We recommend using Azure Native.
Viewing docs for Azure v4.42.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi
published on Monday, Mar 9, 2026 by Pulumi
We recommend using Azure Native.
Viewing docs for Azure v4.42.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi
published on Monday, Mar 9, 2026 by Pulumi
Manages a Customer Managed Key for a Storage Account.
NOTE: It’s possible to define a Customer Managed Key both within the
azure.storage.Accountresource via thecustomer_managed_keyblock and by using theazure.storage.CustomerManagedKeyresource. However it’s not possible to use both methods to manage a Customer Managed Key for a Storage Account, since there’ll be conflicts.
Example Usage
using Pulumi;
using Azure = Pulumi.Azure;
class MyStack : Stack
{
public MyStack()
{
var current = Output.Create(Azure.Core.GetClientConfig.InvokeAsync());
var exampleResourceGroup = new Azure.Core.ResourceGroup("exampleResourceGroup", new Azure.Core.ResourceGroupArgs
{
Location = "West Europe",
});
var exampleKeyVault = new Azure.KeyVault.KeyVault("exampleKeyVault", new Azure.KeyVault.KeyVaultArgs
{
Location = exampleResourceGroup.Location,
ResourceGroupName = exampleResourceGroup.Name,
TenantId = current.Apply(current => current.TenantId),
SkuName = "standard",
PurgeProtectionEnabled = true,
});
var exampleAccount = new Azure.Storage.Account("exampleAccount", new Azure.Storage.AccountArgs
{
ResourceGroupName = exampleResourceGroup.Name,
Location = exampleResourceGroup.Location,
AccountTier = "Standard",
AccountReplicationType = "GRS",
Identity = new Azure.Storage.Inputs.AccountIdentityArgs
{
Type = "SystemAssigned",
},
});
var storage = new Azure.KeyVault.AccessPolicy("storage", new Azure.KeyVault.AccessPolicyArgs
{
KeyVaultId = exampleKeyVault.Id,
TenantId = current.Apply(current => current.TenantId),
ObjectId = exampleAccount.Identity.Apply(identity => identity?.PrincipalId),
KeyPermissions =
{
"get",
"create",
"list",
"restore",
"recover",
"unwrapkey",
"wrapkey",
"purge",
"encrypt",
"decrypt",
"sign",
"verify",
},
SecretPermissions =
{
"get",
},
});
var client = new Azure.KeyVault.AccessPolicy("client", new Azure.KeyVault.AccessPolicyArgs
{
KeyVaultId = exampleKeyVault.Id,
TenantId = current.Apply(current => current.TenantId),
ObjectId = current.Apply(current => current.ObjectId),
KeyPermissions =
{
"get",
"create",
"delete",
"list",
"restore",
"recover",
"unwrapkey",
"wrapkey",
"purge",
"encrypt",
"decrypt",
"sign",
"verify",
},
SecretPermissions =
{
"get",
},
});
var exampleKey = new Azure.KeyVault.Key("exampleKey", new Azure.KeyVault.KeyArgs
{
KeyVaultId = exampleKeyVault.Id,
KeyType = "RSA",
KeySize = 2048,
KeyOpts =
{
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
},
}, new CustomResourceOptions
{
DependsOn =
{
client,
storage,
},
});
var exampleCustomerManagedKey = new Azure.Storage.CustomerManagedKey("exampleCustomerManagedKey", new Azure.Storage.CustomerManagedKeyArgs
{
StorageAccountId = exampleAccount.Id,
KeyVaultId = exampleKeyVault.Id,
KeyName = exampleKey.Name,
});
}
}
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v4/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v4/go/azure/keyvault"
