Azure Classic

Pulumi Official
Package maintained by Pulumi
v5.8.0 published on Friday, May 27, 2022 by Pulumi

AccessPolicy

Manages a Key Vault Access Policy.

NOTE: It’s possible to define Key Vault Access Policies both within the azure.keyvault.KeyVault resource via the access_policy block and by using the azure.keyvault.AccessPolicy resource. However it’s not possible to use both methods to manage Access Policies within a KeyVault, since there’ll be conflicts.

NOTE: Azure permits a maximum of 1024 Access Policies per Key Vault - more information can be found in this document.

Example Usage

using Pulumi;
using Azure = Pulumi.Azure;

class MyStack : Stack
{
    public MyStack()
    {
        var current = Output.Create(Azure.Core.GetClientConfig.InvokeAsync());
        var exampleResourceGroup = new Azure.Core.ResourceGroup("exampleResourceGroup", new Azure.Core.ResourceGroupArgs
        {
            Location = "West Europe",
        });
        var exampleKeyVault = new Azure.KeyVault.KeyVault("exampleKeyVault", new Azure.KeyVault.KeyVaultArgs
        {
            Location = exampleResourceGroup.Location,
            ResourceGroupName = exampleResourceGroup.Name,
            TenantId = current.Apply(current => current.TenantId),
            SkuName = "premium",
        });
        var exampleAccessPolicy = new Azure.KeyVault.AccessPolicy("exampleAccessPolicy", new Azure.KeyVault.AccessPolicyArgs
        {
            KeyVaultId = exampleKeyVault.Id,
            TenantId = current.Apply(current => current.TenantId),
            ObjectId = current.Apply(current => current.ObjectId),
            KeyPermissions = 
            {
                "Get",
            },
            SecretPermissions = 
            {
                "Get",
            },
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/keyvault"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := core.GetClientConfig(ctx, nil, nil)
		if err != nil {
			return err
		}
		exampleResourceGroup, err := core.NewResourceGroup(ctx, "exampleResourceGroup", &core.ResourceGroupArgs{
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}
		exampleKeyVault, err := keyvault.NewKeyVault(ctx, "exampleKeyVault", &keyvault.KeyVaultArgs{
			Location:          exampleResourceGroup.Location,
			ResourceGroupName: exampleResourceGroup.Name,
			TenantId:          pulumi.String(current.TenantId),
			SkuName:           pulumi.String("premium"),
		})
		if err != nil {
			return err
		}
		_, err = keyvault.NewAccessPolicy(ctx, "exampleAccessPolicy", &keyvault.AccessPolicyArgs{
			KeyVaultId: exampleKeyVault.ID(),
			TenantId:   pulumi.String(current.TenantId),
			ObjectId:   pulumi.String(current.ObjectId),
			KeyPermissions: pulumi.StringArray{
				pulumi.String("Get"),
			},
			SecretPermissions: pulumi.StringArray{
				pulumi.String("Get"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var current = Output.of(CoreFunctions.getClientConfig());

        var exampleResourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()        
            .location("West Europe")
            .build());

        var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()        
            .location(exampleResourceGroup.location())
            .resourceGroupName(exampleResourceGroup.name())
            .tenantId(current.apply(getClientConfigResult -> getClientConfigResult.tenantId()))
            .skuName("premium")
            .build());

        var exampleAccessPolicy = new AccessPolicy("exampleAccessPolicy", AccessPolicyArgs.builder()        
            .keyVaultId(exampleKeyVault.id())
            .tenantId(current.apply(getClientConfigResult -> getClientConfigResult.tenantId()))
            .objectId(current.apply(getClientConfigResult -> getClientConfigResult.objectId()))
            .keyPermissions("Get")
            .secretPermissions("Get")
            .build());

