azure.keyvault.KeyVault (v4)

Azure v4.42.0 (4.x), Mar 9 26

We recommend using Azure Native.

Viewing docs for Azure v4.42.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi

Go to latest version

Schema (JSON)

pulumi/pulumi-azure

We recommend using Azure Native.

Viewing docs for Azure v4.42.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi

Go to latest version

Schema (JSON)

pulumi/pulumi-azure

Disclaimers

Note: It’s possible to define Key Vault Access Policies both within the azure.keyvault.KeyVault resource via the access_policy block and by using the azure.keyvault.AccessPolicy resource. However it’s not possible to use both methods to manage Access Policies within a KeyVault, since there’ll be conflicts.

Note: This provider will automatically recover a soft-deleted Key Vault during Creation if one is found - you can opt out of this using the features configuration within the Provider configuration block.

Example Usage

using Pulumi;
using Azure = Pulumi.Azure;

class MyStack : Stack
{
    public MyStack()
    {
        var current = Output.Create(Azure.Core.GetClientConfig.InvokeAsync());
        var exampleResourceGroup = new Azure.Core.ResourceGroup("exampleResourceGroup", new Azure.Core.ResourceGroupArgs
        {
            Location = "West Europe",
        });
        var exampleKeyVault = new Azure.KeyVault.KeyVault("exampleKeyVault", new Azure.KeyVault.KeyVaultArgs
        {
            Location = exampleResourceGroup.Location,
            ResourceGroupName = exampleResourceGroup.Name,
            EnabledForDiskEncryption = true,
            TenantId = current.Apply(current => current.TenantId),
            SoftDeleteRetentionDays = 7,
            PurgeProtectionEnabled = false,
            SkuName = "standard",
            AccessPolicies = 
            {
                new Azure.KeyVault.Inputs.KeyVaultAccessPolicyArgs
                {
                    TenantId = current.Apply(current => current.TenantId),
                    ObjectId = current.Apply(current => current.ObjectId),
                    KeyPermissions = 
                    {
                        "Get",
                    },
                    SecretPermissions = 
                    {
                        "Get",
                    },
                    StoragePermissions = 
                    {
                        "Get",
                    },
                },
            },
        });
    }

}

package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v4/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v4/go/azure/keyvault"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := core.GetClientConfig(ctx, nil, nil)
		if err != nil {
			return err
		}
		exampleResourceGroup, err := core.NewResourceGroup(ctx, "exampleResourceGroup", &core.ResourceGroupArgs{
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}
		_, err = keyvault.NewKeyVault(ctx, "exampleKeyVault", &keyvault.KeyVaultArgs{
			Location:                 exampleResourceGroup.Location,
			ResourceGroupName:        exampleResourceGroup.Name,
			EnabledForDiskEncryption: pulumi.Bool(true),
			TenantId:                 pulumi.String(current.TenantId),
			SoftDeleteRetentionDays:  pulumi.Int(7),
			PurgeProtectionEnabled:   pulumi.Bool(false),
			SkuName:                  pulumi.String("standard"),
			AccessPolicies: keyvault.KeyVaultAccessPolicyArray{
				&keyvault.KeyVaultAccessPolicyArgs{
					TenantId: pulumi.String(current.TenantId),
					ObjectId: pulumi.String(current.ObjectId),
					KeyPermissions: pulumi.StringArray{
						pulumi.String("Get"),
					},
					SecretPermissions: pulumi.StringArray{
						pulumi.String("Get"),
					},
					StoragePermissions: pulumi.StringArray{
						pulumi.String("Get"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

Example coming soon!

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const current = azure.core.getClientConfig({});
const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West Europe"});
const exampleKeyVault = new azure.keyvault.KeyVault("exampleKeyVault", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    enabledForDiskEncryption: true,
    tenantId: current.then(current => current.tenantId),
    softDeleteRetentionDays: 7,
    purgeProtectionEnabled: false,
    skuName: "standard",
    accessPolicies: [{
        tenantId: current.then(current => current.tenantId),
        objectId: current.then(current => current.objectId),
        keyPermissions: ["Get"],
        secretPermissions: ["Get"],
        storagePermissions: ["Get"],
    }],
});

import pulumi
import pulumi_azure as azure

current = azure.core.get_client_config()
example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West Europe")
example_key_vault = azure.keyvault.KeyVault("exampleKeyVault",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    enabled_for_disk_encryption=True,
    tenant_id=current.tenant_id,
    soft_delete_retention_days=7,
    purge_protection_enabled=False,
    sku_name="standard",
    access_policies=[azure.keyvault.KeyVaultAccessPolicyArgs(
        tenant_id=current.tenant_id,
        object_id=current.object_id,
        key_permissions=["Get"],
        secret_permissions=["Get"],
        storage_permissions=["Get"],
    )])

Example coming soon!