"github.com/pulumi/pulumi-azure/sdk/v4/go/azure/storage"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := core.GetClientConfig(ctx, nil, nil)
if err != nil {
return err
}
exampleResourceGroup, err := core.NewResourceGroup(ctx, "exampleResourceGroup", &core.ResourceGroupArgs{
Location: pulumi.String("West Europe"),
})
if err != nil {
return err
}
exampleKeyVault, err := keyvault.NewKeyVault(ctx, "exampleKeyVault", &keyvault.KeyVaultArgs{
Location: exampleResourceGroup.Location,
ResourceGroupName: exampleResourceGroup.Name,
TenantId: pulumi.String(current.TenantId),
SkuName: pulumi.String("standard"),
PurgeProtectionEnabled: pulumi.Bool(true),
})
if err != nil {
return err
}
exampleAccount, err := storage.NewAccount(ctx, "exampleAccount", &storage.AccountArgs{
ResourceGroupName: exampleResourceGroup.Name,
Location: exampleResourceGroup.Location,
AccountTier: pulumi.String("Standard"),
AccountReplicationType: pulumi.String("GRS"),
Identity: &storage.AccountIdentityArgs{
Type: pulumi.String("SystemAssigned"),
},
})
if err != nil {
return err
}
storage, err := keyvault.NewAccessPolicy(ctx, "storage", &keyvault.AccessPolicyArgs{
KeyVaultId: exampleKeyVault.ID(),
TenantId: pulumi.String(current.TenantId),
ObjectId: exampleAccount.Identity.ApplyT(func(identity storage.AccountIdentity) (string, error) {
return identity.PrincipalId, nil
}).(pulumi.StringOutput),
KeyPermissions: pulumi.StringArray{
pulumi.String("get"),
pulumi.String("create"),
pulumi.String("list"),
pulumi.String("restore"),
pulumi.String("recover"),
pulumi.String("unwrapkey"),
pulumi.String("wrapkey"),
pulumi.String("purge"),
pulumi.String("encrypt"),
pulumi.String("decrypt"),
pulumi.String("sign"),
pulumi.String("verify"),
},
SecretPermissions: pulumi.StringArray{
pulumi.String("get"),
},
})
if err != nil {
return err
}
client, err := keyvault.NewAccessPolicy(ctx, "client", &keyvault.AccessPolicyArgs{
KeyVaultId: exampleKeyVault.ID(),
TenantId: pulumi.String(current.TenantId),
ObjectId: pulumi.String(current.ObjectId),
KeyPermissions: pulumi.StringArray{
pulumi.String("get"),
pulumi.String("create"),
pulumi.String("delete"),
pulumi.String("list"),
pulumi.String("restore"),
pulumi.String("recover"),
pulumi.String("unwrapkey"),
pulumi.String("wrapkey"),
pulumi.String("purge"),
pulumi.String("encrypt"),
pulumi.String("decrypt"),
pulumi.String("sign"),
pulumi.String("verify"),
},
SecretPermissions: pulumi.StringArray{
pulumi.String("get"),
},
})
if err != nil {
return err
}
exampleKey, err := keyvault.NewKey(ctx, "exampleKey", &keyvault.KeyArgs{
KeyVaultId: exampleKeyVault.ID(),
KeyType: pulumi.String("RSA"),
KeySize: pulumi.Int(2048),
KeyOpts: pulumi.StringArray{
pulumi.String("decrypt"),
pulumi.String("encrypt"),
pulumi.String("sign"),
pulumi.String("unwrapKey"),
pulumi.String("verify"),
pulumi.String("wrapKey"),
},
}, pulumi.DependsOn([]pulumi.Resource{
client,
storage,
}))
if err != nil {
return err
}
_, err = storage.NewCustomerManagedKey(ctx, "exampleCustomerManagedKey", &storage.CustomerManagedKeyArgs{
StorageAccountId: exampleAccount.ID(),
KeyVaultId: exampleKeyVault.ID(),
KeyName: exampleKey.Name,
})
if err != nil {
return err
}
return nil
})
}
Example coming soon!
