Azure Key Vault REST API reference

Use Key Vault to safeguard and manage cryptographic keys, certificates and secrets used by cloud applications and services.

Key Vault operations

Operation	Description
Check Name Availability	Checks that the vault name is valid and is not already in use.
Create Or Update	Create or update a key vault in the specified subscription.
Update Access Policy	Update access policies in a key vault in the specified subscription.
Get	Gets the specified Azure key vault.
List	The List operation gets information about the vaults associated with the subscription.
List By Resource Group	The List operation gets information about the vaults associated with the subscription and within the specified resource group.
List By Subscription	The List operation gets information about the vaults associated with the subscription.
Update	Update a key vault in the specified subscription.
Delete	Deletes the specified Azure key vault.
Get Deleted	Gets the deleted Azure key vault.
List Deleted	Gets information about the deleted vaults in a subscription.
Purge	Permanently deletes the specified vault.

Private link operations

Operation	Description
List By Vault	Gets the private link resources supported for the key vault.

Private endpoint connections operations

Operation	Description
Get	Gets the specified private endpoint connection associated with the key vault.
List By Resource	The List operation gets information about the private endpoint connections associated with the vault.
Put	Updates the specified private endpoint connection associated with the key vault.
Delete	Deletes the specified private endpoint connection associated with the key vault.

Managed HSM operations

Operation	Description
Create Or Update	Create or update a managed HSM Pool in the specified subscription.
Get	Gets the specified managed HSM Pool.
List By Resource Group	The List operation gets information about the managed HSM Pools associated with the subscription and within the specified resource group.
List By Subscription	The List operation gets information about the managed HSM Pools associated with the subscription.
Update	Update a managed HSM Pool in the specified subscription.
Get Deleted	Gets the specified deleted managed HSM.
List Deleted	The List operation gets information about the deleted managed HSMs associated with the subscription.
Delete	Deletes the specified managed HSM Pool.
Purge Deleted	Permanently deletes the specified managed HSM.

Private link operations

Operation	Description
List By MHSM Resource	Gets the private link resources supported for the managed HSM pool.

Private endpoint connections operations

Operation	Description
Get	Gets the specified private endpoint connection associated with the managed HSM Pool.
List By Resource	The List operation gets information about the private endpoint connections associated with the managed HSM Pool.
Put	Updates the specified private endpoint connection associated with the managed HSM Pool.
Delete	Deletes the specified private endpoint connection associated with the managed HSM Pool.

HSM Security Domain operations

Operation	Description
Download	Retrieves the Security Domain from the managed HSM. Calling this endpoint can be used to activate a provisioned managed HSM resource.
Download Pending	Retrieves the Security Domain download operation status.
Upload	Restore the provided Security Domain.
Upload Pending	Get Security Domain upload operation status.

Managed HSM Settings operations

Operation	Description
Get Setting	Get specified account setting object. Retrieves the setting object of a specified setting name.
Get Settings	List account settings. Retrieves a list of all the available account settings that can be configured.
Update Setting	Updates key vault account setting, stores it, then returns the setting name and value to the client. Description of the pool setting to be updated

Role-based access control operations

Role assignment operations

Operation	Description
Get	Get the specified role assignment.
List	Gets role assignments for a scope.
Create	Creates a role assignment.
Delete	Deletes a role assignment.

Role definition operations

Operation	Description
Get	Get the specified role definition.
List	Get all role definitions that are applicable at scope and above.
Create Or Update	Creates or updates a custom role definition.
Delete	Deletes a custom role definition.

Backup/restore operations

Operation	Description
Full Backup	Creates a full backup using a user-provided SAS token to an Azure blob storage container. This operation is supported only by the Managed HSM service.
Backup Status	Returns the status of full backup operation.
Full Restore	Restores all key materials using the SAS token pointing to a previously stored Azure Blob storage backup folder.
Selective Restore	Restores all key versions of a given key using user supplied SAS token pointing to a previously stored Azure Blob storage backup folder.
Restore Status	Returns the status of restore operation.

Key operations (Key Vault/Managed HSM)

Operation	Description
Get Key	Gets the public part of a stored key.
Get Keys	List keys in the specified vault.
Get Key Versions	Retrieves a list of individual key versions with the same key name.
Create Key	Creates a new key, stores it, then returns key parameters and attributes to the client.
Import Key	Imports an externally created key, stores it, and returns key parameters and attributes to the client.
Update Key	The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Azure Key Vault.
Delete Key	Deletes a key of any type from storage in Azure Key Vault.
Get Deleted Key	Gets the public part of a deleted key.
Get Deleted Keys	Lists the deleted keys in the specified vault.
Purge Deleted Key	Permanently deletes the specified key.
Recover Deleted Key	Recovers the deleted key to its latest version.
Backup Key	Requests that a backup of the specified key be downloaded to the client.
Restore Key	Restores a backed up key to a vault.
Release Key	Releases a key. The release key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/release permission.
Rotate Key	Creates a new key version, stores it, then returns key parameters, attributes and policy to the client. The operation will rotate the key based on the key policy. It requires the keys/rotate permission.
Get Key Rotation Policy	Lists the policy for a key. The GetKeyRotationPolicy operation returns the specified key policy resources in the specified key vault. This operation requires the keys/get permission.
Update Key Rotation Policy	Updates the rotation policy for a key. Set specified members in the key policy. Leave others as undefined. This operation requires the keys/update permission.

Key operations (Managed HSM only)

Operation	Description
Get Random Bytes	Get the requested number of bytes containing random values from a managed HSM.

