Azure Key Vault Key Vault

Microsoft.KeyVault/vaults (Azure Resource Manager)

The vaults in Microsoft.KeyVault can be configured in Azure Resource Manager with the resource name Microsoft.KeyVault/vaults. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

OTRF/Microsoft-Sentinel2Go

                            "type": "Microsoft.KeyVault/vaults",
                            "apiVersion": "2021-04-01-preview",
                            "name": "[parameters('KeyVaultNameStoringAppSecret')]",
                            "location": "[parameters('LocationNameOfKeyVaultStoringAppSecret')]",
                            "properties": {
                                "tenantId": "[subscription().tenantId]",

seanstark/Sentinel

                            "type": "Microsoft.KeyVault/vaults",
                            "apiVersion": "2021-04-01-preview",
                            "name": "[parameters('KeyVaultNameStoringAppSecret')]",
                            "location": "[parameters('LocationNameOfKeyVaultStoringAppSecret')]",
                            "properties": {
                                "tenantId": "[subscription().tenantId]",

VJchand-star/Azure

{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

Parameters

• apiVersion required - string
• location required - string

  The supported Azure location where the key vault should be created.

• name required - string

  Name of the vault

• properties required
  • accessPolicies optional array
    • applicationId optional - string

      Application ID of the client making request on behalf of a principal

    • objectId required - string

      The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.

    • permissions required
      • certificates optional - array

        Permissions to certificates

      • keys optional - array

        Permissions to keys

      • secrets optional - array

        Permissions to secrets

      • storage optional - array

        Permissions to storage accounts

    • tenantId required - string

      The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

  • createMode optional - string

    The vault's create mode to indicate whether the vault need to be recovered or not.

  • enabledForDeployment optional - boolean

    Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.

  • enabledForDiskEncryption optional - boolean

    Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.

  • enabledForTemplateDeployment optional - boolean

    Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.

  • enablePurgeProtection optional - boolean

    Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value.

  • enableRbacAuthorization optional - boolean

    Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC.

  • enableSoftDelete optional - boolean

    Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false.

  • networkAcls optional
    • bypass optional - string

      Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'.

    • defaultAction optional - string

      The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated.

    • ipRules optional array
      • value required - string

        An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78).

    • virtualNetworkRules optional array
      • id required - string

        Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'.

      • ignoreMissingVnetServiceEndpoint optional - boolean

        Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured.

  • provisioningState optional - string

    Provisioning state of the vault.

  • sku required
    • family required - string

      SKU family name

    • name required - string

      SKU name to specify whether the key vault is a standard vault or a premium vault.

  • softDeleteRetentionInDays optional - integer

    softDelete data retention days. It accepts >=7 and <=90.

  • tenantId required - string

    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

  • vaultUri optional - string

    The URI of the vault for performing operations on keys and secrets. This property is readonly

• tags optional - string

  The tags that will be assigned to the key vault.

• type required - string