Create KeyVault Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new KeyVault(name: string, args: KeyVaultArgs, opts?: CustomResourceOptions);

@overload
def KeyVault(resource_name: str,
             args: KeyVaultArgs,
             opts: Optional[ResourceOptions] = None)

@overload
def KeyVault(resource_name: str,
             opts: Optional[ResourceOptions] = None,
             resource_group_name: Optional[str] = None,
             tenant_id: Optional[str] = None,
             sku_name: Optional[str] = None,
             network_acls: Optional[KeyVaultNetworkAclsArgs] = None,
             enabled_for_disk_encryption: Optional[bool] = None,
             enabled_for_template_deployment: Optional[bool] = None,
             location: Optional[str] = None,
             name: Optional[str] = None,
             access_policies: Optional[Sequence[KeyVaultAccessPolicyArgs]] = None,
             purge_protection_enabled: Optional[bool] = None,
             enabled_for_deployment: Optional[bool] = None,
             enable_rbac_authorization: Optional[bool] = None,
             soft_delete_enabled: Optional[bool] = None,
             soft_delete_retention_days: Optional[int] = None,
             tags: Optional[Mapping[str, str]] = None,
             contacts: Optional[Sequence[KeyVaultContactArgs]] = None)

func NewKeyVault(ctx *Context, name string, args KeyVaultArgs, opts ...ResourceOption) (*KeyVault, error)

public KeyVault(string name, KeyVaultArgs args, CustomResourceOptions? opts = null)

public KeyVault(String name, KeyVaultArgs args)
public KeyVault(String name, KeyVaultArgs args, CustomResourceOptions options)

type: azure:keyvault:KeyVault
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args KeyVaultArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args KeyVaultArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args KeyVaultArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args KeyVaultArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args KeyVaultArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var keyVaultResource = new Azure.KeyVault.KeyVault("keyVaultResource", new()
{
    ResourceGroupName = "string",
    TenantId = "string",
    SkuName = "string",
    NetworkAcls = new Azure.KeyVault.Inputs.KeyVaultNetworkAclsArgs
    {
        Bypass = "string",
        DefaultAction = "string",
        IpRules = new[]
        {
            "string",
        },
        VirtualNetworkSubnetIds = new[]
        {
            "string",
        },
    },
    EnabledForDiskEncryption = false,
    EnabledForTemplateDeployment = false,
    Location = "string",
    Name = "string",
    AccessPolicies = new[]
    {
        new Azure.KeyVault.Inputs.KeyVaultAccessPolicyArgs
        {
            ObjectId = "string",
            TenantId = "string",
            ApplicationId = "string",
            CertificatePermissions = new[]
            {
                "string",
            },
            KeyPermissions = new[]
            {
                "string",
            },
            SecretPermissions = new[]
            {
                "string",
            },
            StoragePermissions = new[]
            {
                "string",
            },
        },
    },
    PurgeProtectionEnabled = false,
    EnabledForDeployment = false,
    EnableRbacAuthorization = false,
    SoftDeleteRetentionDays = 0,
    Tags = 
    {
        { "string", "string" },
    },
    Contacts = new[]
    {
        new Azure.KeyVault.Inputs.KeyVaultContactArgs
        {
            Email = "string",
            Name = "string",
            Phone = "string",
        },
    },
});

