string |
| timeBeforeExpiry | The time duration before key expiring to rotate or notify. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. | string |