Key Vault Access Policy for managing policies on existing vaults.
Import
An existing resource can be imported using its type token, name, and identifier, e.g.
$ pulumi import azure-native:keyvault:AccessPolicy myresource1 /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/accessPolicy/{policy.objectId}
Create AccessPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AccessPolicy(name: string, args: AccessPolicyArgs, opts?: CustomResourceOptions);

@overload
def AccessPolicy(resource_name: str,
                 args: AccessPolicyArgs,
                 opts: Optional[ResourceOptions] = None)

@overload
def AccessPolicy(resource_name: str,
                 opts: Optional[ResourceOptions] = None,
                 policy: Optional[AccessPolicyEntryArgs] = None,
                 resource_group_name: Optional[str] = None,
                 vault_name: Optional[str] = None)

func NewAccessPolicy(ctx *Context, name string, args AccessPolicyArgs, opts ...ResourceOption) (*AccessPolicy, error)

public AccessPolicy(string name, AccessPolicyArgs args, CustomResourceOptions? opts = null)

public AccessPolicy(String name, AccessPolicyArgs args)
public AccessPolicy(String name, AccessPolicyArgs args, CustomResourceOptions options)

type: azure-native:keyvault:AccessPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AccessPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AccessPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AccessPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AccessPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AccessPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var accessPolicyResource = new AzureNative.KeyVault.AccessPolicy("accessPolicyResource", new()
{
    Policy = new AzureNative.KeyVault.Inputs.AccessPolicyEntryArgs
    {
        ObjectId = "string",
        Permissions = new AzureNative.KeyVault.Inputs.PermissionsArgs
        {
            Certificates = new[]
            {
                "string",
            },
            Keys = new[]
            {
                "string",
            },
            Secrets = new[]
            {
                "string",
            },
            Storage = new[]
            {
                "string",
            },
        },
        TenantId = "string",
        ApplicationId = "string",
    },
    ResourceGroupName = "string",
    VaultName = "string",
});

example, err := keyvault.NewAccessPolicy(ctx, "accessPolicyResource", &keyvault.AccessPolicyArgs{
    Policy: &keyvault.AccessPolicyEntryArgs{
        ObjectId: pulumi.String("string"),
        Permissions: &keyvault.PermissionsArgs{
            Certificates: pulumi.StringArray{
                pulumi.String("string"),
            },
            Keys: pulumi.StringArray{
                pulumi.String("string"),
            },
            Secrets: pulumi.StringArray{
                pulumi.String("string"),
            },
            Storage: pulumi.StringArray{
                pulumi.String("string"),
            },
        },
        TenantId: pulumi.String("string"),
        ApplicationId: pulumi.String("string"),
    },
    ResourceGroupName: pulumi.String("string"),
    VaultName: pulumi.String("string"),
})

var accessPolicyResource = new com.pulumi.azurenative.keyvault.AccessPolicy("accessPolicyResource", com.pulumi.azurenative.keyvault.AccessPolicyArgs.builder()
    .policy(AccessPolicyEntryArgs.builder()
        .objectId("string")
        .permissions(PermissionsArgs.builder()
            .certificates("string")
            .keys("string")
            .secrets("string")
            .storage("string")
            .build())
        .tenantId("string")
        .applicationId("string")
        .build())
    .resourceGroupName("string")
    .vaultName("string")
    .build());

access_policy_resource = azure_native.keyvault.AccessPolicy("accessPolicyResource",
    policy={
        "object_id": "string",
        "permissions": {
            "certificates": ["string"],
            "keys": ["string"],
            "secrets": ["string"],
            "storage": ["string"],
        },
        "tenant_id": "string",
        "application_id": "string",
    },
    resource_group_name="string",
    vault_name="string")

const accessPolicyResource = new azure_native.keyvault.AccessPolicy("accessPolicyResource", {
    policy: {
        objectId: "string",
        permissions: {
            certificates: ["string"],
            keys: ["string"],
            secrets: ["string"],
            storage: ["string"],
        },
        tenantId: "string",
        applicationId: "string",
    },
    resourceGroupName: "string",
    vaultName: "string",
});

type: azure-native:keyvault:AccessPolicy
properties:
    policy:
        applicationId: string
        objectId: string
        permissions:
            certificates:
                - string
            keys:
                - string
            secrets:
                - string
            storage:
                - string
        tenantId: string
    resourceGroupName: string
    vaultName: string
AccessPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The AccessPolicy resource accepts the following input properties:
- Policy Pulumi.AzureNative.KeyVault.Inputs.AccessPolicyEntry
- The definition of the access policy.
- ResourceGroupName string
- Name of the resource group that contains the vault.
- VaultName string
- Name of the Key Vault.

- Policy AccessPolicyEntryArgs
- The definition of the access policy.
- ResourceGroupName string
- Name of the resource group that contains the vault.
- VaultName string
- Name of the Key Vault.

- policy AccessPolicyEntry
- The definition of the access policy.
- resourceGroupName String
- Name of the resource group that contains the vault.
- vaultName String
- Name of the Key Vault.

- policy AccessPolicyEntry
- The definition of the access policy.
- resourceGroupName string
- Name of the resource group that contains the vault.
- vaultName string
- Name of the Key Vault.

- policy AccessPolicyEntryArgs
- The definition of the access policy.
- resource_group_name str
- Name of the resource group that contains the vault.
- vault_name str
- Name of the Key Vault.

- policy Property Map
- The definition of the access policy.
- resourceGroupName String
- Name of the resource group that contains the vault.
- vaultName String
- Name of the Key Vault.
Outputs
All input properties are implicitly available as output properties. Additionally, the AccessPolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Supporting Types
AccessPolicyEntry, AccessPolicyEntryArgs
An identity that has access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.

- ObjectId string
- The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
- Permissions Pulumi.AzureNative.KeyVault.Inputs.Permissions
- Permissions the identity has for keys, secrets and certificates.
- TenantId string
- The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- ApplicationId string
- Application ID of the client making the request on behalf of a principal.

- ObjectId string
- The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
- Permissions Permissions
- Permissions the identity has for keys, secrets and certificates.
- TenantId string
- The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- ApplicationId string
- Application ID of the client making the request on behalf of a principal.

- objectId String
- The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
- permissions Permissions
- Permissions the identity has for keys, secrets and certificates.
- tenantId String
- The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- applicationId String
- Application ID of the client making the request on behalf of a principal.

- objectId string
- The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
- permissions Permissions
- Permissions the identity has for keys, secrets and certificates.
- tenantId string
- The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- applicationId string
- Application ID of the client making the request on behalf of a principal.

- object_id str
- The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
- permissions Permissions
- Permissions the identity has for keys, secrets and certificates.
- tenant_id str
- The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- application_id str
- Application ID of the client making the request on behalf of a principal.

- objectId String
- The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
- permissions Property Map
- Permissions the identity has for keys, secrets and certificates.
- tenantId String
- The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- applicationId String
- Application ID of the client making the request on behalf of a principal.
CertificatePermissions, CertificatePermissionsArgs
- All: all
- @Get: get
- List: list
- Delete: delete
- Create: create
- Import: import
- Update: update
- Managecontacts: managecontacts
- Getissuers: getissuers
- Listissuers: listissuers
- Setissuers: setissuers
- Deleteissuers: deleteissuers
- Manageissuers: manageissuers
- Recover: recover
- Purge: purge
- Backup: backup
- Restore: restore

- CertificatePermissionsAll: all
- CertificatePermissionsGet: get
- CertificatePermissionsList: list
- CertificatePermissionsDelete: delete
- CertificatePermissionsCreate: create
- CertificatePermissionsImport: import
- CertificatePermissionsUpdate: update
- CertificatePermissionsManagecontacts: managecontacts
- CertificatePermissionsGetissuers: getissuers
- CertificatePermissionsListissuers: listissuers
- CertificatePermissionsSetissuers: setissuers
- CertificatePermissionsDeleteissuers: deleteissuers
- CertificatePermissionsManageissuers: manageissuers
- CertificatePermissionsRecover: recover
- CertificatePermissionsPurge: purge
- CertificatePermissionsBackup: backup
- CertificatePermissionsRestore: restore

- All: all
- Get: get
- List: list
- Delete: delete
- Create: create
- Import_: import
- Update: update
- Managecontacts: managecontacts
- Getissuers: getissuers
- Listissuers: listissuers
- Setissuers: setissuers
- Deleteissuers: deleteissuers
- Manageissuers: manageissuers
- Recover: recover
- Purge: purge
- Backup: backup
- Restore: restore

- All: all
- Get: get
- List: list
- Delete: delete
- Create: create
- Import: import
- Update: update
- Managecontacts: managecontacts
- Getissuers: getissuers
- Listissuers: listissuers
- Setissuers: setissuers
- Deleteissuers: deleteissuers
- Manageissuers: manageissuers
- Recover: recover
- Purge: purge
- Backup: backup
- Restore: restore

- ALL: all
- GET: get
- LIST: list
- DELETE: delete
- CREATE: create
- IMPORT_: import
- UPDATE: update
- MANAGECONTACTS: managecontacts
- GETISSUERS: getissuers
- LISTISSUERS: listissuers
- SETISSUERS: setissuers
- DELETEISSUERS: deleteissuers
- MANAGEISSUERS: manageissuers
- RECOVER: recover
- PURGE: purge
- BACKUP: backup
- RESTORE: restore

- "all": all
- "get": get
- "list": list
- "delete": delete
- "create": create
- "import": import
- "update": update
- "managecontacts": managecontacts
- "getissuers": getissuers
- "listissuers": listissuers
- "setissuers": setissuers
- "deleteissuers": deleteissuers
- "manageissuers": manageissuers
- "recover": recover
- "purge": purge
- "backup": backup
- "restore": restore
KeyPermissions, KeyPermissionsArgs
- All: all
- Encrypt: encrypt
- Decrypt: decrypt
- WrapKey: wrapKey
- UnwrapKey: unwrapKey
- Sign: sign
- Verify: verify
- @Get: get
- List: list
- Create: create
- Update: update
- Import: import
- Delete: delete
- Backup: backup
- Restore: restore
- Recover: recover
- Purge: purge
- Release: release
- Rotate: rotate
- Getrotationpolicy: getrotationpolicy
- Setrotationpolicy: setrotationpolicy

- KeyPermissionsAll: all
- KeyPermissionsEncrypt: encrypt
- KeyPermissionsDecrypt: decrypt
- KeyPermissionsWrapKey: wrapKey
- KeyPermissionsUnwrapKey: unwrapKey
- KeyPermissionsSign: sign
- KeyPermissionsVerify: verify
- KeyPermissionsGet: get
- KeyPermissionsList: list
- KeyPermissionsCreate: create
- KeyPermissionsUpdate: update
- KeyPermissionsImport: import
- KeyPermissionsDelete: delete
- KeyPermissionsBackup: backup
- KeyPermissionsRestore: restore
- KeyPermissionsRecover: recover
- KeyPermissionsPurge: purge
- KeyPermissionsRelease: release
- KeyPermissionsRotate: rotate
- KeyPermissionsGetrotationpolicy: getrotationpolicy
- KeyPermissionsSetrotationpolicy: setrotationpolicy

- All: all
- Encrypt: encrypt
- Decrypt: decrypt
- WrapKey: wrapKey
- UnwrapKey: unwrapKey
- Sign: sign
- Verify: verify
- Get: get
- List: list
- Create: create
- Update: update
- Import_: import
- Delete: delete
- Backup: backup
- Restore: restore
- Recover: recover
- Purge: purge
- Release: release
- Rotate: rotate
- Getrotationpolicy: getrotationpolicy
- Setrotationpolicy: setrotationpolicy

- All: all
- Encrypt: encrypt
- Decrypt: decrypt
- WrapKey: wrapKey
- UnwrapKey: unwrapKey
- Sign: sign
- Verify: verify
- Get: get
- List: list
- Create: create
- Update: update
- Import: import
- Delete: delete
- Backup: backup
- Restore: restore
- Recover: recover
- Purge: purge
- Release: release
- Rotate: rotate
- Getrotationpolicy: getrotationpolicy
- Setrotationpolicy: setrotationpolicy

- ALL: all
- ENCRYPT: encrypt
- DECRYPT: decrypt
- WRAP_KEY: wrapKey
- UNWRAP_KEY: unwrapKey
- SIGN: sign
- VERIFY: verify
- GET: get
- LIST: list
- CREATE: create
- UPDATE: update
- IMPORT_: import
- DELETE: delete
- BACKUP: backup
- RESTORE: restore
- RECOVER: recover
- PURGE: purge
- RELEASE: release
- ROTATE: rotate
- GETROTATIONPOLICY: getrotationpolicy
- SETROTATIONPOLICY: setrotationpolicy

- "all": all
- "encrypt": encrypt
- "decrypt": decrypt
- "wrapKey": wrapKey
- "unwrapKey": unwrapKey
- "sign": sign
- "verify": verify
- "get": get
- "list": list
- "create": create
- "update": update
- "import": import
- "delete": delete
- "backup": backup
- "restore": restore
- "recover": recover
- "purge": purge
- "release": release
- "rotate": rotate
- "getrotationpolicy": getrotationpolicy
- "setrotationpolicy": setrotationpolicy
Permissions, PermissionsArgs
Permissions the identity has for keys, secrets, certificates and storage.

- Certificates List<Union<string, Pulumi.AzureNative.KeyVault.CertificatePermissions>>
- Permissions to certificates
- Keys List<Union<string, Pulumi.AzureNative.KeyVault.KeyPermissions>>
- Permissions to keys
- Secrets List<Union<string, Pulumi.AzureNative.KeyVault.SecretPermissions>>
- Permissions to secrets
- Storage List<Union<string, Pulumi.AzureNative.KeyVault.StoragePermissions>>
- Permissions to storage accounts

- Certificates []string
- Permissions to certificates
- Keys []string
- Permissions to keys
- Secrets []string
- Permissions to secrets
- Storage []string
- Permissions to storage accounts

- certificates List<Either<String,CertificatePermissions>>
- Permissions to certificates
- keys List<Either<String,KeyPermissions>>
- Permissions to keys
- secrets List<Either<String,SecretPermissions>>
- Permissions to secrets
- storage List<Either<String,StoragePermissions>>
- Permissions to storage accounts

- certificates (string | CertificatePermissions)[]
- Permissions to certificates
- keys (string | KeyPermissions)[]
- Permissions to keys
- secrets (string | SecretPermissions)[]
- Permissions to secrets
- storage (string | StoragePermissions)[]
- Permissions to storage accounts

- certificates Sequence[Union[str, CertificatePermissions]]
- Permissions to certificates
- keys Sequence[Union[str, KeyPermissions]]
- Permissions to keys
- secrets Sequence[Union[str, SecretPermissions]]
- Permissions to secrets
- storage Sequence[Union[str, StoragePermissions]]
- Permissions to storage accounts

- certificates List<String | "all" | "get" | "list" | "delete" | "create" | "import" | "update" | "managecontacts" | "getissuers" | "listissuers" | "setissuers" | "deleteissuers" | "manageissuers" | "recover" | "purge" | "backup" | "restore">
- Permissions to certificates
- keys List<String | "all" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "sign" | "verify" | "get" | "list" | "create" | "update" | "import" | "delete" | "backup" | "restore" | "recover" | "purge" | "release" | "rotate" | "getrotationpolicy" | "setrotationpolicy">
- Permissions to keys
- secrets List<String | "all" | "get" | "list" | "set" | "delete" | "backup" | "restore" | "recover" | "purge">
- Permissions to secrets
- storage List<String | "all" | "get" | "list" | "delete" | "set" | "update" | "regeneratekey" | "recover" | "purge" | "backup" | "restore" | "setsas" | "listsas" | "getsas" | "deletesas">
- Permissions to storage accounts
SecretPermissions, SecretPermissionsArgs
- All: all
- @Get: get
- List: list
- @Set: set
- Delete: delete
- Backup: backup
- Restore: restore
- Recover: recover
- Purge: purge

- SecretPermissionsAll: all
- SecretPermissionsGet: get
- SecretPermissionsList: list
- SecretPermissionsSet: set
- SecretPermissionsDelete: delete
- SecretPermissionsBackup: backup
- SecretPermissionsRestore: restore
- SecretPermissionsRecover: recover
- SecretPermissionsPurge: purge

- All: all
- Get: get
- List: list
- Set: set
- Delete: delete
- Backup: backup
- Restore: restore
- Recover: recover
- Purge: purge

- All: all
- Get: get
- List: list
- Set: set
- Delete: delete
- Backup: backup
- Restore: restore
- Recover: recover
- Purge: purge

- ALL: all
- GET: get
- LIST: list
- SET: set
- DELETE: delete
- BACKUP: backup
- RESTORE: restore
- RECOVER: recover
- PURGE: purge

- "all": all
- "get": get
- "list": list
- "set": set
- "delete": delete
- "backup": backup
- "restore": restore
- "recover": recover
- "purge": purge
StoragePermissions, StoragePermissionsArgs
- All: all
- @Get: get
- List: list
- Delete: delete
- @Set: set
- Update: update
- Regeneratekey: regeneratekey
- Recover: recover
- Purge: purge
- Backup: backup
- Restore: restore
- Setsas: setsas
- Listsas: listsas
- Getsas: getsas
- Deletesas: deletesas

- StoragePermissionsAll: all
- StoragePermissionsGet: get
- StoragePermissionsList: list
- StoragePermissionsDelete: delete
- StoragePermissionsSet: set
- StoragePermissionsUpdate: update
- StoragePermissionsRegeneratekey: regeneratekey
- StoragePermissionsRecover: recover
- StoragePermissionsPurge: purge
- StoragePermissionsBackup: backup
- StoragePermissionsRestore: restore
- StoragePermissionsSetsas: setsas
- StoragePermissionsListsas: listsas
- StoragePermissionsGetsas: getsas
- StoragePermissionsDeletesas: deletesas

- All: all
- Get: get
- List: list
- Delete: delete
- Set: set
- Update: update
- Regeneratekey: regeneratekey
- Recover: recover
- Purge: purge
- Backup: backup
- Restore: restore
- Setsas: setsas
- Listsas: listsas
- Getsas: getsas
- Deletesas: deletesas

- All: all
- Get: get
- List: list
- Delete: delete
- Set: set
- Update: update
- Regeneratekey: regeneratekey
- Recover: recover
- Purge: purge
- Backup: backup
- Restore: restore
- Setsas: setsas
- Listsas: listsas
- Getsas: getsas
- Deletesas: deletesas

- ALL: all
- GET: get
- LIST: list
- DELETE: delete
- SET: set
- UPDATE: update
- REGENERATEKEY: regeneratekey
- RECOVER: recover
- PURGE: purge
- BACKUP: backup
- RESTORE: restore
- SETSAS: setsas
- LISTSAS: listsas
- GETSAS: getsas
- DELETESAS: deletesas

- "all": all
- "get": get
- "list": list
- "delete": delete
- "set": set
- "update": update
- "regeneratekey": regeneratekey
- "recover": recover
- "purge": purge
- "backup": backup
- "restore": restore
- "setsas": setsas
- "listsas": listsas
- "getsas": getsas
- "deletesas": deletesas
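The permission inputs above are typed as a union of plain string and enum, so the types alone do not catch a misspelled or over-broad value. The following is an added example, not code from Pulumi or the provider: a pre-deployment check over a policy dictionary in the shape of the Python constructor example, using the permission values listed on this page. The names audit_policy and NEEDS_REVIEW, the choice of "all" and "purge" as review triggers, and the sample GUIDs are assumptions of this example.

```python
import re

# Permission values copied from the enumerations listed on this page.
ALLOWED = {
    "certificates": {"all", "get", "list", "delete", "create", "import", "update",
                     "managecontacts", "getissuers", "listissuers", "setissuers",
                     "deleteissuers", "manageissuers", "recover", "purge", "backup",
                     "restore"},
    "keys": {"all", "encrypt", "decrypt", "wrapKey", "unwrapKey", "sign", "verify",
             "get", "list", "create", "update", "import", "delete", "backup",
             "restore", "recover", "purge", "release", "rotate",
             "getrotationpolicy", "setrotationpolicy"},
    "secrets": {"all", "get", "list", "set", "delete", "backup", "restore",
                "recover", "purge"},
    "storage": {"all", "get", "list", "delete", "set", "update", "regeneratekey",
                "recover", "purge", "backup", "restore", "setsas", "listsas",
                "getsas", "deletesas"},
}
# Assumption of this example, not a provider rule: grants a reviewer must justify.
NEEDS_REVIEW = {"all", "purge"}
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def audit_policy(policy, vault_tenant_id):
    """Return (severity, message) findings for one access policy entry dict."""
    findings = []
    for field in ("object_id", "tenant_id"):
        if not GUID.match(str(policy.get(field, ""))):
            findings.append(("error", f"{field} is not a GUID"))
    # The page requires every identity to use the vault's own tenant ID.
    if str(policy.get("tenant_id", "")).lower() != vault_tenant_id.lower():
        findings.append(("error", "tenant_id differs from the vault's tenant ID"))
    perms = policy.get("permissions") or {}
    for kind in sorted(perms):
        if kind not in ALLOWED:
            findings.append(("error", f"unknown permission group '{kind}'"))
            continue
        for value in perms[kind]:
            if value not in ALLOWED[kind]:
                findings.append(("error", f"{kind}: '{value}' is not a listed value"))
            elif value in NEEDS_REVIEW:
                findings.append(("warn", f"{kind}: '{value}' needs justification"))
    if not any(perms.get(kind) for kind in ALLOWED):
        findings.append(("warn", "policy grants no permissions"))
    return findings


# Constructed sample input in the dictionary shape of the Python constructor example.
VAULT_TENANT = "11111111-1111-1111-1111-111111111111"
READER = {
    "object_id": "22222222-2222-2222-2222-222222222222",
    "tenant_id": VAULT_TENANT,
    "permissions": {"secrets": ["get", "list"]},
}
BROAD = {
    "object_id": "33333333-3333-3333-3333-333333333333",
    "tenant_id": "44444444-4444-4444-4444-444444444444",
    "permissions": {"keys": ["all"], "secrets": ["get", "purge", "sett"]},
}

if __name__ == "__main__":
    for name, entry in (("reader", READER), ("broad", BROAD)):
        for severity, message in audit_policy(entry, VAULT_TENANT):
            print(f"{name}: {severity}: {message}")
```

The comparison is an exact match against the spellings listed on this page, so a differently cased value such as "wrapkey" is reported as not listed.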
Package Details
- Repository
- Azure Native pulumi/pulumi-azure-native
- License
- Apache-2.0