example, err := keyvault.NewKeyVault(ctx, "keyVaultResource", &keyvault.KeyVaultArgs{
	ResourceGroupName: pulumi.String("string"),
	TenantId:          pulumi.String("string"),
	SkuName:           pulumi.String("string"),
	NetworkAcls: &keyvault.KeyVaultNetworkAclsArgs{
		Bypass:        pulumi.String("string"),
		DefaultAction: pulumi.String("string"),
		IpRules: pulumi.StringArray{
			pulumi.String("string"),
		},
		VirtualNetworkSubnetIds: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	EnabledForDiskEncryption:     pulumi.Bool(false),
	EnabledForTemplateDeployment: pulumi.Bool(false),
	Location:                     pulumi.String("string"),
	Name:                         pulumi.String("string"),
	AccessPolicies: keyvault.KeyVaultAccessPolicyArray{
		&keyvault.KeyVaultAccessPolicyArgs{
			ObjectId:      pulumi.String("string"),
			TenantId:      pulumi.String("string"),
			ApplicationId: pulumi.String("string"),
			CertificatePermissions: pulumi.StringArray{
				pulumi.String("string"),
			},
			KeyPermissions: pulumi.StringArray{
				pulumi.String("string"),
			},
			SecretPermissions: pulumi.StringArray{
				pulumi.String("string"),
			},
			StoragePermissions: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	PurgeProtectionEnabled:  pulumi.Bool(false),
	EnabledForDeployment:    pulumi.Bool(false),
	EnableRbacAuthorization: pulumi.Bool(false),
	SoftDeleteRetentionDays: pulumi.Int(0),
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	Contacts: keyvault.KeyVaultContactArray{
		&keyvault.KeyVaultContactArgs{
			Email: pulumi.String("string"),
			Name:  pulumi.String("string"),
			Phone: pulumi.String("string"),
		},
	},
})

var keyVaultResource = new KeyVault("keyVaultResource", KeyVaultArgs.builder()
    .resourceGroupName("string")
    .tenantId("string")
    .skuName("string")
    .networkAcls(KeyVaultNetworkAclsArgs.builder()
        .bypass("string")
        .defaultAction("string")
        .ipRules("string")
        .virtualNetworkSubnetIds("string")
        .build())
    .enabledForDiskEncryption(false)
    .enabledForTemplateDeployment(false)
    .location("string")
    .name("string")
    .accessPolicies(KeyVaultAccessPolicyArgs.builder()
        .objectId("string")
        .tenantId("string")
        .applicationId("string")
        .certificatePermissions("string")
        .keyPermissions("string")
        .secretPermissions("string")
        .storagePermissions("string")
        .build())
    .purgeProtectionEnabled(false)
    .enabledForDeployment(false)
    .enableRbacAuthorization(false)
    .softDeleteRetentionDays(0)
    .tags(Map.of("string", "string"))
    .contacts(KeyVaultContactArgs.builder()
        .email("string")
        .name("string")
        .phone("string")
        .build())
    .build());

key_vault_resource = azure.keyvault.KeyVault("keyVaultResource",
    resource_group_name="string",
    tenant_id="string",
    sku_name="string",
    network_acls={
        "bypass": "string",
        "default_action": "string",
        "ip_rules": ["string"],
        "virtual_network_subnet_ids": ["string"],
    },
    enabled_for_disk_encryption=False,
    enabled_for_template_deployment=False,
    location="string",
    name="string",
    access_policies=[{
        "object_id": "string",
        "tenant_id": "string",
        "application_id": "string",
        "certificate_permissions": ["string"],
        "key_permissions": ["string"],
        "secret_permissions": ["string"],
        "storage_permissions": ["string"],
    }],
    purge_protection_enabled=False,
    enabled_for_deployment=False,
    enable_rbac_authorization=False,
    soft_delete_retention_days=0,
    tags={
        "string": "string",
    },
    contacts=[{
        "email": "string",
        "name": "string",
        "phone": "string",
    }])

const keyVaultResource = new azure.keyvault.KeyVault("keyVaultResource", {
    resourceGroupName: "string",
    tenantId: "string",
    skuName: "string",
    networkAcls: {
        bypass: "string",
        defaultAction: "string",
        ipRules: ["string"],
        virtualNetworkSubnetIds: ["string"],
    },
    enabledForDiskEncryption: false,
    enabledForTemplateDeployment: false,
    location: "string",
    name: "string",
    accessPolicies: [{
        objectId: "string",
        tenantId: "string",
        applicationId: "string",
        certificatePermissions: ["string"],
        keyPermissions: ["string"],
        secretPermissions: ["string"],
        storagePermissions: ["string"],
    }],
    purgeProtectionEnabled: false,
    enabledForDeployment: false,
    enableRbacAuthorization: false,
    softDeleteRetentionDays: 0,
    tags: {
        string: "string",
    },
    contacts: [{
        email: "string",
        name: "string",
        phone: "string",
    }],
});

