Vaults - Update Access Policy
Update access policies in a key vault in the specified subscription.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/accessPolicies/{operationKind}?api-version=2022-07-01
URI Parameters

Name | In | Required | Type | Description
---|---|---|---|---
operationKind | path | True | AccessPolicyUpdateKind | Name of the operation
resourceGroupName | path | True | string | The name of the Resource Group to which the vault belongs.
subscriptionId | path | True | string | Subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.
vaultName | path | True | string | Name of the vault. Regex pattern:
api-version | query | True | string | Client API version.

Request Body

Name | Required | Type | Description
---|---|---|---
properties | True | VaultAccessPolicyProperties | Properties of the access policy

Responses

Name | Type | Description
---|---|---
200 OK | VaultAccessPolicyParameters | The updated access policies
201 Created | VaultAccessPolicyParameters | The updated access policies
Other Status Codes | CloudError | Error response describing why the operation failed.
Examples

Add an access policy, or update an access policy with new permissions

Sample request

```http
PUT https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/add?api-version=2022-07-01
```

```json
{
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt"
          ],
          "secrets": [
            "get"
          ],
          "certificates": [
            "get"
          ]
        }
      }
    ]
  }
}
```
Sample response

Status code: 200

```json
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/",
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt"
          ],
          "secrets": [
            "get"
          ],
          "certificates": [
            "get"
          ]
        }
      }
    ]
  }
}
```

Status code: 201

```json
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/",
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt"
          ],
          "secrets": [
            "get"
          ],
          "certificates": [
            "get"
          ]
        }
      }
    ]
  }
}
```
Definitions

Name | Description
---|---
AccessPolicyEntry | An identity that has access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.
AccessPolicyUpdateKind | Name of the operation
CertificatePermissions | Permissions to certificates
CloudError | An error response from Key Vault resource provider
CloudErrorBody | An error response from Key Vault resource provider
KeyPermissions | Permissions to keys
Permissions | Permissions the identity has for keys, secrets, certificates and storage.
SecretPermissions | Permissions to secrets
StoragePermissions | Permissions to storage accounts
VaultAccessPolicyParameters | Parameters for updating the access policy in a vault
VaultAccessPolicyProperties | Properties of the vault access policy

AccessPolicyEntry

An identity that has access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.

Name | Type | Description
---|---|---
applicationId | string | Application ID of the client making the request on behalf of a principal
objectId | string | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
permissions | Permissions | Permissions the identity has for keys, secrets and certificates.
tenantId | string | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

AccessPolicyUpdateKind

Name of the operation

Name | Type
---|---
add | string
remove | string
replace | string
CertificatePermissions

Permissions to certificates

Name | Type
---|---
all | string
backup | string
create | string
delete | string
deleteissuers | string
get | string
getissuers | string
import | string
list | string
listissuers | string
managecontacts | string
manageissuers | string
purge | string
recover | string
restore | string
setissuers | string
update | string
CloudError

An error response from Key Vault resource provider

Name | Type | Description
---|---|---
error | CloudErrorBody | An error response from Key Vault resource provider

CloudErrorBody

An error response from Key Vault resource provider

Name | Type | Description
---|---|---
code | string | Error code. This is a mnemonic that can be consumed programmatically.
message | string | User-friendly error message. The message is typically localized and may vary with service version.
KeyPermissions

Permissions to keys

Name | Type
---|---
all | string
backup | string
create | string
decrypt | string
delete | string
encrypt | string
get | string
getrotationpolicy | string
import | string
list | string
purge | string
recover | string
release | string
restore | string
rotate | string
setrotationpolicy | string
sign | string
unwrapKey | string
update | string
verify | string
wrapKey | string
Permissions

Permissions the identity has for keys, secrets, certificates and storage.

Name | Type | Description
---|---|---
certificates | CertificatePermissions[] | Permissions to certificates
keys | KeyPermissions[] | Permissions to keys
secrets | SecretPermissions[] | Permissions to secrets
storage | StoragePermissions[] | Permissions to storage accounts
SecretPermissions

Permissions to secrets

Name | Type
---|---
all | string
backup | string
delete | string
get | string
list | string
purge | string
recover | string
restore | string
set | string

StoragePermissions

Permissions to storage accounts

Name | Type
---|---
all | string
backup | string
delete | string
deletesas | string
get | string
getsas | string
list | string
listsas | string
purge | string
recover | string
regeneratekey | string
restore | string
set | string
setsas | string
update | string
VaultAccessPolicyParameters

Parameters for updating the access policy in a vault

Name | Type | Description
---|---|---
id | string | The resource id of the access policy.
location | string | The resource type of the access policy.
name | string | The resource name of the access policy.
properties | VaultAccessPolicyProperties | Properties of the access policy
type | string | The resource name of the access policy.

VaultAccessPolicyProperties

Properties of the vault access policy

Name | Type | Description
---|---|---
accessPolicies | AccessPolicyEntry[] | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.
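The request URI and body above, together with the permission enumerations in Definitions, are enough to lint a change before it is sent. The following is an added example (not Azure or Microsoft code) that builds the URI for a given operationKind and checks an accessPolicies array against the constraints this page states: at most 16 entries, every tenantId equal to the vault's, unique objectId values, permission names drawn only from the listed enumerations, and a warning wherever `all` is granted. The GUIDs in the sample are constructed placeholders.

```python
# Permission names exactly as enumerated in this page's Definitions section.
KEY_PERMS = {"all", "backup", "create", "decrypt", "delete", "encrypt", "get",
             "getrotationpolicy", "import", "list", "purge", "recover", "release",
             "restore", "rotate", "setrotationpolicy", "sign", "unwrapKey",
             "update", "verify", "wrapKey"}
SECRET_PERMS = {"all", "backup", "delete", "get", "list", "purge", "recover",
                "restore", "set"}
CERT_PERMS = {"all", "backup", "create", "delete", "deleteissuers", "get",
              "getissuers", "import", "list", "listissuers", "managecontacts",
              "manageissuers", "purge", "recover", "restore", "setissuers", "update"}
STORAGE_PERMS = {"all", "backup", "delete", "deletesas", "get", "getsas", "list",
                 "listsas", "purge", "recover", "regeneratekey", "restore", "set",
                 "setsas", "update"}
ALLOWED = {"keys": KEY_PERMS, "secrets": SECRET_PERMS,
           "certificates": CERT_PERMS, "storage": STORAGE_PERMS}
OPERATION_KINDS = {"add", "remove", "replace"}  # AccessPolicyUpdateKind

def build_url(subscription_id, resource_group, vault_name, operation_kind):
    """Request URI for this operation; rejects an unknown operationKind up front."""
    if operation_kind not in OPERATION_KINDS:
        raise ValueError(f"unknown operationKind {operation_kind!r}")
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}/providers/Microsoft.KeyVault"
            f"/vaults/{vault_name}/accessPolicies/{operation_kind}?api-version=2022-07-01")

def check_policies(vault_tenant_id, policies):
    """Return findings ('error: ...' or 'warn: ...'); an empty list means clean."""
    findings = []
    if len(policies) > 16:  # VaultAccessPolicyProperties allows 0 to 16 entries
        findings.append("error: more than 16 access policies in one request")
    seen = set()
    for i, p in enumerate(policies):
        if p.get("tenantId") != vault_tenant_id:  # all entries must share the vault tenant
            findings.append(f"error: policy {i} tenantId differs from the vault's tenant")
        if p.get("objectId") in seen:  # objectId must be unique in the list
            findings.append(f"error: policy {i} repeats objectId {p.get('objectId')}")
        seen.add(p.get("objectId"))
        for kind, values in p.get("permissions", {}).items():
            if kind not in ALLOWED:
                findings.append(f"error: policy {i} has unknown permission set {kind!r}")
            elif set(values) - ALLOWED[kind]:
                findings.append(f"error: policy {i} {kind}: {sorted(set(values) - ALLOWED[kind])}")
            elif "all" in values:  # legal, but worth a least-privilege review
                findings.append(f"warn: policy {i} grants every {kind} permission")
    return findings

# Constructed sample mirroring this page's sample request (placeholder GUIDs).
SAMPLE_POLICIES = [{"tenantId": "00000000-0000-0000-0000-000000000000",
                    "objectId": "00000000-0000-0000-0000-000000000000",
                    "permissions": {"keys": ["encrypt"], "secrets": ["get"], "certificates": ["get"]}}]
```

Running `check_policies` against the vault's tenant ID before the PUT turns a rejected request, or an over-broad grant, into a local finding instead of a surprise in the resource provider's CloudError.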