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const current = azure.core.getClientConfig({});
const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West Europe"});
const exampleKeyVault = new azure.keyvault.KeyVault("exampleKeyVault", {
location: exampleResourceGroup.location,
resourceGroupName: exampleResourceGroup.name,
tenantId: current.then(current => current.tenantId),
skuName: "standard",
purgeProtectionEnabled: true,
});
const exampleAccount = new azure.storage.Account("exampleAccount", {
resourceGroupName: exampleResourceGroup.name,
location: exampleResourceGroup.location,
accountTier: "Standard",
accountReplicationType: "GRS",
identity: {
type: "SystemAssigned",
},
});
const storage = new azure.keyvault.AccessPolicy("storage", {
keyVaultId: exampleKeyVault.id,
tenantId: current.then(current => current.tenantId),
objectId: exampleAccount.identity.apply(identity => identity?.principalId),
keyPermissions: [
"get",
"create",
"list",
"restore",
"recover",
"unwrapkey",
"wrapkey",
"purge",
"encrypt",
"decrypt",
"sign",
"verify",
],
secretPermissions: ["get"],
});
const client = new azure.keyvault.AccessPolicy("client", {
keyVaultId: exampleKeyVault.id,
tenantId: current.then(current => current.tenantId),
objectId: current.then(current => current.objectId),
keyPermissions: [
"get",
"create",
"delete",
"list",
"restore",
"recover",
"unwrapkey",
"wrapkey",
"purge",
"encrypt",
"decrypt",
"sign",
"verify",
],
secretPermissions: ["get"],
});
const exampleKey = new azure.keyvault.Key("exampleKey", {
keyVaultId: exampleKeyVault.id,
keyType: "RSA",
keySize: 2048,
keyOpts: [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
],
}, {
dependsOn: [
client,
storage,
],
});
const exampleCustomerManagedKey = new azure.storage.CustomerManagedKey("exampleCustomerManagedKey", {
storageAccountId: exampleAccount.id,
keyVaultId: exampleKeyVault.id,
keyName: exampleKey.name,
});
import pulumi
import pulumi_azure as azure
current = azure.core.get_client_config()
example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West Europe")
example_key_vault = azure.keyvault.KeyVault("exampleKeyVault",
location=example_resource_group.location,
resource_group_name=example_resource_group.name,
tenant_id=current.tenant_id,
sku_name="standard",
purge_protection_enabled=True)
example_account = azure.storage.Account("exampleAccount",
resource_group_name=example_resource_group.name,
location=example_resource_group.location,
account_tier="Standard",
account_replication_type="GRS",
identity=azure.storage.AccountIdentityArgs(
type="SystemAssigned",
))
storage = azure.keyvault.AccessPolicy("storage",
key_vault_id=example_key_vault.id,
tenant_id=current.tenant_id,
object_id=example_account.identity.principal_id,
key_permissions=[
"get",
"create",
"list",
"restore",
"recover",
"unwrapkey",
"wrapkey",
"purge",
"encrypt",
"decrypt",
"sign",
"verify",
],
secret_permissions=["get"])
client = azure.keyvault.AccessPolicy("client",
key_vault_id=example_key_vault.id,
tenant_id=current.tenant_id,
object_id=current.object_id,
key_permissions=[
"get",
"create",
"delete",
"list",
"restore",
"recover",
"unwrapkey",
"wrapkey",
"purge",
"encrypt",
"decrypt",
"sign",
"verify",
],
secret_permissions=["get"])
example_key = azure.keyvault.Key("exampleKey",
key_vault_id=example_key_vault.id,
key_type="RSA",
key_size=2048,
key_opts=[
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
],
opts=pulumi.ResourceOptions(depends_on=[
client,
storage,
]))
example_customer_managed_key = azure.storage.CustomerManagedKey("exampleCustomerManagedKey",
storage_account_id=example_account.id,
key_vault_id=example_key_vault.id,
key_name=example_key.name)
Example coming soon!