type: azure:keyvault:KeyVault
properties:
    accessPolicies:
        - applicationId: string
          certificatePermissions:
            - string
          keyPermissions:
            - string
          objectId: string
          secretPermissions:
            - string
          storagePermissions:
            - string
          tenantId: string
    contacts:
        - email: string
          name: string
          phone: string
    enableRbacAuthorization: false
    enabledForDeployment: false
    enabledForDiskEncryption: false
    enabledForTemplateDeployment: false
    location: string
    name: string
    networkAcls:
        bypass: string
        defaultAction: string
        ipRules:
            - string
        virtualNetworkSubnetIds:
            - string
    purgeProtectionEnabled: false
    resourceGroupName: string
    skuName: string
    softDeleteRetentionDays: 0
    tags:
        string: string
    tenantId: string

KeyVault Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The KeyVault resource accepts the following input properties:

ResourceGroupName string: The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
SkuName string: The Name of the SKU used for this Key Vault. Possible values are standard and premium.
TenantId string: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
AccessPolicies List<KeyVaultAccessPolicy>: A list of up to 16 objects describing access policies, as described below.
Contacts List<KeyVaultContact>: One or more contact block as defined below.
EnableRbacAuthorization bool: Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. Defaults to false.
EnabledForDeployment bool: Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.
EnabledForDiskEncryption bool: Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.
EnabledForTemplateDeployment bool: Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.
Location string: Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
Name string: Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unqiue. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
NetworkAcls KeyVaultNetworkAcls: A network_acls block as defined below.
PurgeProtectionEnabled bool: Is Purge Protection enabled for this Key Vault? Defaults to false.
SoftDeleteEnabled bool: Deprecated: Azure has removed support for disabling Soft Delete as of 2020-12-15, as such this field is no longer configurable and can be safely removed. This field will be removed in version 3.0 of the Azure Provider.
SoftDeleteRetentionDays int: The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.
Tags Dictionary<string, string>: A mapping of tags to assign to the resource.

ResourceGroupName string: The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
SkuName string: The Name of the SKU used for this Key Vault. Possible values are standard and premium.
TenantId string: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
AccessPolicies []KeyVaultAccessPolicyArgs: A list of up to 16 objects describing access policies, as described below.
Contacts []KeyVaultContactArgs: One or more contact block as defined below.
EnableRbacAuthorization bool: Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. Defaults to false.
EnabledForDeployment bool: Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.
EnabledForDiskEncryption bool: Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.
EnabledForTemplateDeployment bool: Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.
Location string: Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
Name string: Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unqiue. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
NetworkAcls KeyVaultNetworkAclsArgs: A network_acls block as defined below.
PurgeProtectionEnabled bool: Is Purge Protection enabled for this Key Vault? Defaults to false.
SoftDeleteEnabled bool: Deprecated: Azure has removed support for disabling Soft Delete as of 2020-12-15, as such this field is no longer configurable and can be safely removed. This field will be removed in version 3.0 of the Azure Provider.
SoftDeleteRetentionDays int: The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.
Tags map[string]string: A mapping of tags to assign to the resource.

resourceGroupName String: The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
skuName String: The Name of the SKU used for this Key Vault. Possible values are standard and premium.
tenantId String: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
accessPolicies List<KeyVaultAccessPolicy>: A list of up to 16 objects describing access policies, as described below.
contacts List<KeyVaultContact>: One or more contact block as defined below.
enableRbacAuthorization Boolean: Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. Defaults to false.
enabledForDeployment Boolean: Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.
enabledForDiskEncryption Boolean: Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.
enabledForTemplateDeployment Boolean: Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.
location String: Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
name String: Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unqiue. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
networkAcls KeyVaultNetworkAcls: A network_acls block as defined below.
purgeProtectionEnabled Boolean: Is Purge Protection enabled for this Key Vault? Defaults to false.
softDeleteEnabled Boolean: Deprecated: Azure has removed support for disabling Soft Delete as of 2020-12-15, as such this field is no longer configurable and can be safely removed. This field will be removed in version 3.0 of the Azure Provider.
softDeleteRetentionDays Integer: The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.
tags Map<String,String>: A mapping of tags to assign to the resource.