    }
}
import pulumi
import pulumi_azure as azure

current = azure.core.get_client_config()
example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West Europe")
example_key_vault = azure.keyvault.KeyVault("exampleKeyVault",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    tenant_id=current.tenant_id,
    sku_name="premium")
example_access_policy = azure.keyvault.AccessPolicy("exampleAccessPolicy",
    key_vault_id=example_key_vault.id,
    tenant_id=current.tenant_id,
    object_id=current.object_id,
    key_permissions=["Get"],
    secret_permissions=["Get"])
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const current = azure.core.getClientConfig({});
const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West Europe"});
const exampleKeyVault = new azure.keyvault.KeyVault("exampleKeyVault", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    tenantId: current.then(current => current.tenantId),
    skuName: "premium",
});
const exampleAccessPolicy = new azure.keyvault.AccessPolicy("exampleAccessPolicy", {
    keyVaultId: exampleKeyVault.id,
    tenantId: current.then(current => current.tenantId),
    objectId: current.then(current => current.objectId),
    keyPermissions: ["Get"],
    secretPermissions: ["Get"],
});
resources:
  exampleResourceGroup:
    type: azure:core:ResourceGroup
    properties:
      location: West Europe
  exampleKeyVault:
    type: azure:keyvault:KeyVault
    properties:
      location: ${exampleResourceGroup.location}
      resourceGroupName: ${exampleResourceGroup.name}
      tenantId: ${current.tenantId}
      skuName: premium
  exampleAccessPolicy:
    type: azure:keyvault:AccessPolicy
    properties:
      keyVaultId: ${exampleKeyVault.id}
      tenantId: ${current.tenantId}
      objectId: ${current.objectId}
      keyPermissions:
        - Get
      secretPermissions:
        - Get
variables:
  current:
    Fn::Invoke:
      Function: azure:core:getClientConfig
      Arguments: {}

Create a AccessPolicy Resource

new AccessPolicy(name: string, args: AccessPolicyArgs, opts?: CustomResourceOptions);
@overload
def AccessPolicy(resource_name: str,
                 opts: Optional[ResourceOptions] = None,
                 application_id: Optional[str] = None,
                 certificate_permissions: Optional[Sequence[str]] = None,
                 key_permissions: Optional[Sequence[str]] = None,
                 key_vault_id: Optional[str] = None,
                 object_id: Optional[str] = None,
                 secret_permissions: Optional[Sequence[str]] = None,
                 storage_permissions: Optional[Sequence[str]] = None,
                 tenant_id: Optional[str] = None)
@overload
def AccessPolicy(resource_name: str,
                 args: AccessPolicyArgs,
                 opts: Optional[ResourceOptions] = None)
func NewAccessPolicy(ctx *Context, name string, args AccessPolicyArgs, opts ...ResourceOption) (*AccessPolicy, error)
public AccessPolicy(string name, AccessPolicyArgs args, CustomResourceOptions? opts = null)
public AccessPolicy(String name, AccessPolicyArgs args)
public AccessPolicy(String name, AccessPolicyArgs args, CustomResourceOptions options)
type: azure:keyvault:AccessPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args AccessPolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AccessPolicyArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AccessPolicyArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AccessPolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args AccessPolicyArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

AccessPolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AccessPolicy resource accepts the following input properties:

KeyVaultId string

Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

ObjectId string

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

TenantId string

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

ApplicationId string

The object ID of an Application in Azure Active Directory.

CertificatePermissions List<string>

List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.

KeyPermissions List<string>

List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.

SecretPermissions List<string>

List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.

StoragePermissions List<string>

List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

KeyVaultId string

Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

ObjectId string

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

TenantId string

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

ApplicationId string

The object ID of an Application in Azure Active Directory.

CertificatePermissions []string

List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.

KeyPermissions []string

List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.

SecretPermissions []string

List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.

StoragePermissions []string

List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

keyVaultId String

Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

objectId String

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

tenantId String

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

applicationId String

The object ID of an Application in Azure Active Directory.

certificatePermissions List<String>

List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.

keyPermissions List<String>

List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.

secretPermissions List<String>

List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.

storagePermissions List<String>

List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

keyVaultId string

Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

objectId string

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

tenantId string

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

applicationId string

The object ID of an Application in Azure Active Directory.

certificatePermissions string[]

List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.

keyPermissions string[]

List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.

secretPermissions string[]

List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.

storagePermissions string[]

List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

key_vault_id str

Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

object_id str

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

tenant_id str

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

application_id str

The object ID of an Application in Azure Active Directory.