Create CustomerManagedKey Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new CustomerManagedKey(name: string, args: CustomerManagedKeyArgs, opts?: CustomResourceOptions);@overload
def CustomerManagedKey(resource_name: str,
args: CustomerManagedKeyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def CustomerManagedKey(resource_name: str,
opts: Optional[ResourceOptions] = None,
key_name: Optional[str] = None,
key_vault_id: Optional[str] = None,
storage_account_id: Optional[str] = None,
key_version: Optional[str] = None,
user_assigned_identity_id: Optional[str] = None)func NewCustomerManagedKey(ctx *Context, name string, args CustomerManagedKeyArgs, opts ...ResourceOption) (*CustomerManagedKey, error)public CustomerManagedKey(string name, CustomerManagedKeyArgs args, CustomResourceOptions? opts = null)
public CustomerManagedKey(String name, CustomerManagedKeyArgs args)
public CustomerManagedKey(String name, CustomerManagedKeyArgs args, CustomResourceOptions options)
type: azure:storage:CustomerManagedKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args CustomerManagedKeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args CustomerManagedKeyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args CustomerManagedKeyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CustomerManagedKeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args CustomerManagedKeyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var customerManagedKeyResource = new Azure.Storage.CustomerManagedKey("customerManagedKeyResource", new()
{
KeyName = "string",
KeyVaultId = "string",
StorageAccountId = "string",
KeyVersion = "string",
UserAssignedIdentityId = "string",
});
example, err := storage.NewCustomerManagedKey(ctx, "customerManagedKeyResource", &storage.CustomerManagedKeyArgs{
KeyName: pulumi.String("string"),
KeyVaultId: pulumi.String("string"),
StorageAccountId: pulumi.String("string"),
KeyVersion: pulumi.String("string"),
UserAssignedIdentityId: pulumi.String("string"),
})
var customerManagedKeyResource = new CustomerManagedKey("customerManagedKeyResource", CustomerManagedKeyArgs.builder()
.keyName("string")
.keyVaultId("string")
.storageAccountId("string")
.keyVersion("string")
.userAssignedIdentityId("string")
.build());
customer_managed_key_resource = azure.storage.CustomerManagedKey("customerManagedKeyResource",
key_name="string",
key_vault_id="string",
storage_account_id="string",
key_version="string",
user_assigned_identity_id="string")
const customerManagedKeyResource = new azure.storage.CustomerManagedKey("customerManagedKeyResource", {
keyName: "string",
keyVaultId: "string",
storageAccountId: "string",
keyVersion: "string",
userAssignedIdentityId: "string",
});
type: azure:storage:CustomerManagedKey
properties:
keyName: string
keyVaultId: string
keyVersion: string
storageAccountId: string
userAssignedIdentityId: string
CustomerManagedKey Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The CustomerManagedKey resource accepts the following input properties:
- Key
Name string - The name of Key Vault Key.
- Key
Vault stringId - The ID of the Key Vault. Changing this forces a new resource to be created.
- Storage
Account stringId - The ID of the Storage Account. Changing this forces a new resource to be created.
- Key
Version string - The version of Key Vault Key. Remove or omit this argument to enable Automatic Key Rotation.
- User
Assigned stringIdentity Id - The ID of a user assigned identity.
- Key
Name string - The name of Key Vault Key.
- Key
Vault stringId - The ID of the Key Vault. Changing this forces a new resource to be created.
- Storage
Account stringId - The ID of the Storage Account. Changing this forces a new resource to be created.
- Key
Version string - The version of Key Vault Key. Remove or omit this argument to enable Automatic Key Rotation.
- User
Assigned stringIdentity Id - The ID of a user assigned identity.
- key
Name String - The name of Key Vault Key.
- key
Vault StringId - The ID of the Key Vault. Changing this forces a new resource to be created.
- storage
Account StringId - The ID of the Storage Account. Changing this forces a new resource to be created.
- key
Version String - The version of Key Vault Key. Remove or omit this argument to enable Automatic Key Rotation.
- user
Assigned StringIdentity Id - The ID of a user assigned identity.
- key
Name string - The name of Key Vault Key.
- key
Vault stringId - The ID of the Key Vault. Changing this forces a new resource to be created.
- storage
Account stringId - The ID of the Storage Account. Changing this forces a new resource to be created.
- key
Version string - The version of Key Vault Key. Remove or omit this argument to enable Automatic Key Rotation.
- user
Assigned stringIdentity Id - The ID of a user assigned identity.
- key_
name str - The name of Key Vault Key.
- key_
vault_ strid - The ID of the Key Vault. Changing this forces a new resource to be created.
- storage_
account_ strid - The ID of the Storage Account. Changing this forces a new resource to be created.
- key_
version str - The version of Key Vault Key. Remove or omit this argument to enable Automatic Key Rotation.
- user_
assigned_ stridentity_ id - The ID of a user assigned identity.
- key
Name String - The name of Key Vault Key.
- key
Vault StringId - The ID of the Key Vault. Changing this forces a new resource to be created.
