Accounts - Change Key Vault

Service:: Azure NetApp Files

API Version:: 2025-12-01

Affects existing volumes that are encrypted with Key Vault/Managed HSM, and new volumes. Supports HSM to Key Vault, Key Vault to HSM, HSM to HSM and Key Vault to Key Vault.

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.NetApp/netAppAccounts/{accountName}/changeKeyVault?api-version=2025-12-01

URI Parameters

Name	In	Required	Type	Description
accountName	path	True	string pattern: ^[a-zA-Z0-9][a-zA-Z0-9\-_]{0,127}$	The name of the NetApp account
resourceGroupName	path	True	string minLength: 1 maxLength: 90	The name of the resource group. The name is case insensitive.
subscriptionId	path	True	string (uuid)	The ID of the target subscription. The value must be an UUID.
api-version	query	True	string minLength: 1	The API version to use for this operation.

Request Body

Name	Required	Type	Description
keyName	True	string	The name of the key that should be used for encryption.
keyVaultPrivateEndpoints	True	KeyVaultPrivateEndpoint[]	Pairs of virtual network ID and private endpoint ID. Every virtual network that has volumes encrypted with customer-managed keys needs its own key vault private endpoint.
keyVaultUri	True	string (uri)	The URI of the key vault/managed HSM that should be used for encryption.
keyVaultResourceId		string (arm-id)	Azure resource ID of the key vault/managed HSM that should be used for encryption.

Responses

Name

Type

Description

202 Accepted

Resource operation accepted.

Headers

Location: string
Retry-After: integer

Other Status Codes

An unexpected error response.

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	impersonate your user account

Examples

Accounts_ChangeKeyVault

Sample request

POST https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.NetApp/netAppAccounts/account1/changeKeyVault?api-version=2025-12-01

{
  "keyName": "rsakey",
  "keyVaultPrivateEndpoints": [
    {
      "privateEndpointId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/privateEndpoints/privip1",
      "virtualNetworkId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworks/vnet1"
    }
  ],
  "keyVaultResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.KeyVault/managedHSMs/my-hsm",
  "keyVaultUri": "https://my-key-vault.managedhsm.azure.net"
}


import com.azure.resourcemanager.netapp.models.ChangeKeyVault;
import com.azure.resourcemanager.netapp.models.KeyVaultPrivateEndpoint;
import java.util.Arrays;

/**
 * Samples for Accounts ChangeKeyVault.
 */
public final class Main {
    /*
     * x-ms-original-file: 2025-12-01/Accounts_ChangeKeyVault.json
     */
    /**
     * Sample code: Accounts_ChangeKeyVault.
     * 
     * @param manager Entry point to NetAppFilesManager.
     */
    public static void accountsChangeKeyVault(com.azure.resourcemanager.netapp.NetAppFilesManager manager) {
        manager.accounts().changeKeyVault("myRG", "account1", new ChangeKeyVault()
            .withKeyVaultUri("fakeTokenPlaceholder").withKeyName("fakeTokenPlaceholder")
            .withKeyVaultResourceId("fakeTokenPlaceholder")
            .withKeyVaultPrivateEndpoints(Arrays.asList(new KeyVaultPrivateEndpoint().withVirtualNetworkId(
                "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworks/vnet1")
                .withPrivateEndpointId(
                    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/privateEndpoints/privip1"))),
            com.azure.core.util.Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

from azure.identity import DefaultAzureCredential

from azure.mgmt.netapp import NetAppManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-netapp
# USAGE
    python accounts_change_key_vault.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = NetAppManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="SUBSCRIPTION_ID",
    )

    client.accounts.begin_change_key_vault(
        resource_group_name="myRG",
        account_name="account1",
    ).result()


# x-ms-original-file: 2025-12-01/Accounts_ChangeKeyVault.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armnetapp_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/netapp/armnetapp/v9"
)