Cryptographic operations (Key Vault/Managed HSM)

Operation	Description
Decrypt	Decrypts a single block of encrypted data.
Encrypt	Encrypts an arbitrary sequence of bytes using an encryption key that is stored in a key vault.
Wrap Key	Wraps a symmetric key using a specified key.
Unwrap Key	Unwraps a symmetric key using the specified key that was initially used for wrapping that key.
Sign	Creates a signature from a digest using the specified key.
Verify	Verifies a signature using a specified key.

Secret operations (Key Vault only)

Operation	Description
Get Secret	Get a specified secret from a given key vault.
Get Secrets	List secrets in a specified key vault.
Get Secret Versions	List all versions of the specified secret.
Set Secret	Sets a secret in a specified key vault.
Update Secret	Updates the attributes associated with a specified secret in a given key vault.
Delete Secret	Deletes a secret from a specified key vault.
Get Deleted Secret	Gets the specified deleted secret.
Get Deleted Secrets	Lists deleted secrets for the specified vault.
Purge Deleted Secret	Permanently deletes the specified secret.
Recover Deleted Secret	Recovers the deleted secret to the latest version.
Backup Secret	Backs up the specified secret.
Restore Secret	Restores a backed up secret to a vault.

Storage account key management operations (Key Vault only)

Storage Account configuration operations

Operation	Description
Get Storage Account	Gets information about a specified storage account. This operation requires the storage/get permission.
Get Storage Accounts	List storage accounts managed by the specified key vault. This operation requires the storage/list permission.
Update Storage Account	Updates the specified attributes associated with the given storage account. This operation requires the storage/set/update permission.
Set Storage Account	Creates or updates a new storage account. This operation requires the storage/set permission.
Delete Storage Account	Deletes a storage account. This operation requires the storage/delete permission.
Get Deleted Storage Account	Gets the specified deleted storage account.
Get Deleted Storage Accounts	Lists deleted storage accounts for the specified vault.
Purge Deleted Storage Account	Permanently deletes the specified storage account.
Recover Deleted Storage Account	Recovers the deleted storage account.
Backup Storage Account	Backs up the specified storage account.
Restore Storage Account	Restores a backed-up storage account to a vault.

Storage Account key operations

Operation	Description
Regenerate Storage Account Key	Regenerates the specified key value for the given storage account. This operation requires the storage/regeneratekey permission.

Storage Account SAS operations

Operation	Description
Get Sas Definition	Gets information about a SAS definition for the specified storage account. This operation requires the storage/getsas permission.
Get Sas Definitions	List storage SAS definitions for the given storage account. This operation requires the storage/listsas permission.
Set Sas Definition	Creates or updates a new SAS definition for the specified storage account. This operation requires the storage/setsas permission.
Update Sas Definition	Updates the specified attributes associated with the given SAS definition. This operation requires the storage/setsas permission.
Delete Sas Definition	Deletes a SAS definition from a specified storage account. This operation requires the storage/deletesas permission.
Get Deleted Sas Definition	Gets the specified deleted sas definition.
Get Deleted Sas Definitions	Lists deleted SAS definitions for the specified vault and storage account.
Recover Deleted Sas Definition	Recovers the deleted SAS definition.

Certificate operations (Key Vault only)

Operation	Description
Get Certificate	Gets information about a certificate.
Get Certificates	List certificates in a specified key vault
Get Certificate Versions	List the versions of a certificate.
Create Certificate	Creates a new certificate.
Import Certificate	Imports a certificate into a specified key vault.
Merge Certificate	Merges a certificate or a certificate chain with a key pair existing on the server.
Get Certificate Operation	Gets the creation operation of a certificate.
Update Certificate Operation	Updates a certificate operation.
Delete Certificate Operation	Deletes the creation operation for a specific certificate.
Update Certificate	Updates the specified attributes associated with the given certificate.
Delete Certificate	Deletes a certificate from a specified key vault.
Get Deleted Certificate	Retrieves information about the specified deleted certificate.
Get Deleted Certificates	Lists the deleted certificates in the specified vault currently available for recovery.
Purge Deleted Certificate	Permanently deletes the specified deleted certificate.
Recover Deleted Certificate	Recovers the deleted certificate back to its current version under /certificates.
Backup Certificate	Backs up the specified certificate.
Restore Certificate	Restores a backed-up certificate to a vault.

Certificate policy operations

Operation	Description
Get Certificate Policy	Lists the policy for a certificate.
Update Certificate Policy	Updates the policy for a certificate.

Certificate contacts operations

Operation	Description
Get Certificate Contacts	Lists the certificate contacts for a specified key vault.
Set Certificate Contacts	Sets the certificate contacts for the specified key vault.
Delete Certificate Contacts	Deletes the certificate contacts for a specified key vault.

Certificate issuer operations

Operation	Description
Get Certificate Issuer	Lists the specified certificate issuer.
Get Certificate Issuers	List certificate issuers for a specified key vault.
Set Certificate Issuer	Sets the specified certificate issuer.
Update Certificate Issuer	Updates the specified certificate issuer.
Delete Certificate Issuer	Deletes the specified certificate issuer.

See also

• For concepts and detailed information about Key Vault, see About Azure Key Vault.
• For concepts and detailed information about Managed HSM, see What is Azure Key Vault Managed HSM?
• For concepts and detailed information about data plane objects, see About keys, secrets, and certificates.
• For general information on constructing Azure REST API requests, see the Azure REST API reference
• For information specific to constructing Key Vault REST API requests, see
  • Common HTTP request parameters and headers
  • Authentication, requests and responses
• See the following topics for additional Key Vault concepts and details
  • Key Vault Developer's Guide
  • Key Vault versions