- storage
Account StringId - The ID of the Storage Account. Changing this forces a new resource to be created.
- key
Version String - The version of Key Vault Key. Remove or omit this argument to enable Automatic Key Rotation.
- user
Assigned StringIdentity Id - The ID of a user assigned identity.
Outputs
All input properties are implicitly available as output properties. Additionally, the CustomerManagedKey resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing CustomerManagedKey Resource
Get an existing CustomerManagedKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: CustomerManagedKeyState, opts?: CustomResourceOptions): CustomerManagedKey@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
key_name: Optional[str] = None,
key_vault_id: Optional[str] = None,
key_version: Optional[str] = None,
storage_account_id: Optional[str] = None,
user_assigned_identity_id: Optional[str] = None) -> CustomerManagedKeyfunc GetCustomerManagedKey(ctx *Context, name string, id IDInput, state *CustomerManagedKeyState, opts ...ResourceOption) (*CustomerManagedKey, error)public static CustomerManagedKey Get(string name, Input<string> id, CustomerManagedKeyState? state, CustomResourceOptions? opts = null)public static CustomerManagedKey get(String name, Output<String> id, CustomerManagedKeyState state, CustomResourceOptions options)resources: _: type: azure:storage:CustomerManagedKey get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Key
Name string - The name of Key Vault Key.
- Key
Vault stringId - The ID of the Key Vault. Changing this forces a new resource to be created.
- Key
Version string - The version of Key Vault Key. Remove or omit this argument to enable Automatic Key Rotation.
- Storage
Account stringId - The ID of the Storage Account. Changing this forces a new resource to be created.
- User
Assigned stringIdentity Id - The ID of a user assigned identity.
- Key
Name string - The name of Key Vault Key.
- Key
Vault stringId - The ID of the Key Vault. Changing this forces a new resource to be created.
- Key
Version string - The version of Key Vault Key. Remove or omit this argument to enable Automatic Key Rotation.
- Storage
Account stringId - The ID of the Storage Account. Changing this forces a new resource to be created.
- User
Assigned stringIdentity Id - The ID of a user assigned identity.
- key
Name String - The name of Key Vault Key.
- key
Vault StringId - The ID of the Key Vault. Changing this forces a new resource to be created.
- key
Version String - The version of Key Vault Key. Remove or omit this argument to enable Automatic Key Rotation.
- storage
Account StringId - The ID of the Storage Account. Changing this forces a new resource to be created.
- user
Assigned StringIdentity Id - The ID of a user assigned identity.
- key
Name string - The name of Key Vault Key.
- key
Vault stringId - The ID of the Key Vault. Changing this forces a new resource to be created.
- key
Version string - The version of Key Vault Key. Remove or omit this argument to enable Automatic Key Rotation.
- storage
Account stringId - The ID of the Storage Account. Changing this forces a new resource to be created.
- user
Assigned stringIdentity Id - The ID of a user assigned identity.
- key_
name str - The name of Key Vault Key.
- key_
vault_ strid - The ID of the Key Vault. Changing this forces a new resource to be created.
- key_
version str - The version of Key Vault Key. Remove or omit this argument to enable Automatic Key Rotation.
- storage_
account_ strid - The ID of the Storage Account. Changing this forces a new resource to be created.
- user_
assigned_ stridentity_ id - The ID of a user assigned identity.
- key
Name String - The name of Key Vault Key.
- key
Vault StringId - The ID of the Key Vault. Changing this forces a new resource to be created.
- key
Version String - The version of Key Vault Key. Remove or omit this argument to enable Automatic Key Rotation.
- storage
Account StringId - The ID of the Storage Account. Changing this forces a new resource to be created.
- user
Assigned StringIdentity Id - The ID of a user assigned identity.
Import
Customer Managed Keys for a Storage Account can be imported using the resource id of the Storage Account, e.g.
$ pulumi import azure:storage/customerManagedKey:CustomerManagedKey example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/myaccount
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Classic pulumi/pulumi-azure
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
azurermTerraform Provider.
We recommend using Azure Native.
Viewing docs for Azure v4.42.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi
published on Monday, Mar 9, 2026 by Pulumi
