Vaults - Update Access Policy

Update access policies in a key vault in the specified subscription.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/accessPolicies/{operationKind}?api-version=2022-07-01

URI Parameters

Name | In | Required | Type | Description
operationKind | path | True | AccessPolicyUpdateKind | Name of the operation
resourceGroupName | path | True | string | The name of the Resource Group to which the vault belongs.
subscriptionId | path | True | string | Subscription credentials that uniquely identify a Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.
vaultName | path | True | string (pattern: ^[a-zA-Z0-9-]{3,24}$) | Name of the vault
api-version | query | True | string | Client API version.

Request Body

Name | Required | Type | Description
properties | True | VaultAccessPolicyProperties | Properties of the access policy

Responses

Name | Type | Description
200 OK | VaultAccessPolicyParameters | The updated access policies
201 Created | VaultAccessPolicyParameters | The updated access policies
Other Status Codes | CloudError | Error response describing why the operation failed.

Examples

Add an access policy, or update an access policy with new permissions

Sample request

PUT https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/add?api-version=2022-07-01

{
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt"
          ],
          "secrets": [
            "get"
          ],
          "certificates": [
            "get"
          ]
        }
      }
    ]
  }
}

Sample response

{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/",
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt"
          ],
          "secrets": [
            "get"
          ],
          "certificates": [
            "get"
          ]
        }
      }
    ]
  }
}

Definitions

Name | Description
AccessPolicyEntry | An identity that has access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.
AccessPolicyUpdateKind | Name of the operation
CertificatePermissions | Permissions to certificates
CloudError | An error response from Key Vault resource provider
CloudErrorBody | An error response from Key Vault resource provider
KeyPermissions | Permissions to keys
Permissions | Permissions the identity has for keys, secrets, certificates and storage.
SecretPermissions | Permissions to secrets
StoragePermissions | Permissions to storage accounts
VaultAccessPolicyParameters | Parameters for updating the access policy in a vault
VaultAccessPolicyProperties | Properties of the vault access policy

AccessPolicyEntry

An identity that has access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.

Name | Type | Description
applicationId | string (uuid) | Application ID of the client making the request on behalf of a principal
objectId | string | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
permissions | Permissions | Permissions the identity has for keys, secrets and certificates.
tenantId | string (uuid) | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

AccessPolicyUpdateKind

Name of the operation

Value
add
remove
replace

CertificatePermissions

Permissions to certificates

Value
all
backup
create
delete
deleteissuers
get
getissuers
import
list
listissuers
managecontacts
manageissuers
purge
recover
restore
setissuers
update

CloudError

An error response from Key Vault resource provider

Name | Type | Description
error | CloudErrorBody | An error response from Key Vault resource provider

CloudErrorBody

An error response from Key Vault resource provider

Name | Type | Description
code | string | Error code. This is a mnemonic that can be consumed programmatically.
message | string | User-friendly error message. The message is typically localized and may vary with service version.

KeyPermissions

Permissions to keys

Value
all
backup
create
decrypt
delete
encrypt
get
getrotationpolicy
import
list
purge
recover
release
restore
rotate
setrotationpolicy
sign
unwrapKey
update
verify
wrapKey

Permissions

Permissions the identity has for keys, secrets, certificates and storage.

Name | Type | Description
certificates | CertificatePermissions[] | Permissions to certificates
keys | KeyPermissions[] | Permissions to keys
secrets | SecretPermissions[] | Permissions to secrets
storage | StoragePermissions[] | Permissions to storage accounts

SecretPermissions

Permissions to secrets

Value
all
backup
delete
get
list
purge
recover
restore
set

StoragePermissions

Permissions to storage accounts

Value
all
backup
delete
deletesas
get
getsas
list
listsas
purge
recover
regeneratekey
restore
set
setsas
update

VaultAccessPolicyParameters

Parameters for updating the access policy in a vault

Name | Type | Description
id | string | The resource id of the access policy.
location | string | The resource location of the access policy.
name | string | The resource name of the access policy.
properties | VaultAccessPolicyProperties | Properties of the access policy
type | string | The resource type of the access policy.

VaultAccessPolicyProperties

Properties of the vault access policy

Name | Type | Description
accessPolicies | AccessPolicyEntry[] | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.
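An added example, not part of the Azure reference page, that checks a request body for this operation against the constraints stated here (the vaultName pattern, the 0 to 16 entry limit, objectId uniqueness, the tenant ID match and the allowed permission values) and separately lists grants of all or purge that deserve a least-privilege review before the PUT is sent. The vault's tenant ID is supplied by the caller and nothing is sent to the API.

```python
import re

# Allowed permission values, copied from the Definitions tables on this page.
PERM_SETS = {
    "keys": {"all", "backup", "create", "decrypt", "delete", "encrypt", "get",
             "getrotationpolicy", "import", "list", "purge", "recover", "release",
             "restore", "rotate", "setrotationpolicy", "sign", "unwrapKey",
             "update", "verify", "wrapKey"},
    "secrets": {"all", "backup", "delete", "get", "list", "purge", "recover",
                "restore", "set"},
    "certificates": {"all", "backup", "create", "delete", "deleteissuers", "get",
                     "getissuers", "import", "list", "listissuers", "managecontacts",
                     "manageissuers", "purge", "recover", "restore", "setissuers",
                     "update"},
    "storage": {"all", "backup", "delete", "deletesas", "get", "getsas", "list",
                "listsas", "purge", "recover", "regeneratekey", "restore", "set",
                "setsas", "update"},
}
VAULT_NAME = re.compile(r"^[a-zA-Z0-9-]{3,24}$")  # pattern from the URI parameters
BROAD = {"all", "purge"}  # far wider than most workloads need; worth a review

def validate_access_policy_request(vault_name, vault_tenant_id, body):
    """Return the constraint violations in a PUT .../accessPolicies/{operationKind}
    body, checked against the rules stated on this page; [] means it is clean."""
    problems = []
    if not VAULT_NAME.match(vault_name):
        problems.append("vaultName must match ^[a-zA-Z0-9-]{3,24}$")
    entries = body.get("properties", {}).get("accessPolicies")
    if not isinstance(entries, list) or len(entries) > 16:
        return problems + ["accessPolicies must be an array of 0 to 16 entries"]
    seen = set()
    for n, entry in enumerate(entries):
        if entry.get("tenantId") != vault_tenant_id:
            problems.append(f"entry {n}: tenantId must be the vault's tenant ID")
        if not entry.get("objectId") or entry["objectId"] in seen:
            problems.append(f"entry {n}: objectId missing or not unique")
        seen.add(entry.get("objectId"))
        for kind, values in entry.get("permissions", {}).items():
            bad = set(values) - PERM_SETS.get(kind, set())  # unknown set -> all bad
            if bad:
                problems.append(f"entry {n}: invalid {kind} permissions {sorted(bad)}")
    return problems

def broad_grants(body):
    """(objectId, permission set, value) triples that grant 'all' or 'purge'."""
    return [(e.get("objectId"), kind, v)
            for e in body.get("properties", {}).get("accessPolicies", [])
            for kind, values in e.get("permissions", {}).items()
            for v in values if v in BROAD]
```

Run against the sample request above it returns no problems and no broad grants; a body granting keys "all" or secrets "purge" passes validation but shows up in broad_grants for review.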