// Generated from example definition: 2025-12-01/Accounts_ChangeKeyVault.json
func ExampleAccountsClient_BeginChangeKeyVault() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armnetapp.NewClientFactory("00000000-0000-0000-0000-000000000000", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	poller, err := clientFactory.NewAccountsClient().BeginChangeKeyVault(ctx, "myRG", "account1", &armnetapp.AccountsClientBeginChangeKeyVaultOptions{
		Body: &armnetapp.ChangeKeyVault{
			KeyName: to.Ptr("rsakey"),
			KeyVaultPrivateEndpoints: []*armnetapp.KeyVaultPrivateEndpoint{
				{
					PrivateEndpointID: to.Ptr("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/privateEndpoints/privip1"),
					VirtualNetworkID:  to.Ptr("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworks/vnet1"),
				},
			},
			KeyVaultResourceID: to.Ptr("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.KeyVault/managedHSMs/my-hsm"),
			KeyVaultURI:        to.Ptr("https://my-key-vault.managedhsm.azure.net"),
		}})
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	_, err = poller.PollUntilDone(ctx, nil)
	if err != nil {
		log.Fatalf("failed to pull the result: %v", err)
	}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { NetAppManagementClient } = require("@azure/arm-netapp");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to affects existing volumes that are encrypted with Key Vault/Managed HSM, and new volumes. Supports HSM to Key Vault, Key Vault to HSM, HSM to HSM and Key Vault to Key Vault.
 *
 * @summary affects existing volumes that are encrypted with Key Vault/Managed HSM, and new volumes. Supports HSM to Key Vault, Key Vault to HSM, HSM to HSM and Key Vault to Key Vault.
 * x-ms-original-file: 2025-12-01/Accounts_ChangeKeyVault.json
 */
async function accountsChangeKeyVault() {
  const credential = new DefaultAzureCredential();
  const subscriptionId = "00000000-0000-0000-0000-000000000000";
  const client = new NetAppManagementClient(credential, subscriptionId);
  await client.accounts.changeKeyVault("myRG", "account1", {
    body: {
      keyName: "rsakey",
      keyVaultPrivateEndpoints: [
        {
          privateEndpointId:
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/privateEndpoints/privip1",
          virtualNetworkId:
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworks/vnet1",
        },
      ],
      keyVaultResourceId:
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.KeyVault/managedHSMs/my-hsm",
      keyVaultUri: "https://my-key-vault.managedhsm.azure.net",
    },
  });
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

using Azure;
using Azure.ResourceManager;
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.NetApp.Models;
using Azure.ResourceManager.NetApp;

// Generated from example definition: specification/netapp/resource-manager/Microsoft.NetApp/NetApp/stable/2025-12-01/examples/Accounts_ChangeKeyVault.json
// this example is just showing the usage of "Accounts_ChangeKeyVault" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this NetAppAccountResource created on azure
// for more information of creating NetAppAccountResource, please refer to the document of NetAppAccountResource
string subscriptionId = "00000000-0000-0000-0000-000000000000";
string resourceGroupName = "myRG";
string accountName = "account1";
ResourceIdentifier netAppAccountResourceId = NetAppAccountResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, accountName);
NetAppAccountResource netAppAccount = client.GetNetAppAccountResource(netAppAccountResourceId);

// invoke the operation
NetAppChangeKeyVault body = new NetAppChangeKeyVault(new Uri("https://my-key-vault.managedhsm.azure.net"), "rsakey", new NetAppKeyVaultPrivateEndpoint[]
{
new NetAppKeyVaultPrivateEndpoint
{
VirtualNetworkId = new ResourceIdentifier("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworks/vnet1"),
PrivateEndpointId = new ResourceIdentifier("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Network/privateEndpoints/privip1"),
}
})
{
    KeyVaultResourceId = new ResourceIdentifier("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.KeyVault/managedHSMs/my-hsm"),
};
await netAppAccount.ChangeKeyVaultAsync(WaitUntil.Completed, body: body);

Console.WriteLine("Succeeded");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:: 202

Location: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.NetApp/locations/eastus/operationResults/a0216c17-f9d6-4b99-9faf-9ebd4883d0e4?api-version=2025-12-01&operationResultResponseType=Location

Definitions

Name	Description
ChangeKeyVault	Change key vault request
ErrorAdditionalInfo	The resource management error additional info.
ErrorDetail	The error detail.
ErrorResponse	Error response
KeyVaultPrivateEndpoint	Pairs of virtual network ID and private endpoint ID. Every virtual network that has volumes encrypted with customer-managed keys needs its own key vault private endpoint.

ChangeKeyVault

Object

Change key vault request

Name	Type	Description
keyName	string	The name of the key that should be used for encryption.
keyVaultPrivateEndpoints	KeyVaultPrivateEndpoint[]	Pairs of virtual network ID and private endpoint ID. Every virtual network that has volumes encrypted with customer-managed keys needs its own key vault private endpoint.
keyVaultResourceId	string (arm-id)	Azure resource ID of the key vault/managed HSM that should be used for encryption.
keyVaultUri	string (uri)	The URI of the key vault/managed HSM that should be used for encryption.

ErrorAdditionalInfo

Object

The resource management error additional info.

Name	Type	Description
info	object	The additional info.
type	string	The additional info type.

ErrorDetail

Object

The error detail.

Name	Type	Description
additionalInfo	ErrorAdditionalInfo[]	The error additional info.
code	string	The error code.
details	ErrorDetail[]	The error details.
message	string	The error message.
target	string	The error target.

ErrorResponse

Object

Error response

Name	Type	Description
error	ErrorDetail	The error object.

KeyVaultPrivateEndpoint

Object

Pairs of virtual network ID and private endpoint ID. Every virtual network that has volumes encrypted with customer-managed keys needs its own key vault private endpoint.

Name	Type	Description
privateEndpointId	string (arm-id)	Identifier of the private endpoint to reach the Azure Key Vault
virtualNetworkId	string (arm-id)	Identifier for the virtual network id