Remarks
For guidance on using key vaults for secure values, see Manage secrets by using Bicep.
For a quickstart on creating a secret, see Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template.
For a quickstart on creating a key, see Quickstart: Create an Azure key vault and a key by using ARM template.
Bicep resource definition
The vaults/secrets resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/secrets resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.KeyVault/vaults/secrets@2024-12-01-preview' = {
  parent: resourceSymbolicName
  name: 'string'
  properties: {
    attributes: {
      enabled: bool
      exp: int
      nbf: int
    }
    contentType: 'string'
    value: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}
```
Property Values
Microsoft.KeyVault/vaults/secrets
Name | Description | Value |
---|---|---|
name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9-]{1,127}$ (required) |
parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. | Symbolic name for resource of type: vaults |
properties | Properties of the secret | SecretProperties (required) |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
SecretAttributes
Name | Description | Value |
---|---|---|
enabled | Determines whether the object is enabled. | bool |
exp | Expiry date in seconds since 1970-01-01T00:00:00Z. | int |
nbf | Not before date in seconds since 1970-01-01T00:00:00Z. | int |
SecretCreateOrUpdateParametersTags
Name | Description | Value |
---|---|---|
SecretProperties
Name | Description | Value |
---|---|---|
attributes | The attributes of the secret. | SecretAttributes |
contentType | The content type of the secret. | string |
value | The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. | string |
Usage Examples
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
Bicep File | Description |
---|---|
Application Gateway with internal API Management and Web App | Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App. |
Azure Function app and an HTTP-triggered function | This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key. |
Create a Key Vault and a list of secrets | This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters |
Create an API Management service with SSL from KeyVault | This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours. |
Create an Azure Key Vault and a secret | This template creates an Azure Key Vault and a secret. |
Create an Azure Key Vault with RBAC and a secret | This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets |
FinOps hub | This template creates a new FinOps hub instance, including Data Explorer, Data Lake storage, and Data Factory. |
Testing environment for Azure Firewall Premium | This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
ARM template resource definition
The vaults/secrets resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/secrets resource, add the following JSON to your template.
```json
{
  "type": "Microsoft.KeyVault/vaults/secrets",
  "apiVersion": "2024-12-01-preview",
  "name": "string",
  "properties": {
    "attributes": {
      "enabled": "bool",
      "exp": "int",
      "nbf": "int"
    },
    "contentType": "string",
    "value": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}
```
Property Values
Microsoft.KeyVault/vaults/secrets
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2024-12-01-preview' |
name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9-]{1,127}$ (required) |
properties | Properties of the secret | SecretProperties (required) |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
type | The resource type | 'Microsoft.KeyVault/vaults/secrets' |
SecretAttributes
Name | Description | Value |
---|---|---|
enabled | Determines whether the object is enabled. | bool |
exp | Expiry date in seconds since 1970-01-01T00:00:00Z. | int |
nbf | Not before date in seconds since 1970-01-01T00:00:00Z. | int |
SecretCreateOrUpdateParametersTags
Name | Description | Value |
---|---|---|
SecretProperties
Name | Description | Value |
---|---|---|
attributes | The attributes of the secret. | SecretAttributes |
contentType | The content type of the secret. | string |
value | The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. | string |
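
An added example, not part of the original reference: a small Python linter that applies the constraints in the tables above (the name pattern and the `exp`/`nbf` ordering) to the top-level secret resources of an ARM JSON template, and also flags a `value` that is a literal string or comes from a parameter that is not a `securestring`. The sample template, the vault name `kv-example` and the rule that every secret must carry an expiry are constructed assumptions.

```python
import json
import re

NAME_RE = re.compile(r"^[a-zA-Z0-9-]{1,127}$")  # name constraint from the table above
PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def is_expression(s):
    # ARM template expressions are wrapped in [...]; a leading "[[" is an escaped literal.
    return isinstance(s, str) and s.startswith("[") and s.endswith("]") and not s.startswith("[[")

def lint_secrets(template):
    """Return (resource name, finding) pairs for top-level secret resources."""
    findings, params = [], template.get("parameters", {})
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.KeyVault/vaults/secrets":
            continue
        name, props = res.get("name", ""), res.get("properties", {})
        # Top-level child resources are named "<vault>/<secret>": check the last segment.
        if not is_expression(name) and not NAME_RE.match(name.rsplit("/", 1)[-1]):
            findings.append((name, "name violates ^[a-zA-Z0-9-]{1,127}$"))
        value = props.get("value")
        ref = PARAM_RE.match(value) if isinstance(value, str) else None
        if isinstance(value, str) and not is_expression(value):
            findings.append((name, "value is hard-coded in the template"))
        elif ref and params.get(ref.group(1), {}).get("type", "").lower() != "securestring":
            findings.append((name, "value parameter is not a securestring"))
        exp, nbf = (props.get("attributes", {}).get(k) for k in ("exp", "nbf"))
        if exp is None:  # local policy assumption: every secret carries an expiry
            findings.append((name, "no expiry (exp) set"))
        elif isinstance(exp, int) and isinstance(nbf, int) and exp <= nbf:
            findings.append((name, "exp is not after nbf"))
    return findings

# Constructed sample template (not from the page); 1735689600 is 2025-01-01T00:00:00Z.
SAMPLE = json.loads("""{
  "parameters": {"dbPassword": {"type": "securestring"}, "apiKey": {"type": "string"}},
  "resources": [
    {"type": "Microsoft.KeyVault/vaults/secrets", "name": "kv-example/db-password",
     "properties": {"value": "[parameters('dbPassword')]",
                    "attributes": {"enabled": true, "nbf": 1735689600, "exp": 1767225600}}},
    {"type": "Microsoft.KeyVault/vaults/secrets", "name": "kv-example/api_key",
     "properties": {"value": "[parameters('apiKey')]",
                    "attributes": {"nbf": 1767225600, "exp": 1735689600}}},
    {"type": "Microsoft.KeyVault/vaults/secrets", "name": "kv-example/legacy-token",
     "properties": {"value": "constructed-placeholder"}}
  ]}""")

if __name__ == "__main__":
    for name, finding in lint_secrets(SAMPLE):
        print(f"{name}: {finding}")
```

Names and attribute values written as template expressions are skipped rather than evaluated, so the linter only reports what it can decide from literals.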
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
Template | Description |
---|---|
Application Gateway with internal API Management and Web App | Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App. |
Azure Function app and an HTTP-triggered function | This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key. |
Connect to a Key Vault via private endpoint | This sample shows how to configure a virtual network and private DNS zone to access Key Vault via private endpoint. |
Create a Key Vault and a list of secrets | This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters |
Create an API Management service with SSL from KeyVault | This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours. |
Create an Application Gateway V2 with Key Vault | This template deploys an Application Gateway V2 in a Virtual Network, a user defined identity, Key Vault, a secret (cert data), and access policy on Key Vault and Application Gateway. |
Create an Azure Key Vault and a secret | This template creates an Azure Key Vault and a secret. |
Create an Azure Key Vault with RBAC and a secret | This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets |
Create Azure Maps SAS token stored in an Azure Key Vault | This template deploys an Azure Maps account and lists a SAS token based on the provided User Assigned identity to be stored in an Azure Key Vault secret. |
Create ssh-keys and store in KeyVault | This template uses the deploymentScript resource to generate ssh keys and stores the private key in keyVault. |
creates an Azure Stack HCI 23H2 cluster | This template creates an Azure Stack HCI 23H2 cluster using an ARM template, using custom storage IP |
creates an Azure Stack HCI 23H2 cluster | This template creates an Azure Stack HCI 23H2 cluster using an ARM template, using custom storage IP |
creates an Azure Stack HCI 23H2 cluster | This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
FinOps hub | This template creates a new FinOps hub instance, including Data Explorer, Data Lake storage, and Data Factory. |
Testing environment for Azure Firewall Premium | This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
upgrades an Azure Stack HCI 22H2 cluster to 23H2 cluster | This template upgrades an Azure Stack HCI 22H2 cluster to 23H2 cluster using an ARM template. |
Terraform (AzAPI provider) resource definition
The vaults/secrets resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/secrets resource, add the following Terraform to your template.
```terraform
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.KeyVault/vaults/secrets@2024-12-01-preview"
  name = "string"
  parent_id = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    properties = {
      attributes = {
        enabled = bool
        exp = int
        nbf = int
      }
      contentType = "string"
      value = "string"
    }
  }
}
```
Property Values
Microsoft.KeyVault/vaults/secrets
Name | Description | Value |
---|---|---|
name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9-]{1,127}$ (required) |
parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: vaults |
properties | Properties of the secret | SecretProperties (required) |
tags | Resource tags | Dictionary of tag names and values. |
type | The resource type | "Microsoft.KeyVault/vaults/secrets@2024-12-01-preview" |
SecretAttributes
Name | Description | Value |
---|---|---|
enabled | Determines whether the object is enabled. | bool |
exp | Expiry date in seconds since 1970-01-01T00:00:00Z. | int |
nbf | Not before date in seconds since 1970-01-01T00:00:00Z. | int |
SecretCreateOrUpdateParametersTags
Name | Description | Value |
---|---|---|
SecretProperties
Name | Description | Value |
---|---|---|
attributes | The attributes of the secret. | SecretAttributes |
contentType | The content type of the secret. | string |
value | The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. | string |