Vaults - Update Access Policy

Update access policies in a key vault in the specified subscription.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/accessPolicies/{operationKind}?api-version=2022-07-01

URI Parameters

Name In Required Type Description
operationKind
path True

AccessPolicyUpdateKind

Name of the operation

resourceGroupName
path True

string

The name of the Resource Group to which the vault belongs.

subscriptionId
path True

string

Subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.

vaultName
path True

string

Name of the vault

Regex pattern: ^[a-zA-Z0-9-]{3,24}$

api-version
query True

string

Client Api Version.

Request Body

Name Required Type Description
properties True

VaultAccessPolicyProperties

Properties of the access policy

Responses

Name Type Description
200 OK

VaultAccessPolicyParameters

The updated access policies

201 Created

VaultAccessPolicyParameters

The updated access policies

Other Status Codes

CloudError

Error response describing why the operation failed.

Examples

Add an access policy, or update an access policy with new permissions

Sample Request

PUT https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/add?api-version=2022-07-01

{
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt"
          ],
          "secrets": [
            "get"
          ],
          "certificates": [
            "get"
          ]
        }
      }
    ]
  }
}

Sample Response (the same body is returned for 200 OK and 201 Created)

{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/",
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt"
          ],
          "secrets": [
            "get"
          ],
          "certificates": [
            "get"
          ]
        }
      }
    ]
  }
}

Definitions

Name Description
AccessPolicyEntry

An identity that has access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.

AccessPolicyUpdateKind

Name of the operation

CertificatePermissions

Permissions to certificates

CloudError

An error response from Key Vault resource provider

CloudErrorBody

An error response from Key Vault resource provider

KeyPermissions

Permissions to keys

Permissions

Permissions the identity has for keys, secrets, certificates and storage.

SecretPermissions

Permissions to secrets

StoragePermissions

Permissions to storage accounts

VaultAccessPolicyParameters

Parameters for updating the access policy in a vault

VaultAccessPolicyProperties

Properties of the vault access policy

AccessPolicyEntry

An identity that has access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.

Name Type Description
applicationId

string

Application ID of the client making request on behalf of a principal

objectId

string

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.

permissions

Permissions

Permissions the identity has for keys, secrets, certificates and storage.

tenantId

string

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

AccessPolicyUpdateKind

Name of the operation

Name Type Description
add

string

Adds the supplied identities to the vault's access policies; an entry whose objectId already exists is updated with the supplied permissions (the "update an access policy with new permissions" case in the example above).

remove

string

Removes the access policy entries whose identities match the supplied ones.

replace

string

Replaces the vault's entire access policy list with the supplied one; any identity not present in the request loses its access.

CertificatePermissions

Permissions to certificates

Name Type Description
all

string

backup

string

create

string

delete

string

deleteissuers

string

get

string

getissuers

string

import

string

list

string

listissuers

string

managecontacts

string

manageissuers

string

purge

string

recover

string

restore

string

setissuers

string

update

string

CloudError

An error response from Key Vault resource provider

Name Type Description
error

CloudErrorBody

An error response from Key Vault resource provider

CloudErrorBody

An error response from Key Vault resource provider

Name Type Description
code

string

Error code. This is a mnemonic that can be consumed programmatically.

message

string

User friendly error message. The message is typically localized and may vary with service version.

KeyPermissions

Permissions to keys

Name Type Description
all

string

backup

string

create

string

decrypt

string

delete

string

encrypt

string

get

string

getrotationpolicy

string

import

string

list

string

purge

string

recover

string

release

string

restore

string

rotate

string

setrotationpolicy

string

sign

string

unwrapKey

string

update

string

verify

string

wrapKey

string

Permissions

Permissions the identity has for keys, secrets, certificates and storage.

Name Type Description
certificates

CertificatePermissions[]

Permissions to certificates

keys

KeyPermissions[]

Permissions to keys

secrets

SecretPermissions[]

Permissions to secrets

storage

StoragePermissions[]

Permissions to storage accounts

SecretPermissions

Permissions to secrets

Name Type Description
all

string

backup

string

delete

string

get

string

list

string

purge

string

recover

string

restore

string

set

string

StoragePermissions

Permissions to storage accounts

Name Type Description
all

string

backup

string

delete

string

deletesas

string

get

string

getsas

string

list

string

listsas

string

purge

string

recover

string

regeneratekey

string

restore

string

set

string

setsas

string

update

string

VaultAccessPolicyParameters

Parameters for updating the access policy in a vault

Name Type Description
id

string

The resource id of the access policy.

location

string

The resource location of the access policy.

name

string

The resource name of the access policy.

properties

VaultAccessPolicyProperties

Properties of the access policy

type

string

The resource type of the access policy (Microsoft.KeyVault/vaults/accessPolicies in the sample response above).

VaultAccessPolicyProperties

Properties of the vault access policy

Name Type Description
accessPolicies

AccessPolicyEntry[]

An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.
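The following Python helper is an added example; it is not code from this page or from Microsoft's SDKs. It builds the PUT request documented above, checks a proposed body against the constraints stated in the Definitions (vaultName pattern, at most 16 entries, a single tenantId, unique objectId, only the listed permission values), flags broad grants ("all", "purge") for a least-privilege review, and previews the resulting policy list for each AccessPolicyUpdateKind. The preview's merge semantics (add unions permission values per objectId, remove drops matching objectIds, replace overwrites the whole list) are this example's reading of the operation names, not something the page states, and the tenant, object IDs and "current" policy list are constructed placeholders. The bearer token is assumed to come from your own token acquisition.

```python
"""Build, validate and preview a Key Vault accessPolicies/{operationKind} PUT (added example)."""
import copy
import json
import re
import urllib.request

API_VERSION = "2022-07-01"
VAULT_NAME_RE = re.compile(r"^[a-zA-Z0-9-]{3,24}$")   # vaultName pattern from the URI parameters
MAX_POLICIES = 16                                       # VaultAccessPolicyProperties.accessPolicies
KINDS = ("add", "remove", "replace")                    # AccessPolicyUpdateKind

# Permission values from the Definitions section, per category.
PERM_SETS = {
    "keys": {"all", "backup", "create", "decrypt", "delete", "encrypt", "get",
             "getrotationpolicy", "import", "list", "purge", "recover", "release",
             "restore", "rotate", "setrotationpolicy", "sign", "unwrapKey", "update",
             "verify", "wrapKey"},
    "secrets": {"all", "backup", "delete", "get", "list", "purge", "recover", "restore", "set"},
    "certificates": {"all", "backup", "create", "delete", "deleteissuers", "get", "getissuers",
                     "import", "list", "listissuers", "managecontacts", "manageissuers",
                     "purge", "recover", "restore", "setissuers", "update"},
    "storage": {"all", "backup", "delete", "deletesas", "get", "getsas", "list", "listsas",
                "purge", "recover", "regeneratekey", "restore", "set", "setsas", "update"},
}
BROAD = {"all", "purge"}  # grants a least-privilege review should question


def validate_policies(policies, vault_tenant_id):
    """Return the documented constraints the body violates ([] means it is well-formed)."""
    problems = []
    if len(policies) > MAX_POLICIES:
        problems.append(f"{len(policies)} entries; the array holds at most {MAX_POLICIES}")
    seen = set()
    for p in policies:
        oid = p.get("objectId")
        if p.get("tenantId") != vault_tenant_id:
            problems.append(f"{oid}: tenantId differs from the vault's tenant")
        if oid in seen:
            problems.append(f"{oid}: objectId appears more than once")
        seen.add(oid)
        for category, values in p.get("permissions", {}).items():
            allowed = PERM_SETS.get(category)
            if allowed is None:
                problems.append(f"{oid}: unknown permission category {category!r}")
                continue
            for v in values:
                if v not in allowed:
                    problems.append(f"{oid}: {v!r} is not a valid {category} permission")
    return problems


def broad_grants(policies):
    """(objectId, category, value) triples that grant 'all' or 'purge'."""
    return [(p["objectId"], cat, v)
            for p in policies
            for cat, vals in p.get("permissions", {}).items()
            for v in vals if v in BROAD]


def build_request(subscription_id, resource_group, vault_name, kind, policies, bearer_token):
    """Assemble the PUT from this page as a urllib Request; it is not sent here."""
    if not VAULT_NAME_RE.match(vault_name):
        raise ValueError(f"vaultName {vault_name!r} does not match {VAULT_NAME_RE.pattern}")
    if kind not in KINDS:
        raise ValueError(f"operationKind must be one of {KINDS}")
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           f"/resourceGroups/{resource_group}/providers/Microsoft.KeyVault"
           f"/vaults/{vault_name}/accessPolicies/{kind}?api-version={API_VERSION}")
    body = json.dumps({"properties": {"accessPolicies": policies}}).encode()
    headers = {"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body, headers=headers, method="PUT")


def preview(current, kind, submitted):
    """Expected policy list after the call. ASSUMPTION (not stated on the page): add unions
    permission values per objectId, remove drops matching objectIds, replace overwrites the
    whole list. Confirm against a GET on the vault before relying on this."""
    if kind == "replace":
        return copy.deepcopy(submitted)
    by_id = {p["objectId"]: copy.deepcopy(p) for p in current}
    for p in submitted:
        oid = p["objectId"]
        if kind == "remove":
            by_id.pop(oid, None)
            continue
        entry = by_id.setdefault(oid, {"tenantId": p["tenantId"], "objectId": oid, "permissions": {}})
        for cat, vals in p.get("permissions", {}).items():
            entry["permissions"][cat] = sorted(set(entry["permissions"].get(cat, [])) | set(vals))
    return list(by_id.values())


TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant from the page's sample
CURRENT = [  # constructed: what a GET on the vault might return today
    {"tenantId": TENANT, "objectId": "11111111-1111-1111-1111-111111111111",
     "permissions": {"secrets": ["get", "list"]}},
]
PROPOSED = [  # the entry from the page's sample request
    {"tenantId": TENANT, "objectId": "00000000-0000-0000-0000-000000000000",
     "permissions": {"keys": ["encrypt"], "secrets": ["get"], "certificates": ["get"]}},
]

if __name__ == "__main__":
    print("problems:", validate_policies(PROPOSED, TENANT), "broad:", broad_grants(PROPOSED))
    for k in KINDS:
        print(k, "->", [p["objectId"][:8] for p in preview(CURRENT, k, PROPOSED)])
    req = build_request("00000000-0000-0000-0000-000000000000", "sample-group", "sample-vault", "add", PROPOSED, "<token>")
    print(req.get_method(), req.full_url)
```

Run the preview for `replace` before sending it: because the operation overwrites the whole list, a request that carries only the entry you want to change silently drops every other identity's access. Note also that a vault configured for the Azure RBAC permission model ignores access policies entirely, so a 200 here does not by itself prove the identity can read anything.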