certificate_permissions Sequence[str]

List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.

key_permissions Sequence[str]

List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.

secret_permissions Sequence[str]

List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.

storage_permissions Sequence[str]

List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

keyVaultId String

Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

objectId String

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

tenantId String

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

applicationId String

The object ID of an Application in Azure Active Directory.

certificatePermissions List<String>

List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.

keyPermissions List<String>

List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.

secretPermissions List<String>

List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.

storagePermissions List<String>

List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

Outputs

All input properties are implicitly available as output properties. Additionally, the AccessPolicy resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up an Existing AccessPolicy Resource

Get an existing AccessPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AccessPolicyState, opts?: CustomResourceOptions): AccessPolicy
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        application_id: Optional[str] = None,
        certificate_permissions: Optional[Sequence[str]] = None,
        key_permissions: Optional[Sequence[str]] = None,
        key_vault_id: Optional[str] = None,
        object_id: Optional[str] = None,
        secret_permissions: Optional[Sequence[str]] = None,
        storage_permissions: Optional[Sequence[str]] = None,
        tenant_id: Optional[str] = None) -> AccessPolicy
func GetAccessPolicy(ctx *Context, name string, id IDInput, state *AccessPolicyState, opts ...ResourceOption) (*AccessPolicy, error)
public static AccessPolicy Get(string name, Input<string> id, AccessPolicyState? state, CustomResourceOptions? opts = null)
public static AccessPolicy get(String name, Output<String> id, AccessPolicyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
ApplicationId string

The object ID of an Application in Azure Active Directory.

CertificatePermissions List<string>

List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.

KeyPermissions List<string>

List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.

KeyVaultId string

Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

ObjectId string

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

SecretPermissions List<string>

List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.

StoragePermissions List<string>

List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

TenantId string

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

ApplicationId string

The object ID of an Application in Azure Active Directory.

CertificatePermissions []string

List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.

KeyPermissions []string

List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.

KeyVaultId string

Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

ObjectId string

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

SecretPermissions []string

List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.

StoragePermissions []string

List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

TenantId string

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

applicationId String

The object ID of an Application in Azure Active Directory.

certificatePermissions List<String>

List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.

keyPermissions List<String>

List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.

keyVaultId String

Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

objectId String

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

secretPermissions List<String>

List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.

storagePermissions List<String>

List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

tenantId String

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

applicationId string

The object ID of an Application in Azure Active Directory.

certificatePermissions string[]

List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.

keyPermissions string[]

List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.

keyVaultId string

Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

objectId string

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

secretPermissions string[]

List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.

storagePermissions string[]

List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

tenantId string

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

application_id str

The object ID of an Application in Azure Active Directory.

certificate_permissions Sequence[str]

List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.

key_permissions Sequence[str]

List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.

key_vault_id str

Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

object_id str

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

secret_permissions Sequence[str]

List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.

storage_permissions Sequence[str]

List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

tenant_id str

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

applicationId String

The object ID of an Application in Azure Active Directory.

certificatePermissions List<String>

List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.

keyPermissions List<String>

List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.

keyVaultId String

Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

objectId String

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

secretPermissions List<String>

List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.

storagePermissions List<String>

List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

tenantId String

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

Import

Key Vault Access Policies can be imported using the Resource ID of the Key Vault, plus some additional metadata. If both an object_id and application_id are specified, then the Access Policy can be imported using the following code

 $ pulumi import azure:keyvault/accessPolicy:AccessPolicy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/test-vault/objectId/11111111-1111-1111-1111-111111111111/applicationId/22222222-2222-2222-2222-222222222222

where 11111111-1111-1111-1111-111111111111 is the object_id and 22222222-2222-2222-2222-222222222222 is the application_id. — Access Policies with an object_id but no application_id can be imported using the following command

 $ pulumi import azure:keyvault/accessPolicy:AccessPolicy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/test-vault/objectId/11111111-1111-1111-1111-111111111111

where 11111111-1111-1111-1111-111111111111 is the object_id.

Package Details

Repository
https://github.com/pulumi/pulumi-azure
License
Apache-2.0
Notes

This Pulumi package is based on the azurerm Terraform Provider.