resourceGroupName string: The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
skuName string: The Name of the SKU used for this Key Vault. Possible values are standard and premium.
tenantId string: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
accessPolicies KeyVaultAccessPolicy[]: A list of up to 16 objects describing access policies, as described below.
contacts KeyVaultContact[]: One or more contact block as defined below.
enableRbacAuthorization boolean: Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. Defaults to false.
enabledForDeployment boolean: Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.
enabledForDiskEncryption boolean: Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.
enabledForTemplateDeployment boolean: Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.
location string: Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
name string: Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unqiue. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
networkAcls KeyVaultNetworkAcls: A network_acls block as defined below.
purgeProtectionEnabled boolean: Is Purge Protection enabled for this Key Vault? Defaults to false.
softDeleteEnabled boolean: Deprecated: Azure has removed support for disabling Soft Delete as of 2020-12-15, as such this field is no longer configurable and can be safely removed. This field will be removed in version 3.0 of the Azure Provider.
softDeleteRetentionDays number: The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.
tags {[key: string]: string}: A mapping of tags to assign to the resource.

resource_group_name str: The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
sku_name str: The Name of the SKU used for this Key Vault. Possible values are standard and premium.
tenant_id str: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
access_policies Sequence[KeyVaultAccessPolicyArgs]: A list of up to 16 objects describing access policies, as described below.
contacts Sequence[KeyVaultContactArgs]: One or more contact block as defined below.
enable_rbac_authorization bool: Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. Defaults to false.
enabled_for_deployment bool: Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.
enabled_for_disk_encryption bool: Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.
enabled_for_template_deployment bool: Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.
location str: Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
name str: Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unqiue. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
network_acls KeyVaultNetworkAclsArgs: A network_acls block as defined below.
purge_protection_enabled bool: Is Purge Protection enabled for this Key Vault? Defaults to false.
soft_delete_enabled bool: Deprecated: Azure has removed support for disabling Soft Delete as of 2020-12-15, as such this field is no longer configurable and can be safely removed. This field will be removed in version 3.0 of the Azure Provider.
soft_delete_retention_days int: The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.
tags Mapping[str, str]: A mapping of tags to assign to the resource.

resourceGroupName String: The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
skuName String: The Name of the SKU used for this Key Vault. Possible values are standard and premium.
tenantId String: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
accessPolicies List<Property Map>: A list of up to 16 objects describing access policies, as described below.
contacts List<Property Map>: One or more contact block as defined below.
enableRbacAuthorization Boolean: Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. Defaults to false.
enabledForDeployment Boolean: Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.
enabledForDiskEncryption Boolean: Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.
enabledForTemplateDeployment Boolean: Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.
location String: Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
name String: Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unqiue. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
networkAcls Property Map: A network_acls block as defined below.
purgeProtectionEnabled Boolean: Is Purge Protection enabled for this Key Vault? Defaults to false.
softDeleteEnabled Boolean: Deprecated: Azure has removed support for disabling Soft Delete as of 2020-12-15, as such this field is no longer configurable and can be safely removed. This field will be removed in version 3.0 of the Azure Provider.
softDeleteRetentionDays Number: The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.
tags Map<String>: A mapping of tags to assign to the resource.

Outputs

All input properties are implicitly available as output properties. Additionally, the KeyVault resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
VaultUri string: The URI of the Key Vault, used for performing operations on keys and secrets.

Id string: The provider-assigned unique ID for this managed resource.
VaultUri string: The URI of the Key Vault, used for performing operations on keys and secrets.

id String: The provider-assigned unique ID for this managed resource.
vaultUri String: The URI of the Key Vault, used for performing operations on keys and secrets.

id string: The provider-assigned unique ID for this managed resource.
vaultUri string: The URI of the Key Vault, used for performing operations on keys and secrets.

id str: The provider-assigned unique ID for this managed resource.
vault_uri str: The URI of the Key Vault, used for performing operations on keys and secrets.

id String: The provider-assigned unique ID for this managed resource.
vaultUri String: The URI of the Key Vault, used for performing operations on keys and secrets.

