We recommend using Azure Native.
azure.keyvault.KeyVault
Manages a Key Vault.
Disclaimers
Note: It’s possible to define Key Vault Access Policies both within the `azure.keyvault.KeyVault` resource via the `access_policy` block and by using the `azure.keyvault.AccessPolicy` resource. However, it’s not possible to use both methods to manage Access Policies within a KeyVault, since there’ll be conflicts.
Note: It’s possible to define Key Vault Certificate Contacts both within the `azure.keyvault.KeyVault` resource via the `contact` block and by using the `azure.keyvault.CertificateContacts` resource. However, it’s not possible to use both methods to manage Certificate Contacts within a KeyVault, since there’ll be conflicts.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
// Identity the provider is authenticated as. Its tenant scopes the vault, and
// its object ID is the only principal named in the access policy below.
const current = azure.core.getClientConfig({});
const callerTenantId = current.then(cfg => cfg.tenantId);
const callerObjectId = current.then(cfg => cfg.objectId);

const example = new azure.core.ResourceGroup("example", {
    name: "example-resources",
    location: "West Europe",
});

// Single policy entry: the deploying principal may only "Get" keys, secrets
// and storage entries. No list, set or delete permission is granted.
const readOnlyForCaller = {
    tenantId: callerTenantId,
    objectId: callerObjectId,
    keyPermissions: ["Get"],
    secretPermissions: ["Get"],
    storagePermissions: ["Get"],
};

const exampleKeyVault = new azure.keyvault.KeyVault("example", {
    name: "examplekeyvault",
    location: example.location,
    resourceGroupName: example.name,
    // Permits Azure Disk Encryption to retrieve secrets and unwrap keys.
    enabledForDiskEncryption: true,
    tenantId: callerTenantId,
    // Demo values: purge protection off and the minimum 7-day soft-delete
    // window. The property reference on this page notes that purge protection
    // cannot be disabled once enabled and that the retention period can only
    // be configured one time, so settle production values before the first
    // deployment.
    softDeleteRetentionDays: 7,
    purgeProtectionEnabled: false,
    skuName: "standard",
    // publicNetworkAccessEnabled and networkAcls are not set here, so public
    // network access keeps its documented default of true.
    accessPolicies: [readOnlyForCaller],
});
import pulumi
import pulumi_azure as azure
# Identity the provider is authenticated as. Its tenant scopes the vault, and
# its object ID is the only principal named in the access policy below.
current = azure.core.get_client_config()

example = azure.core.ResourceGroup(
    "example",
    name="example-resources",
    location="West Europe",
)

# Single policy entry: the deploying principal may only "Get" keys, secrets
# and storage entries. No list, set or delete permission is granted.
read_only_for_caller = {
    "tenant_id": current.tenant_id,
    "object_id": current.object_id,
    "key_permissions": ["Get"],
    "secret_permissions": ["Get"],
    "storage_permissions": ["Get"],
}

example_key_vault = azure.keyvault.KeyVault(
    "example",
    name="examplekeyvault",
    location=example.location,
    resource_group_name=example.name,
    # Permits Azure Disk Encryption to retrieve secrets and unwrap keys.
    enabled_for_disk_encryption=True,
    tenant_id=current.tenant_id,
    # Demo values: purge protection off and the minimum 7-day soft-delete
    # window. The property reference on this page notes that purge protection
    # cannot be disabled once enabled and that the retention period can only
    # be configured one time, so settle production values before the first
    # deployment.
    soft_delete_retention_days=7,
    purge_protection_enabled=False,
    sku_name="standard",
    # public_network_access_enabled and network_acls are not set here, so
    # public network access keeps its documented default of true.
    access_policies=[read_only_for_caller],
)
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/keyvault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs the Pulumi program: it looks up the caller's client configuration,
// creates a resource group, and creates a Key Vault whose only access policy
// grants the caller "Get" on keys, secrets and storage entries.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Identity the provider is authenticated as; supplies the tenant and
		// the single principal named in the access policy.
		clientCfg, err := core.GetClientConfig(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		tenantID := pulumi.String(clientCfg.TenantId)

		rg, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example-resources"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}

		// Read-only entry: no list, set or delete permission is granted.
		readOnlyForCaller := &keyvault.KeyVaultAccessPolicyArgs{
			TenantId:           tenantID,
			ObjectId:           pulumi.String(clientCfg.ObjectId),
			KeyPermissions:     pulumi.StringArray{pulumi.String("Get")},
			SecretPermissions:  pulumi.StringArray{pulumi.String("Get")},
			StoragePermissions: pulumi.StringArray{pulumi.String("Get")},
		}

		_, err = keyvault.NewKeyVault(ctx, "example", &keyvault.KeyVaultArgs{
			Name:              pulumi.String("examplekeyvault"),
			Location:          rg.Location,
			ResourceGroupName: rg.Name,
			// Permits Azure Disk Encryption to retrieve secrets and unwrap keys.
			EnabledForDiskEncryption: pulumi.Bool(true),
			TenantId:                 tenantID,
			// Demo values: purge protection off and the minimum 7-day
			// soft-delete window. The property reference on this page notes
			// that purge protection cannot be disabled once enabled and that
			// the retention period can only be configured one time, so settle
			// production values before the first deployment.
			SoftDeleteRetentionDays: pulumi.Int(7),
			PurgeProtectionEnabled:  pulumi.Bool(false),
			SkuName:                 pulumi.String("standard"),
			// PublicNetworkAccessEnabled and NetworkAcls are not set here, so
			// public network access keeps its documented default of true.
			AccessPolicies: keyvault.KeyVaultAccessPolicyArray{readOnlyForCaller},
		})
		// err is nil on success, so returning it directly covers both outcomes.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
    // Identity the provider is authenticated as. Its tenant scopes the vault,
    // and its object ID is the only principal named in the access policy.
    var current = Azure.Core.GetClientConfig.Invoke();
    var callerTenantId = current.Apply(cfg => cfg.TenantId);
    var callerObjectId = current.Apply(cfg => cfg.ObjectId);

    var example = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example-resources",
        Location = "West Europe",
    });

    // Read-only entry: no list, set or delete permission is granted.
    var readOnlyForCaller = new Azure.KeyVault.Inputs.KeyVaultAccessPolicyArgs
    {
        TenantId = callerTenantId,
        ObjectId = callerObjectId,
        KeyPermissions = new[] { "Get" },
        SecretPermissions = new[] { "Get" },
        StoragePermissions = new[] { "Get" },
    };

    var exampleKeyVault = new Azure.KeyVault.KeyVault("example", new()
    {
        Name = "examplekeyvault",
        Location = example.Location,
        ResourceGroupName = example.Name,
        // Permits Azure Disk Encryption to retrieve secrets and unwrap keys.
        EnabledForDiskEncryption = true,
        TenantId = callerTenantId,
        // Demo values: purge protection off and the minimum 7-day soft-delete
        // window. The property reference on this page notes that purge
        // protection cannot be disabled once enabled and that the retention
        // period can only be configured one time, so settle production values
        // before the first deployment.
        SoftDeleteRetentionDays = 7,
        PurgeProtectionEnabled = false,
        SkuName = "standard",
        // PublicNetworkAccessEnabled and NetworkAcls are not set here, so
        // public network access keeps its documented default of true.
        AccessPolicies = new[] { readOnlyForCaller },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.keyvault.KeyVault;
import com.pulumi.azure.keyvault.KeyVaultArgs;
import com.pulumi.azure.keyvault.inputs.KeyVaultAccessPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that creates a resource group and a Key Vault whose only
 * access policy grants the deploying principal {@code Get} on keys, secrets
 * and storage entries.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi deployment context passed in by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // Identity the provider is authenticated as. Its tenant scopes the
        // vault, and its object ID is the only principal in the access policy.
        final var current = CoreFunctions.getClientConfig();
        final var callerTenantId = current.applyValue(cfg -> cfg.tenantId());
        final var callerObjectId = current.applyValue(cfg -> cfg.objectId());

        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example-resources")
            .location("West Europe")
            .build());

        // Read-only entry: no list, set or delete permission is granted.
        var readOnlyForCaller = KeyVaultAccessPolicyArgs.builder()
            .tenantId(callerTenantId)
            .objectId(callerObjectId)
            .keyPermissions("Get")
            .secretPermissions("Get")
            .storagePermissions("Get")
            .build();

        var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()
            .name("examplekeyvault")
            .location(example.location())
            .resourceGroupName(example.name())
            // Permits Azure Disk Encryption to retrieve secrets and unwrap keys.
            .enabledForDiskEncryption(true)
            .tenantId(callerTenantId)
            // Demo values: purge protection off and the minimum 7-day
            // soft-delete window. The property reference on this page notes
            // that purge protection cannot be disabled once enabled and that
            // the retention period can only be configured one time, so settle
            // production values before the first deployment.
            .softDeleteRetentionDays(7)
            .purgeProtectionEnabled(false)
            .skuName("standard")
            // publicNetworkAccessEnabled and networkAcls are not set here, so
            // public network access keeps its documented default of true.
            .accessPolicies(readOnlyForCaller)
            .build());
    }
}
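# Pulumi YAML program: a resource group plus a Key Vault whose only access
# policy grants the deploying principal "Get" on keys, secrets and storage.
# Nesting is restored here; with every key at column 0 the document has
# duplicate top-level keys and no resource/property structure.
resources:
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example-resources
      location: West Europe
  exampleKeyVault:
    type: azure:keyvault:KeyVault
    name: example
    properties:
      name: examplekeyvault
      location: ${example.location}
      resourceGroupName: ${example.name}
      # Permits Azure Disk Encryption to retrieve secrets and unwrap keys.
      enabledForDiskEncryption: true
      tenantId: ${current.tenantId}
      # Demo values: purge protection off and the minimum 7-day soft-delete
      # window. Purge protection cannot be disabled once enabled and the
      # retention period can only be configured one time, so settle
      # production values before the first deployment.
      softDeleteRetentionDays: 7
      purgeProtectionEnabled: false
      skuName: standard
      # publicNetworkAccessEnabled and networkAcls are not set here, so public
      # network access keeps its documented default of true.
      accessPolicies:
        # Read-only entry: no list, set or delete permission is granted.
        - tenantId: ${current.tenantId}
          objectId: ${current.objectId}
          keyPermissions:
            - Get
          secretPermissions:
            - Get
          storagePermissions:
            - Get
variables:
  # Identity the provider is authenticated as.
  current:
    fn::invoke:
      function: azure:core:getClientConfig
      arguments: {}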
Create KeyVault Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new KeyVault(name: string, args: KeyVaultArgs, opts?: CustomResourceOptions);
@overload
def KeyVault(resource_name: str,
args: KeyVaultArgs,
opts: Optional[ResourceOptions] = None)
@overload
def KeyVault(resource_name: str,
opts: Optional[ResourceOptions] = None,
resource_group_name: Optional[str] = None,
tenant_id: Optional[str] = None,
sku_name: Optional[str] = None,
enabled_for_disk_encryption: Optional[bool] = None,
access_policies: Optional[Sequence[KeyVaultAccessPolicyArgs]] = None,
enabled_for_template_deployment: Optional[bool] = None,
location: Optional[str] = None,
name: Optional[str] = None,
network_acls: Optional[KeyVaultNetworkAclsArgs] = None,
public_network_access_enabled: Optional[bool] = None,
purge_protection_enabled: Optional[bool] = None,
enabled_for_deployment: Optional[bool] = None,
enable_rbac_authorization: Optional[bool] = None,
soft_delete_retention_days: Optional[int] = None,
tags: Optional[Mapping[str, str]] = None,
contacts: Optional[Sequence[KeyVaultContactArgs]] = None)
func NewKeyVault(ctx *Context, name string, args KeyVaultArgs, opts ...ResourceOption) (*KeyVault, error)
public KeyVault(string name, KeyVaultArgs args, CustomResourceOptions? opts = null)
public KeyVault(String name, KeyVaultArgs args)
public KeyVault(String name, KeyVaultArgs args, CustomResourceOptions options)
type: azure:keyvault:KeyVault
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args KeyVaultArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args KeyVaultArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args KeyVaultArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args KeyVaultArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args KeyVaultArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference skeleton: every value is a type placeholder ("string", false, 0),
// not a recommended setting. Replace each one before use.
var keyVaultResource = new Azure.KeyVault.KeyVault("keyVaultResource", new()
{
    ResourceGroupName = "string",
    TenantId = "string",
    // Possible values: "standard" or "premium".
    SkuName = "string",
    EnabledForDiskEncryption = false,
    // Up to 1024 entries. Do not also manage policies for the same vault with
    // the separate azure.keyvault.AccessPolicy resource; the two conflict.
    AccessPolicies = new[]
    {
        new Azure.KeyVault.Inputs.KeyVaultAccessPolicyArgs
        {
            ObjectId = "string",
            TenantId = "string",
            ApplicationId = "string",
            CertificatePermissions = new[]
            {
                "string",
            },
            KeyPermissions = new[]
            {
                "string",
            },
            SecretPermissions = new[]
            {
                "string",
            },
            StoragePermissions = new[]
            {
                "string",
            },
        },
    },
    EnabledForTemplateDeployment = false,
    Location = "string",
    Name = "string",
    // Network restrictions. DefaultAction takes "Allow" or "Deny" and Bypass
    // takes "AzureServices" or "None"; "Deny" plus explicit IpRules /
    // VirtualNetworkSubnetIds limits the vault to the listed sources.
    NetworkAcls = new Azure.KeyVault.Inputs.KeyVaultNetworkAclsArgs
    {
        Bypass = "string",
        DefaultAction = "string",
        IpRules = new[]
        {
            "string",
        },
        VirtualNetworkSubnetIds = new[]
        {
            "string",
        },
    },
    // Defaults to true when omitted.
    PublicNetworkAccessEnabled = false,
    // Once enabled, purge protection cannot be disabled.
    PurgeProtectionEnabled = false,
    EnabledForDeployment = false,
    // Selects RBAC for authorization of data actions.
    EnableRbacAuthorization = false,
    // 0 is a placeholder; the accepted range is 7 to 90 and the value can
    // only be configured one time.
    SoftDeleteRetentionDays = 0,
    Tags =
    {
        { "string", "string" },
    },
});
// Reference skeleton: every value is a type placeholder ("string", false, 0),
// not a recommended setting. Replace each one before use.
example, err := keyvault.NewKeyVault(ctx, "keyVaultResource", &keyvault.KeyVaultArgs{
	ResourceGroupName: pulumi.String("string"),
	TenantId: pulumi.String("string"),
	// Possible values: "standard" or "premium".
	SkuName: pulumi.String("string"),
	EnabledForDiskEncryption: pulumi.Bool(false),
	// Up to 1024 entries. Do not also manage policies for the same vault with
	// the separate azure.keyvault.AccessPolicy resource; the two conflict.
	AccessPolicies: keyvault.KeyVaultAccessPolicyArray{
		&keyvault.KeyVaultAccessPolicyArgs{
			ObjectId: pulumi.String("string"),
			TenantId: pulumi.String("string"),
			ApplicationId: pulumi.String("string"),
			CertificatePermissions: pulumi.StringArray{
				pulumi.String("string"),
			},
			KeyPermissions: pulumi.StringArray{
				pulumi.String("string"),
			},
			SecretPermissions: pulumi.StringArray{
				pulumi.String("string"),
			},
			StoragePermissions: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	EnabledForTemplateDeployment: pulumi.Bool(false),
	Location: pulumi.String("string"),
	Name: pulumi.String("string"),
	// Network restrictions. DefaultAction takes "Allow" or "Deny" and Bypass
	// takes "AzureServices" or "None"; "Deny" plus explicit IpRules /
	// VirtualNetworkSubnetIds limits the vault to the listed sources.
	NetworkAcls: &keyvault.KeyVaultNetworkAclsArgs{
		Bypass: pulumi.String("string"),
		DefaultAction: pulumi.String("string"),
		IpRules: pulumi.StringArray{
			pulumi.String("string"),
		},
		VirtualNetworkSubnetIds: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	// Defaults to true when omitted.
	PublicNetworkAccessEnabled: pulumi.Bool(false),
	// Once enabled, purge protection cannot be disabled.
	PurgeProtectionEnabled: pulumi.Bool(false),
	EnabledForDeployment: pulumi.Bool(false),
	// Selects RBAC for authorization of data actions.
	EnableRbacAuthorization: pulumi.Bool(false),
	// 0 is a placeholder; the accepted range is 7 to 90 and the value can
	// only be configured one time.
	SoftDeleteRetentionDays: pulumi.Int(0),
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
})
// Reference skeleton: every value is a type placeholder ("string", false, 0),
// not a recommended setting. Replace each one before use.
var keyVaultResource = new KeyVault("keyVaultResource", KeyVaultArgs.builder()
    .resourceGroupName("string")
    .tenantId("string")
    // Possible values: "standard" or "premium".
    .skuName("string")
    .enabledForDiskEncryption(false)
    // Up to 1024 entries. Do not also manage policies for the same vault with
    // the separate azure.keyvault.AccessPolicy resource; the two conflict.
    .accessPolicies(KeyVaultAccessPolicyArgs.builder()
        .objectId("string")
        .tenantId("string")
        .applicationId("string")
        .certificatePermissions("string")
        .keyPermissions("string")
        .secretPermissions("string")
        .storagePermissions("string")
        .build())
    .enabledForTemplateDeployment(false)
    .location("string")
    .name("string")
    // Network restrictions. defaultAction takes "Allow" or "Deny" and bypass
    // takes "AzureServices" or "None"; "Deny" plus explicit ipRules /
    // virtualNetworkSubnetIds limits the vault to the listed sources.
    .networkAcls(KeyVaultNetworkAclsArgs.builder()
        .bypass("string")
        .defaultAction("string")
        .ipRules("string")
        .virtualNetworkSubnetIds("string")
        .build())
    // Defaults to true when omitted.
    .publicNetworkAccessEnabled(false)
    // Once enabled, purge protection cannot be disabled.
    .purgeProtectionEnabled(false)
    .enabledForDeployment(false)
    // Selects RBAC for authorization of data actions.
    .enableRbacAuthorization(false)
    // 0 is a placeholder; the accepted range is 7 to 90 and the value can
    // only be configured one time.
    .softDeleteRetentionDays(0)
    .tags(Map.of("string", "string"))
    .build());
# Reference skeleton: every value is a type placeholder ("string", False, 0),
# not a recommended setting. Replace each one before use.
key_vault_resource = azure.keyvault.KeyVault("keyVaultResource",
    resource_group_name="string",
    tenant_id="string",
    # Possible values: "standard" or "premium".
    sku_name="string",
    enabled_for_disk_encryption=False,
    # Up to 1024 entries. Do not also manage policies for the same vault with
    # the separate azure.keyvault.AccessPolicy resource; the two conflict.
    access_policies=[{
        "object_id": "string",
        "tenant_id": "string",
        "application_id": "string",
        "certificate_permissions": ["string"],
        "key_permissions": ["string"],
        "secret_permissions": ["string"],
        "storage_permissions": ["string"],
    }],
    enabled_for_template_deployment=False,
    location="string",
    name="string",
    # Network restrictions. default_action takes "Allow" or "Deny" and bypass
    # takes "AzureServices" or "None"; "Deny" plus explicit ip_rules /
    # virtual_network_subnet_ids limits the vault to the listed sources.
    network_acls={
        "bypass": "string",
        "default_action": "string",
        "ip_rules": ["string"],
        "virtual_network_subnet_ids": ["string"],
    },
    # Defaults to true when omitted.
    public_network_access_enabled=False,
    # Once enabled, purge protection cannot be disabled.
    purge_protection_enabled=False,
    enabled_for_deployment=False,
    # Selects RBAC for authorization of data actions.
    enable_rbac_authorization=False,
    # 0 is a placeholder; the accepted range is 7 to 90 and the value can
    # only be configured one time.
    soft_delete_retention_days=0,
    tags={
        "string": "string",
    })
// Reference skeleton: every value is a type placeholder ("string", false, 0),
// not a recommended setting. Replace each one before use.
const keyVaultResource = new azure.keyvault.KeyVault("keyVaultResource", {
    resourceGroupName: "string",
    tenantId: "string",
    // Possible values: "standard" or "premium".
    skuName: "string",
    enabledForDiskEncryption: false,
    // Up to 1024 entries. Do not also manage policies for the same vault with
    // the separate azure.keyvault.AccessPolicy resource; the two conflict.
    accessPolicies: [{
        objectId: "string",
        tenantId: "string",
        applicationId: "string",
        certificatePermissions: ["string"],
        keyPermissions: ["string"],
        secretPermissions: ["string"],
        storagePermissions: ["string"],
    }],
    enabledForTemplateDeployment: false,
    location: "string",
    name: "string",
    // Network restrictions. defaultAction takes "Allow" or "Deny" and bypass
    // takes "AzureServices" or "None"; "Deny" plus explicit ipRules /
    // virtualNetworkSubnetIds limits the vault to the listed sources.
    networkAcls: {
        bypass: "string",
        defaultAction: "string",
        ipRules: ["string"],
        virtualNetworkSubnetIds: ["string"],
    },
    // Defaults to true when omitted.
    publicNetworkAccessEnabled: false,
    // Once enabled, purge protection cannot be disabled.
    purgeProtectionEnabled: false,
    enabledForDeployment: false,
    // Selects RBAC for authorization of data actions.
    enableRbacAuthorization: false,
    // 0 is a placeholder; the accepted range is 7 to 90 and the value can
    // only be configured one time.
    softDeleteRetentionDays: 0,
    tags: {
        string: "string",
    },
});
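# Reference skeleton: every value is a type placeholder (string, false, 0),
# not a recommended setting. Nesting is restored here; with every key at
# column 0 the access-policy and network-ACL fields collide with the vault's
# own keys (for example the two tenantId entries).
type: azure:keyvault:KeyVault
properties:
  # Up to 1024 entries. Do not also manage policies for the same vault with
  # the separate azure.keyvault.AccessPolicy resource; the two conflict.
  accessPolicies:
    - applicationId: string
      certificatePermissions:
        - string
      keyPermissions:
        - string
      objectId: string
      secretPermissions:
        - string
      storagePermissions:
        - string
      tenantId: string
  # Selects RBAC for authorization of data actions.
  enableRbacAuthorization: false
  enabledForDeployment: false
  enabledForDiskEncryption: false
  enabledForTemplateDeployment: false
  location: string
  name: string
  # Network restrictions. defaultAction takes Allow or Deny and bypass takes
  # AzureServices or None; Deny plus explicit ipRules /
  # virtualNetworkSubnetIds limits the vault to the listed sources.
  networkAcls:
    bypass: string
    defaultAction: string
    ipRules:
      - string
    virtualNetworkSubnetIds:
      - string
  # Defaults to true when omitted.
  publicNetworkAccessEnabled: false
  # Once enabled, purge protection cannot be disabled.
  purgeProtectionEnabled: false
  resourceGroupName: string
  # Possible values: standard or premium.
  skuName: string
  # 0 is a placeholder; the accepted range is 7 to 90 and the value can only
  # be configured one time.
  softDeleteRetentionDays: 0
  tags:
    string: string
  tenantId: string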
KeyVault Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The KeyVault resource accepts the following input properties:
- ResourceGroupName string
- The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
- SkuName string
- The Name of the SKU used for this Key Vault. Possible values are `standard` and `premium`.
- TenantId string
- The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- AccessPolicies List<KeyVaultAccessPolicy>
- A list of up to 1024 objects describing access policies, as described below.
  NOTE: Since `access_policy` can be configured both inline and via the separate `azure.keyvault.AccessPolicy` resource, we have to explicitly set it to empty slice (`[]`) to remove it.
- Contacts List<KeyVaultContact>
- EnableRbacAuthorization bool
- Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
- EnabledForDeployment bool
- Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
- EnabledForDiskEncryption bool
- Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
- EnabledForTemplateDeployment bool
- Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
- Location string
- Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
- Name string
- Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
- NetworkAcls KeyVaultNetworkAcls
- A `network_acls` block as defined below.
- PublicNetworkAccessEnabled bool
- Whether public network access is allowed for this Key Vault. Defaults to `true`.
- PurgeProtectionEnabled bool
- Is Purge Protection enabled for this Key Vault?
  Note: Once Purge Protection has been Enabled it's not possible to Disable it. Support for disabling purge protection is being tracked in this Azure API issue. Deleting the Key Vault with Purge Protection Enabled will schedule the Key Vault to be deleted (which will happen by Azure in the configured number of days, currently 90 days).
- SoftDeleteRetentionDays int
- The number of days that items should be retained for once soft-deleted. This value can be between `7` and `90` (the default) days.
  Note: This field can only be configured one time and cannot be updated.
- Tags Dictionary<string, string>
- A mapping of tags to assign to the resource.
- Resource
Group stringName - The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
- Sku
Name string - The Name of the SKU used for this Key Vault. Possible values are
standard
andpremium
. - Tenant
Id string - The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- Access
Policies []KeyVault Access Policy Args A list of up to 1024 objects describing access policies, as described below.
NOTE Since
access_policy
can be configured both inline and via the separateazure.keyvault.AccessPolicy
resource, we have to explicitly set it to empty slice ([]
) to remove it.- Contacts
[]Key
Vault Contact Args - bool
- Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
- Enabled
For boolDeployment - Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
- Enabled
For boolDisk Encryption - Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
- Enabled
For boolTemplate Deployment - Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
- Location string
- Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
- Name string
- Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
- Network
Acls KeyVault Network Acls Args - A
network_acls
block as defined below. - Public
Network boolAccess Enabled - Whether public network access is allowed for this Key Vault. Defaults to
true
. - Purge
Protection boolEnabled Is Purge Protection enabled for this Key Vault?
!> Note: Once Purge Protection has been Enabled it's not possible to Disable it. Support for disabling purge protection is being tracked in this Azure API issue. Deleting the Key Vault with Purge Protection Enabled will schedule the Key Vault to be deleted (which will happen by Azure in the configured number of days, currently 90 days).
- Soft
Delete intRetention Days The number of days that items should be retained for once soft-deleted. This value can be between
7
and90
(the default) days.Note: This field can only be configured one time and cannot be updated.
- map[string]string
- A mapping of tags to assign to the resource.
- resource
Group StringName - The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
- sku
Name String - The Name of the SKU used for this Key Vault. Possible values are
standard
andpremium
. - tenant
Id String - The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- access
Policies List<KeyVault Access Policy> A list of up to 1024 objects describing access policies, as described below.
NOTE Since
access_policy
can be configured both inline and via the separateazure.keyvault.AccessPolicy
resource, we have to explicitly set it to empty slice ([]
) to remove it.- contacts
List<Key
Vault Contact> - Boolean
- Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
- enabled
For BooleanDeployment - Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
- enabled
For BooleanDisk Encryption - Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
- enabled
For BooleanTemplate Deployment - Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
- location String
- Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
- name String
- Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
- network
Acls KeyVault Network Acls - A
network_acls
block as defined below. - public
Network BooleanAccess Enabled - Whether public network access is allowed for this Key Vault. Defaults to
true
. - purge
Protection BooleanEnabled Is Purge Protection enabled for this Key Vault?
!> Note: Once Purge Protection has been Enabled it's not possible to Disable it. Support for disabling purge protection is being tracked in this Azure API issue. Deleting the Key Vault with Purge Protection Enabled will schedule the Key Vault to be deleted (which will happen by Azure in the configured number of days, currently 90 days).
- soft
Delete IntegerRetention Days The number of days that items should be retained for once soft-deleted. This value can be between
7
and90
(the default) days.Note: This field can only be configured one time and cannot be updated.
- Map<String,String>
- A mapping of tags to assign to the resource.
- resource
Group stringName - The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
- sku
Name string - The Name of the SKU used for this Key Vault. Possible values are
standard
andpremium
. - tenant
Id string - The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- access
Policies KeyVault Access Policy[] A list of up to 1024 objects describing access policies, as described below.
NOTE Since
access_policy
can be configured both inline and via the separateazure.keyvault.AccessPolicy
resource, we have to explicitly set it to empty slice ([]
) to remove it.- contacts
Key
Vault Contact[] - boolean
- Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
- enabled
For booleanDeployment - Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
- enabled
For booleanDisk Encryption - Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
- enabled
For booleanTemplate Deployment - Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
- location string
- Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
- name string
- Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
- network
Acls KeyVault Network Acls - A
network_acls
block as defined below. - public
Network booleanAccess Enabled - Whether public network access is allowed for this Key Vault. Defaults to
true
. - purge
Protection booleanEnabled Is Purge Protection enabled for this Key Vault?
!> Note: Once Purge Protection has been Enabled it's not possible to Disable it. Support for disabling purge protection is being tracked in this Azure API issue. Deleting the Key Vault with Purge Protection Enabled will schedule the Key Vault to be deleted (which will happen by Azure in the configured number of days, currently 90 days).
- soft
Delete numberRetention Days The number of days that items should be retained for once soft-deleted. This value can be between
7
and90
(the default) days.Note: This field can only be configured one time and cannot be updated.
- {[key: string]: string}
- A mapping of tags to assign to the resource.
- resource_
group_ strname - The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
- sku_
name str - The Name of the SKU used for this Key Vault. Possible values are
standard
andpremium
. - tenant_
id str - The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- access_
policies Sequence[KeyVault Access Policy Args] A list of up to 1024 objects describing access policies, as described below.
NOTE Since
access_policy
can be configured both inline and via the separateazure.keyvault.AccessPolicy
resource, we have to explicitly set it to empty slice ([]
) to remove it.- contacts
Sequence[Key
Vault Contact Args] - bool
- Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
- enabled_
for_ booldeployment - Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
- enabled_
for_ booldisk_ encryption - Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
- enabled_
for_ booltemplate_ deployment - Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
- location str
- Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
- name str
- Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
- network_
acls KeyVault Network Acls Args - A
network_acls
block as defined below. - public_
network_ boolaccess_ enabled - Whether public network access is allowed for this Key Vault. Defaults to
true
. - purge_
protection_ boolenabled Is Purge Protection enabled for this Key Vault?
!> Note: Once Purge Protection has been Enabled it's not possible to Disable it. Support for disabling purge protection is being tracked in this Azure API issue. Deleting the Key Vault with Purge Protection Enabled will schedule the Key Vault to be deleted (which will happen by Azure in the configured number of days, currently 90 days).
- soft_
delete_ intretention_ days The number of days that items should be retained for once soft-deleted. This value can be between
7
and90
(the default) days.Note: This field can only be configured one time and cannot be updated.
- Mapping[str, str]
- A mapping of tags to assign to the resource.
- resource
Group StringName - The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
- sku
Name String - The Name of the SKU used for this Key Vault. Possible values are
standard
andpremium
. - tenant
Id String - The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- access
Policies List<Property Map> A list of up to 1024 objects describing access policies, as described below.
NOTE Since
access_policy
can be configured both inline and via the separateazure.keyvault.AccessPolicy
resource, we have to explicitly set it to empty slice ([]
) to remove it.- contacts List<Property Map>
- Boolean
- Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
- enabled
For BooleanDeployment - Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
- enabled
For BooleanDisk Encryption - Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
- enabled
For BooleanTemplate Deployment - Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
- location String
- Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
- name String
- Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
- network
Acls Property Map - A
network_acls
block as defined below. - public
Network BooleanAccess Enabled - Whether public network access is allowed for this Key Vault. Defaults to
true
. - purge
Protection BooleanEnabled Is Purge Protection enabled for this Key Vault?
!> Note: Once Purge Protection has been Enabled it's not possible to Disable it. Support for disabling purge protection is being tracked in this Azure API issue. Deleting the Key Vault with Purge Protection Enabled will schedule the Key Vault to be deleted (which will happen by Azure in the configured number of days, currently 90 days).
- soft
Delete NumberRetention Days The number of days that items should be retained for once soft-deleted. This value can be between
7
and90
(the default) days.Note: This field can only be configured one time and cannot be updated.
- Map<String>
- A mapping of tags to assign to the resource.
Outputs
All input properties are implicitly available as output properties. Additionally, the KeyVault resource produces the following output properties:
Look up Existing KeyVault Resource
Get an existing KeyVault resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: KeyVaultState, opts?: CustomResourceOptions): KeyVault
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
access_policies: Optional[Sequence[KeyVaultAccessPolicyArgs]] = None,
contacts: Optional[Sequence[KeyVaultContactArgs]] = None,
enable_rbac_authorization: Optional[bool] = None,
enabled_for_deployment: Optional[bool] = None,
enabled_for_disk_encryption: Optional[bool] = None,
enabled_for_template_deployment: Optional[bool] = None,
location: Optional[str] = None,
name: Optional[str] = None,
network_acls: Optional[KeyVaultNetworkAclsArgs] = None,
public_network_access_enabled: Optional[bool] = None,
purge_protection_enabled: Optional[bool] = None,
resource_group_name: Optional[str] = None,
sku_name: Optional[str] = None,
soft_delete_retention_days: Optional[int] = None,
tags: Optional[Mapping[str, str]] = None,
tenant_id: Optional[str] = None,
vault_uri: Optional[str] = None) -> KeyVault
func GetKeyVault(ctx *Context, name string, id IDInput, state *KeyVaultState, opts ...ResourceOption) (*KeyVault, error)
public static KeyVault Get(string name, Input<string> id, KeyVaultState? state, CustomResourceOptions? opts = null)
public static KeyVault get(String name, Output<String> id, KeyVaultState state, CustomResourceOptions options)
resources: _: type: azure:keyvault:KeyVault get: id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- AccessPolicies List<KeyVaultAccessPolicy>
- A list of up to 1024 objects describing access policies, as described below.
  NOTE: Since `access_policy` can be configured both inline and via the separate `azure.keyvault.AccessPolicy` resource, it has to be explicitly set to an empty slice (`[]`) to remove it (omitting the block is not enough).
- Contacts List<KeyVaultContact>
- EnableRbacAuthorization bool
- Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
- EnabledForDeployment bool
- Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
- EnabledForDiskEncryption bool
- Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
- EnabledForTemplateDeployment bool
- Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
- Location string
- Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
- Name string
- Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
- NetworkAcls KeyVaultNetworkAcls
- A `network_acls` block as defined below.
- PublicNetworkAccessEnabled bool
- Whether public network access is allowed for this Key Vault. Defaults to `true`, so public access stays allowed unless this is explicitly set to `false`.
- PurgeProtectionEnabled bool
- Is Purge Protection enabled for this Key Vault?
  Note: Once Purge Protection has been enabled it is not possible to disable it. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled only schedules the deletion, which Azure carries out after the configured number of days (currently 90 days).
- ResourceGroupName string
- The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
- SkuName string
- The Name of the SKU used for this Key Vault. Possible values are `standard` and `premium`.
- SoftDeleteRetentionDays int
- The number of days that items should be retained for once soft-deleted. This value can be between `7` and `90` (the default) days.
  Note: This field can only be configured one time and cannot be updated.
- Dictionary<string, string>
- A mapping of tags to assign to the resource.
- Tenant
Id string - The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- Vault
Uri string - The URI of the Key Vault, used for performing operations on keys and secrets.
- AccessPolicies []KeyVaultAccessPolicyArgs
- A list of up to 1024 objects describing access policies, as described below.
  NOTE: Since `access_policy` can be configured both inline and via the separate `azure.keyvault.AccessPolicy` resource, it has to be explicitly set to an empty slice (`[]`) to remove it (omitting the block is not enough).
- Contacts []KeyVaultContactArgs
- EnableRbacAuthorization bool
- Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
- EnabledForDeployment bool
- Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
- EnabledForDiskEncryption bool
- Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
- EnabledForTemplateDeployment bool
- Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
- Location string
- Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
- Name string
- Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
- NetworkAcls KeyVaultNetworkAclsArgs
- A `network_acls` block as defined below.
- PublicNetworkAccessEnabled bool
- Whether public network access is allowed for this Key Vault. Defaults to `true`, so public access stays allowed unless this is explicitly set to `false`.
- PurgeProtectionEnabled bool
- Is Purge Protection enabled for this Key Vault?
  Note: Once Purge Protection has been enabled it is not possible to disable it. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled only schedules the deletion, which Azure carries out after the configured number of days (currently 90 days).
- ResourceGroupName string
- The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
- SkuName string
- The Name of the SKU used for this Key Vault. Possible values are `standard` and `premium`.
- SoftDeleteRetentionDays int
- The number of days that items should be retained for once soft-deleted. This value can be between `7` and `90` (the default) days.
  Note: This field can only be configured one time and cannot be updated.
- map[string]string
- A mapping of tags to assign to the resource.
- Tenant
Id string - The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- Vault
Uri string - The URI of the Key Vault, used for performing operations on keys and secrets.
- accessPolicies List<KeyVaultAccessPolicy>
- A list of up to 1024 objects describing access policies, as described below.
  NOTE: Since `access_policy` can be configured both inline and via the separate `azure.keyvault.AccessPolicy` resource, it has to be explicitly set to an empty slice (`[]`) to remove it (omitting the block is not enough).
- contacts List<KeyVaultContact>
- enableRbacAuthorization Boolean
- Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
- enabledForDeployment Boolean
- Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
- enabledForDiskEncryption Boolean
- Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
- enabledForTemplateDeployment Boolean
- Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
- location String
- Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
- name String
- Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
- networkAcls KeyVaultNetworkAcls
- A `network_acls` block as defined below.
- publicNetworkAccessEnabled Boolean
- Whether public network access is allowed for this Key Vault. Defaults to `true`, so public access stays allowed unless this is explicitly set to `false`.
- purgeProtectionEnabled Boolean
- Is Purge Protection enabled for this Key Vault?
  Note: Once Purge Protection has been enabled it is not possible to disable it. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled only schedules the deletion, which Azure carries out after the configured number of days (currently 90 days).
- resourceGroupName String
- The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
- skuName String
- The Name of the SKU used for this Key Vault. Possible values are `standard` and `premium`.
- softDeleteRetentionDays Integer
- The number of days that items should be retained for once soft-deleted. This value can be between `7` and `90` (the default) days.
  Note: This field can only be configured one time and cannot be updated.
- Map<String,String>
- A mapping of tags to assign to the resource.
- tenant
Id String - The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- vault
Uri String - The URI of the Key Vault, used for performing operations on keys and secrets.
- accessPolicies KeyVaultAccessPolicy[]
- A list of up to 1024 objects describing access policies, as described below.
  NOTE: Since `access_policy` can be configured both inline and via the separate `azure.keyvault.AccessPolicy` resource, it has to be explicitly set to an empty slice (`[]`) to remove it (omitting the block is not enough).
- contacts KeyVaultContact[]
- enableRbacAuthorization boolean
- Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
- enabledForDeployment boolean
- Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
- enabledForDiskEncryption boolean
- Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
- enabledForTemplateDeployment boolean
- Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
- location string
- Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
- name string
- Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
- networkAcls KeyVaultNetworkAcls
- A `network_acls` block as defined below.
- publicNetworkAccessEnabled boolean
- Whether public network access is allowed for this Key Vault. Defaults to `true`, so public access stays allowed unless this is explicitly set to `false`.
- purgeProtectionEnabled boolean
- Is Purge Protection enabled for this Key Vault?
  Note: Once Purge Protection has been enabled it is not possible to disable it. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled only schedules the deletion, which Azure carries out after the configured number of days (currently 90 days).
- resourceGroupName string
- The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
- skuName string
- The Name of the SKU used for this Key Vault. Possible values are `standard` and `premium`.
- softDeleteRetentionDays number
- The number of days that items should be retained for once soft-deleted. This value can be between `7` and `90` (the default) days.
  Note: This field can only be configured one time and cannot be updated.
- {[key: string]: string}
- A mapping of tags to assign to the resource.
- tenant
Id string - The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- vault
Uri string - The URI of the Key Vault, used for performing operations on keys and secrets.
- access_policies Sequence[KeyVaultAccessPolicyArgs]
- A list of up to 1024 objects describing access policies, as described below.
  NOTE: Since `access_policy` can be configured both inline and via the separate `azure.keyvault.AccessPolicy` resource, it has to be explicitly set to an empty slice (`[]`) to remove it (omitting the block is not enough).
- contacts Sequence[KeyVaultContactArgs]
- enable_rbac_authorization bool
- Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
- enabled_for_deployment bool
- Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
- enabled_for_disk_encryption bool
- Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
- enabled_for_template_deployment bool
- Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
- location str
- Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
- name str
- Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
- network_acls KeyVaultNetworkAclsArgs
- A `network_acls` block as defined below.
- public_network_access_enabled bool
- Whether public network access is allowed for this Key Vault. Defaults to `true`, so public access stays allowed unless this is explicitly set to `false`.
- purge_protection_enabled bool
- Is Purge Protection enabled for this Key Vault?
  Note: Once Purge Protection has been enabled it is not possible to disable it. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled only schedules the deletion, which Azure carries out after the configured number of days (currently 90 days).
- resource_group_name str
- The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
- sku_name str
- The Name of the SKU used for this Key Vault. Possible values are `standard` and `premium`.
- soft_delete_retention_days int
- The number of days that items should be retained for once soft-deleted. This value can be between `7` and `90` (the default) days.
  Note: This field can only be configured one time and cannot be updated.
- Mapping[str, str]
- A mapping of tags to assign to the resource.
- tenant_
id str - The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- vault_
uri str - The URI of the Key Vault, used for performing operations on keys and secrets.
- accessPolicies List<Property Map>
- A list of up to 1024 objects describing access policies, as described below.
  NOTE: Since `access_policy` can be configured both inline and via the separate `azure.keyvault.AccessPolicy` resource, it has to be explicitly set to an empty slice (`[]`) to remove it (omitting the block is not enough).
- contacts List<Property Map>
- enableRbacAuthorization Boolean
- Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
- enabledForDeployment Boolean
- Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
- enabledForDiskEncryption Boolean
- Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
- enabledForTemplateDeployment Boolean
- Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
- location String
- Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
- name String
- Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
- networkAcls Property Map
- A `network_acls` block as defined below.
- publicNetworkAccessEnabled Boolean
- Whether public network access is allowed for this Key Vault. Defaults to `true`, so public access stays allowed unless this is explicitly set to `false`.
- purgeProtectionEnabled Boolean
- Is Purge Protection enabled for this Key Vault?
  Note: Once Purge Protection has been enabled it is not possible to disable it. Support for disabling purge protection is being tracked in this Azure API issue. Deleting a Key Vault that has Purge Protection enabled only schedules the deletion, which Azure carries out after the configured number of days (currently 90 days).
- resourceGroupName String
- The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
- skuName String
- The Name of the SKU used for this Key Vault. Possible values are `standard` and `premium`.
- softDeleteRetentionDays Number
- The number of days that items should be retained for once soft-deleted. This value can be between `7` and `90` (the default) days.
  Note: This field can only be configured one time and cannot be updated.
- Map<String>
- A mapping of tags to assign to the resource.
- tenant
Id String - The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- vault
Uri String - The URI of the Key Vault, used for performing operations on keys and secrets.
Supporting Types
KeyVaultAccessPolicy, KeyVaultAccessPolicyArgs
- ObjectId string
- The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
- TenantId string
- The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the `tenant_id` used above.
- ApplicationId string
- The object ID of an Application in Azure Active Directory.
- CertificatePermissions List<string>
- List of certificate permissions, must be one or more from the following: `Backup`, `Create`, `Delete`, `DeleteIssuers`, `Get`, `GetIssuers`, `Import`, `List`, `ListIssuers`, `ManageContacts`, `ManageIssuers`, `Purge`, `Recover`, `Restore`, `SetIssuers` and `Update`.
- KeyPermissions List<string>
- List of key permissions. Possible values are `Backup`, `Create`, `Decrypt`, `Delete`, `Encrypt`, `Get`, `Import`, `List`, `Purge`, `Recover`, `Restore`, `Sign`, `UnwrapKey`, `Update`, `Verify`, `WrapKey`, `Release`, `Rotate`, `GetRotationPolicy` and `SetRotationPolicy`.
- SecretPermissions List<string>
- List of secret permissions, must be one or more from the following: `Backup`, `Delete`, `Get`, `List`, `Purge`, `Recover`, `Restore` and `Set`.
- StoragePermissions List<string>
- List of storage permissions, must be one or more from the following: `Backup`, `Delete`, `DeleteSAS`, `Get`, `GetSAS`, `List`, `ListSAS`, `Purge`, `Recover`, `RegenerateKey`, `Restore`, `Set`, `SetSAS` and `Update`.
- ObjectId string
- The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
- TenantId string
- The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the `tenant_id` used above.
- ApplicationId string
- The object ID of an Application in Azure Active Directory.
- CertificatePermissions []string
- List of certificate permissions, must be one or more from the following: `Backup`, `Create`, `Delete`, `DeleteIssuers`, `Get`, `GetIssuers`, `Import`, `List`, `ListIssuers`, `ManageContacts`, `ManageIssuers`, `Purge`, `Recover`, `Restore`, `SetIssuers` and `Update`.
- KeyPermissions []string
- List of key permissions. Possible values are `Backup`, `Create`, `Decrypt`, `Delete`, `Encrypt`, `Get`, `Import`, `List`, `Purge`, `Recover`, `Restore`, `Sign`, `UnwrapKey`, `Update`, `Verify`, `WrapKey`, `Release`, `Rotate`, `GetRotationPolicy` and `SetRotationPolicy`.
- SecretPermissions []string
- List of secret permissions, must be one or more from the following: `Backup`, `Delete`, `Get`, `List`, `Purge`, `Recover`, `Restore` and `Set`.
- StoragePermissions []string
- List of storage permissions, must be one or more from the following: `Backup`, `Delete`, `DeleteSAS`, `Get`, `GetSAS`, `List`, `ListSAS`, `Purge`, `Recover`, `RegenerateKey`, `Restore`, `Set`, `SetSAS` and `Update`.
- objectId String
- The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
- tenantId String
- The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the `tenant_id` used above.
- applicationId String
- The object ID of an Application in Azure Active Directory.
- certificatePermissions List<String>
- List of certificate permissions, must be one or more from the following: `Backup`, `Create`, `Delete`, `DeleteIssuers`, `Get`, `GetIssuers`, `Import`, `List`, `ListIssuers`, `ManageContacts`, `ManageIssuers`, `Purge`, `Recover`, `Restore`, `SetIssuers` and `Update`.
- keyPermissions List<String>
- List of key permissions. Possible values are `Backup`, `Create`, `Decrypt`, `Delete`, `Encrypt`, `Get`, `Import`, `List`, `Purge`, `Recover`, `Restore`, `Sign`, `UnwrapKey`, `Update`, `Verify`, `WrapKey`, `Release`, `Rotate`, `GetRotationPolicy` and `SetRotationPolicy`.
- secretPermissions List<String>
- List of secret permissions, must be one or more from the following: `Backup`, `Delete`, `Get`, `List`, `Purge`, `Recover`, `Restore` and `Set`.
- storagePermissions List<String>
- List of storage permissions, must be one or more from the following: `Backup`, `Delete`, `DeleteSAS`, `Get`, `GetSAS`, `List`, `ListSAS`, `Purge`, `Recover`, `RegenerateKey`, `Restore`, `Set`, `SetSAS` and `Update`.
- objectId string
- The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
- tenantId string
- The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the `tenant_id` used above.
- applicationId string
- The object ID of an Application in Azure Active Directory.
- certificatePermissions string[]
- List of certificate permissions, must be one or more from the following: `Backup`, `Create`, `Delete`, `DeleteIssuers`, `Get`, `GetIssuers`, `Import`, `List`, `ListIssuers`, `ManageContacts`, `ManageIssuers`, `Purge`, `Recover`, `Restore`, `SetIssuers` and `Update`.
- keyPermissions string[]
- List of key permissions. Possible values are `Backup`, `Create`, `Decrypt`, `Delete`, `Encrypt`, `Get`, `Import`, `List`, `Purge`, `Recover`, `Restore`, `Sign`, `UnwrapKey`, `Update`, `Verify`, `WrapKey`, `Release`, `Rotate`, `GetRotationPolicy` and `SetRotationPolicy`.
- secretPermissions string[]
- List of secret permissions, must be one or more from the following: `Backup`, `Delete`, `Get`, `List`, `Purge`, `Recover`, `Restore` and `Set`.
- storagePermissions string[]
- List of storage permissions, must be one or more from the following: `Backup`, `Delete`, `DeleteSAS`, `Get`, `GetSAS`, `List`, `ListSAS`, `Purge`, `Recover`, `RegenerateKey`, `Restore`, `Set`, `SetSAS` and `Update`.
- object_id str
- The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
- tenant_id str
- The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the `tenant_id` used above.
- application_id str
- The object ID of an Application in Azure Active Directory.
- certificate_permissions Sequence[str]
- List of certificate permissions, must be one or more from the following: `Backup`, `Create`, `Delete`, `DeleteIssuers`, `Get`, `GetIssuers`, `Import`, `List`, `ListIssuers`, `ManageContacts`, `ManageIssuers`, `Purge`, `Recover`, `Restore`, `SetIssuers` and `Update`.
- key_permissions Sequence[str]
- List of key permissions. Possible values are `Backup`, `Create`, `Decrypt`, `Delete`, `Encrypt`, `Get`, `Import`, `List`, `Purge`, `Recover`, `Restore`, `Sign`, `UnwrapKey`, `Update`, `Verify`, `WrapKey`, `Release`, `Rotate`, `GetRotationPolicy` and `SetRotationPolicy`.
- secret_permissions Sequence[str]
- List of secret permissions, must be one or more from the following: `Backup`, `Delete`, `Get`, `List`, `Purge`, `Recover`, `Restore` and `Set`.
- storage_permissions Sequence[str]
- List of storage permissions, must be one or more from the following: `Backup`, `Delete`, `DeleteSAS`, `Get`, `GetSAS`, `List`, `ListSAS`, `Purge`, `Recover`, `RegenerateKey`, `Restore`, `Set`, `SetSAS` and `Update`.
- objectId String
- The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
- tenantId String
- The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the `tenant_id` used above.
- applicationId String
- The object ID of an Application in Azure Active Directory.
- certificatePermissions List<String>
- List of certificate permissions, must be one or more from the following: `Backup`, `Create`, `Delete`, `DeleteIssuers`, `Get`, `GetIssuers`, `Import`, `List`, `ListIssuers`, `ManageContacts`, `ManageIssuers`, `Purge`, `Recover`, `Restore`, `SetIssuers` and `Update`.
- keyPermissions List<String>
- List of key permissions. Possible values are `Backup`, `Create`, `Decrypt`, `Delete`, `Encrypt`, `Get`, `Import`, `List`, `Purge`, `Recover`, `Restore`, `Sign`, `UnwrapKey`, `Update`, `Verify`, `WrapKey`, `Release`, `Rotate`, `GetRotationPolicy` and `SetRotationPolicy`.
- secretPermissions List<String>
- List of secret permissions, must be one or more from the following: `Backup`, `Delete`, `Get`, `List`, `Purge`, `Recover`, `Restore` and `Set`.
- storagePermissions List<String>
- List of storage permissions, must be one or more from the following: `Backup`, `Delete`, `DeleteSAS`, `Get`, `GetSAS`, `List`, `ListSAS`, `Purge`, `Recover`, `RegenerateKey`, `Restore`, `Set`, `SetSAS` and `Update`.
KeyVaultContact, KeyVaultContactArgs
KeyVaultNetworkAcls, KeyVaultNetworkAclsArgs
- Bypass string
- Specifies which traffic can bypass the network rules. Possible values are `AzureServices` and `None`.
- DefaultAction string
- The Default Action to use when no rules match from `ip_rules` / `virtual_network_subnet_ids`. Possible values are `Allow` and `Deny`. With `Allow`, requests that match no rule are still admitted, so the rules only restrict access when this is `Deny`.
- IpRules List<string>
- One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
- VirtualNetworkSubnetIds List<string>
- One or more Subnet IDs which should be able to access this Key Vault.
- Bypass string
- Specifies which traffic can bypass the network rules. Possible values are `AzureServices` and `None`.
- DefaultAction string
- The Default Action to use when no rules match from `ip_rules` / `virtual_network_subnet_ids`. Possible values are `Allow` and `Deny`. With `Allow`, requests that match no rule are still admitted, so the rules only restrict access when this is `Deny`.
- IpRules []string
- One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
- VirtualNetworkSubnetIds []string
- One or more Subnet IDs which should be able to access this Key Vault.
- bypass String
- Specifies which traffic can bypass the network rules. Possible values are `AzureServices` and `None`.
- defaultAction String
- The Default Action to use when no rules match from `ip_rules` / `virtual_network_subnet_ids`. Possible values are `Allow` and `Deny`. With `Allow`, requests that match no rule are still admitted, so the rules only restrict access when this is `Deny`.
- ipRules List<String>
- One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
- virtualNetworkSubnetIds List<String>
- One or more Subnet IDs which should be able to access this Key Vault.
- bypass string
- Specifies which traffic can bypass the network rules. Possible values are `AzureServices` and `None`.
- defaultAction string
- The Default Action to use when no rules match from `ip_rules` / `virtual_network_subnet_ids`. Possible values are `Allow` and `Deny`. With `Allow`, requests that match no rule are still admitted, so the rules only restrict access when this is `Deny`.
- ipRules string[]
- One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
- virtualNetworkSubnetIds string[]
- One or more Subnet IDs which should be able to access this Key Vault.
- bypass str
- Specifies which traffic can bypass the network rules. Possible values are `AzureServices` and `None`.
- default_action str
- The Default Action to use when no rules match from `ip_rules` / `virtual_network_subnet_ids`. Possible values are `Allow` and `Deny`. With `Allow`, requests that match no rule are still admitted, so the rules only restrict access when this is `Deny`.
- ip_rules Sequence[str]
- One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
- virtual_network_subnet_ids Sequence[str]
- One or more Subnet IDs which should be able to access this Key Vault.
- bypass String
- Specifies which traffic can bypass the network rules. Possible values are `AzureServices` and `None`.
- defaultAction String
- The Default Action to use when no rules match from `ip_rules` / `virtual_network_subnet_ids`. Possible values are `Allow` and `Deny`. With `Allow`, requests that match no rule are still admitted, so the rules only restrict access when this is `Deny`.
- ipRules List<String>
- One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
- virtualNetworkSubnetIds List<String>
- One or more Subnet IDs which should be able to access this Key Vault.
Import
Key Vaults can be imported using the `resource id`, e.g.
$ pulumi import azure:keyvault/keyVault:KeyVault example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/vault1
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Classic pulumi/pulumi-azure
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the `azurerm` Terraform Provider.