Look up Existing KeyVault Resource

Get an existing KeyVault resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: KeyVaultState, opts?: CustomResourceOptions): KeyVault

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_policies: Optional[Sequence[KeyVaultAccessPolicyArgs]] = None,
        contacts: Optional[Sequence[KeyVaultContactArgs]] = None,
        enable_rbac_authorization: Optional[bool] = None,
        enabled_for_deployment: Optional[bool] = None,
        enabled_for_disk_encryption: Optional[bool] = None,
        enabled_for_template_deployment: Optional[bool] = None,
        location: Optional[str] = None,
        name: Optional[str] = None,
        network_acls: Optional[KeyVaultNetworkAclsArgs] = None,
        purge_protection_enabled: Optional[bool] = None,
        resource_group_name: Optional[str] = None,
        sku_name: Optional[str] = None,
        soft_delete_enabled: Optional[bool] = None,
        soft_delete_retention_days: Optional[int] = None,
        tags: Optional[Mapping[str, str]] = None,
        tenant_id: Optional[str] = None,
        vault_uri: Optional[str] = None) -> KeyVault

func GetKeyVault(ctx *Context, name string, id IDInput, state *KeyVaultState, opts ...ResourceOption) (*KeyVault, error)

public static KeyVault Get(string name, Input<string> id, KeyVaultState? state, CustomResourceOptions? opts = null)

public static KeyVault get(String name, Output<String> id, KeyVaultState state, CustomResourceOptions options)

resources:  _:    type: azure:keyvault:KeyVault    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccessPolicies List<KeyVaultAccessPolicy>: A list of up to 16 objects describing access policies, as described below.
Contacts List<KeyVaultContact>: One or more contact block as defined below.
EnableRbacAuthorization bool: Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. Defaults to false.
EnabledForDeployment bool: Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.
EnabledForDiskEncryption bool: Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.
EnabledForTemplateDeployment bool: Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.
Location string: Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
Name string: Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unqiue. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
NetworkAcls KeyVaultNetworkAcls: A network_acls block as defined below.
PurgeProtectionEnabled bool: Is Purge Protection enabled for this Key Vault? Defaults to false.
ResourceGroupName string: The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
SkuName string: The Name of the SKU used for this Key Vault. Possible values are standard and premium.
SoftDeleteEnabled bool: Deprecated: Azure has removed support for disabling Soft Delete as of 2020-12-15, as such this field is no longer configurable and can be safely removed. This field will be removed in version 3.0 of the Azure Provider.
SoftDeleteRetentionDays int: The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.
Tags Dictionary<string, string>: A mapping of tags to assign to the resource.
TenantId string: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
VaultUri string: The URI of the Key Vault, used for performing operations on keys and secrets.

AccessPolicies []KeyVaultAccessPolicyArgs: A list of up to 16 objects describing access policies, as described below.
Contacts []KeyVaultContactArgs: One or more contact block as defined below.
EnableRbacAuthorization bool: Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. Defaults to false.
EnabledForDeployment bool: Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.
EnabledForDiskEncryption bool: Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.
EnabledForTemplateDeployment bool: Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.
Location string: Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
Name string: Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unqiue. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
NetworkAcls KeyVaultNetworkAclsArgs: A network_acls block as defined below.
PurgeProtectionEnabled bool: Is Purge Protection enabled for this Key Vault? Defaults to false.
ResourceGroupName string: The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
SkuName string: The Name of the SKU used for this Key Vault. Possible values are standard and premium.
SoftDeleteEnabled bool: Deprecated: Azure has removed support for disabling Soft Delete as of 2020-12-15, as such this field is no longer configurable and can be safely removed. This field will be removed in version 3.0 of the Azure Provider.
SoftDeleteRetentionDays int: The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.
Tags map[string]string: A mapping of tags to assign to the resource.
TenantId string: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
VaultUri string: The URI of the Key Vault, used for performing operations on keys and secrets.

accessPolicies List<KeyVaultAccessPolicy>: A list of up to 16 objects describing access policies, as described below.
contacts List<KeyVaultContact>: One or more contact block as defined below.
enableRbacAuthorization Boolean: Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. Defaults to false.
enabledForDeployment Boolean: Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.
enabledForDiskEncryption Boolean: Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.
enabledForTemplateDeployment Boolean: Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.
location String: Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
name String: Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unqiue. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
networkAcls KeyVaultNetworkAcls: A network_acls block as defined below.
purgeProtectionEnabled Boolean: Is Purge Protection enabled for this Key Vault? Defaults to false.
resourceGroupName String: The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
skuName String: The Name of the SKU used for this Key Vault. Possible values are standard and premium.
softDeleteEnabled Boolean: Deprecated: Azure has removed support for disabling Soft Delete as of 2020-12-15, as such this field is no longer configurable and can be safely removed. This field will be removed in version 3.0 of the Azure Provider.
softDeleteRetentionDays Integer: The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.
tags Map<String,String>: A mapping of tags to assign to the resource.
tenantId String: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
vaultUri String: The URI of the Key Vault, used for performing operations on keys and secrets.

accessPolicies KeyVaultAccessPolicy[]: A list of up to 16 objects describing access policies, as described below.
contacts KeyVaultContact[]: One or more contact block as defined below.
enableRbacAuthorization boolean: Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. Defaults to false.
enabledForDeployment boolean: Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.
enabledForDiskEncryption boolean: Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.
enabledForTemplateDeployment boolean: Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.
location string: Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
name string: Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unqiue. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
networkAcls KeyVaultNetworkAcls: A network_acls block as defined below.
purgeProtectionEnabled boolean: Is Purge Protection enabled for this Key Vault? Defaults to false.
resourceGroupName string: The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
skuName string: The Name of the SKU used for this Key Vault. Possible values are standard and premium.
softDeleteEnabled boolean: Deprecated: Azure has removed support for disabling Soft Delete as of 2020-12-15, as such this field is no longer configurable and can be safely removed. This field will be removed in version 3.0 of the Azure Provider.
softDeleteRetentionDays number: The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.
tags {[key: string]: string}: A mapping of tags to assign to the resource.
tenantId string: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
vaultUri string: The URI of the Key Vault, used for performing operations on keys and secrets.

access_policies Sequence[KeyVaultAccessPolicyArgs]: A list of up to 16 objects describing access policies, as described below.
contacts Sequence[KeyVaultContactArgs]: One or more contact block as defined below.
enable_rbac_authorization bool: Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. Defaults to false.
enabled_for_deployment bool: Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.
enabled_for_disk_encryption bool: Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.
enabled_for_template_deployment bool: Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.
location str: Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
name str: Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unqiue. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
network_acls KeyVaultNetworkAclsArgs: A network_acls block as defined below.
purge_protection_enabled bool: Is Purge Protection enabled for this Key Vault? Defaults to false.
resource_group_name str: The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
sku_name str: The Name of the SKU used for this Key Vault. Possible values are standard and premium.
soft_delete_enabled bool: Deprecated: Azure has removed support for disabling Soft Delete as of 2020-12-15, as such this field is no longer configurable and can be safely removed. This field will be removed in version 3.0 of the Azure Provider.
soft_delete_retention_days int: The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.
tags Mapping[str, str]: A mapping of tags to assign to the resource.
tenant_id str: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
vault_uri str: The URI of the Key Vault, used for performing operations on keys and secrets.

accessPolicies List<Property Map>: A list of up to 16 objects describing access policies, as described below.
contacts List<Property Map>: One or more contact block as defined below.
enableRbacAuthorization Boolean: Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. Defaults to false.
enabledForDeployment Boolean: Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.
enabledForDiskEncryption Boolean: Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.
enabledForTemplateDeployment Boolean: Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.
location String: Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
name String: Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unqiue. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
networkAcls Property Map: A network_acls block as defined below.
purgeProtectionEnabled Boolean: Is Purge Protection enabled for this Key Vault? Defaults to false.
resourceGroupName String: The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
skuName String: The Name of the SKU used for this Key Vault. Possible values are standard and premium.
softDeleteEnabled Boolean: Deprecated: Azure has removed support for disabling Soft Delete as of 2020-12-15, as such this field is no longer configurable and can be safely removed. This field will be removed in version 3.0 of the Azure Provider.
softDeleteRetentionDays Number: The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.
tags Map<String>: A mapping of tags to assign to the resource.
tenantId String: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
vaultUri String: The URI of the Key Vault, used for performing operations on keys and secrets.

Supporting Types

KeyVaultAccessPolicy, KeyVaultAccessPolicyArgs

ObjectId string: The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
TenantId string: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the tenant_id used above.
ApplicationId string: The object ID of an Application in Azure Active Directory.
CertificatePermissions List<string>: List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
KeyPermissions List<string>: List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.
SecretPermissions List<string>: List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
StoragePermissions List<string>: List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

ObjectId string: The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
TenantId string: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the tenant_id used above.
ApplicationId string: The object ID of an Application in Azure Active Directory.
CertificatePermissions []string: List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
KeyPermissions []string: List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.
SecretPermissions []string: List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
StoragePermissions []string: List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

objectId String: The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
tenantId String: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the tenant_id used above.
applicationId String: The object ID of an Application in Azure Active Directory.
certificatePermissions List<String>: List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
keyPermissions List<String>: List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.
secretPermissions List<String>: List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
storagePermissions List<String>: List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

objectId string: The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
tenantId string: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the tenant_id used above.
applicationId string: The object ID of an Application in Azure Active Directory.
certificatePermissions string[]: List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
keyPermissions string[]: List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.
secretPermissions string[]: List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
storagePermissions string[]: List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

object_id str: The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
tenant_id str: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the tenant_id used above.
application_id str: The object ID of an Application in Azure Active Directory.
certificate_permissions Sequence[str]: List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
key_permissions Sequence[str]: List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.
secret_permissions Sequence[str]: List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
storage_permissions Sequence[str]: List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

objectId String: The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
tenantId String: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the tenant_id used above.
applicationId String: The object ID of an Application in Azure Active Directory.
certificatePermissions List<String>: List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
keyPermissions List<String>: List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify and WrapKey.
secretPermissions List<String>: List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
storagePermissions List<String>: List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

KeyVaultContact, KeyVaultContactArgs

Email string: E-mail address of the contact.
Name string: Name of the contact.
Phone string: Phone number of the contact.

Email string: E-mail address of the contact.
Name string: Name of the contact.
Phone string: Phone number of the contact.

email String: E-mail address of the contact.
name String: Name of the contact.
phone String: Phone number of the contact.

email string: E-mail address of the contact.
name string: Name of the contact.
phone string: Phone number of the contact.

email str: E-mail address of the contact.
name str: Name of the contact.
phone str: Phone number of the contact.

email String: E-mail address of the contact.
name String: Name of the contact.
phone String: Phone number of the contact.

KeyVaultNetworkAcls, KeyVaultNetworkAclsArgs

Bypass string: Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.
DefaultAction string: The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny.
IpRules List<string>: One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
VirtualNetworkSubnetIds List<string>: One or more Subnet ID's which should be able to access this Key Vault.

Bypass string: Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.
DefaultAction string: The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny.
IpRules []string: One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
VirtualNetworkSubnetIds []string: One or more Subnet ID's which should be able to access this Key Vault.

bypass String: Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.
defaultAction String: The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny.
ipRules List<String>: One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
virtualNetworkSubnetIds List<String>: One or more Subnet ID's which should be able to access this Key Vault.

bypass string: Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.
defaultAction string: The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny.
ipRules string[]: One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
virtualNetworkSubnetIds string[]: One or more Subnet ID's which should be able to access this Key Vault.

bypass str: Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.
default_action str: The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny.
ip_rules Sequence[str]: One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
virtual_network_subnet_ids Sequence[str]: One or more Subnet ID's which should be able to access this Key Vault.

bypass String: Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.
defaultAction String: The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny.
ipRules List<String>: One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
virtualNetworkSubnetIds List<String>: One or more Subnet ID's which should be able to access this Key Vault.

Import

Key Vault’s can be imported using the resource id, e.g.

 $ pulumi import azure:keyvault/keyVault:KeyVault example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/vault1

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Azure Classic pulumi/pulumi-azure
License: Apache-2.0
Notes: This Pulumi package is based on the azurerm Terraform Provider.

We recommend using Azure Native.

Viewing docs for Azure v4.42.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi

Go to latest version

Schema (JSON)

pulumi/pulumi-azure

azure.keyvault.KeyVault

On this page

On this page

Disclaimers

Example Usage

Create KeyVault Resource

Constructor syntax

Parameters

Constructor example

KeyVault Resource Properties

Inputs

Outputs

Look up Existing KeyVault Resource

Supporting Types

KeyVaultAccessPolicy, KeyVaultAccessPolicyArgs

KeyVaultContact, KeyVaultContactArgs

KeyVaultNetworkAcls, KeyVaultNetworkAclsArgs

Import

Package Details

On this page

On this page