Azure Active Directory (Azure AD) v6.4.0, Apr 7 25

Azure Active Directory (Azure AD) v6.4.0 published on Monday, Apr 7, 2025 by Pulumi

azuread.ServicePrincipalCertificate

Explore with Pulumi AI

Azure Active Directory (Azure AD) v6.4.0 published on Monday, Apr 7, 2025 by Pulumi

pulumi/pulumi-azuread

Example Usage

Using a PEM certificate

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
import * as std from "@pulumi/std";

const example = new azuread.Application("example", {displayName: "example"});
const exampleServicePrincipal = new azuread.ServicePrincipal("example", {clientId: example.clientId});
const exampleServicePrincipalCertificate = new azuread.ServicePrincipalCertificate("example", {
    servicePrincipalId: exampleServicePrincipal.id,
    type: "AsymmetricX509Cert",
    value: std.file({
        input: "cert.pem",
    }).then(invoke => invoke.result),
    endDate: "2021-05-01T01:02:03Z",
});

import pulumi
import pulumi_azuread as azuread
import pulumi_std as std

example = azuread.Application("example", display_name="example")
example_service_principal = azuread.ServicePrincipal("example", client_id=example.client_id)
example_service_principal_certificate = azuread.ServicePrincipalCertificate("example",
    service_principal_id=example_service_principal.id,
    type="AsymmetricX509Cert",
    value=std.file(input="cert.pem").result,
    end_date="2021-05-01T01:02:03Z")

package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		exampleServicePrincipal, err := azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
			ClientId: example.ClientId,
		})
		if err != nil {
			return err
		}
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "cert.pem",
		}, nil)
		if err != nil {
			return err
		}
		_, err = azuread.NewServicePrincipalCertificate(ctx, "example", &azuread.ServicePrincipalCertificateArgs{
			ServicePrincipalId: exampleServicePrincipal.ID(),
			Type:               pulumi.String("AsymmetricX509Cert"),
			Value:              pulumi.String(invokeFile.Result),
			EndDate:            pulumi.String("2021-05-01T01:02:03Z"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
using Std = Pulumi.Std;

return await Deployment.RunAsync(() => 
{
    var example = new AzureAD.Application("example", new()
    {
        DisplayName = "example",
    });

    var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
    {
        ClientId = example.ClientId,
    });

    var exampleServicePrincipalCertificate = new AzureAD.ServicePrincipalCertificate("example", new()
    {
        ServicePrincipalId = exampleServicePrincipal.Id,
        Type = "AsymmetricX509Cert",
        Value = Std.File.Invoke(new()
        {
            Input = "cert.pem",
        }).Apply(invoke => invoke.Result),
        EndDate = "2021-05-01T01:02:03Z",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.ServicePrincipalCertificate;
import com.pulumi.azuread.ServicePrincipalCertificateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Application("example", ApplicationArgs.builder()
            .displayName("example")
            .build());

        var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
            .clientId(example.clientId())
            .build());

        var exampleServicePrincipalCertificate = new ServicePrincipalCertificate("exampleServicePrincipalCertificate", ServicePrincipalCertificateArgs.builder()
            .servicePrincipalId(exampleServicePrincipal.id())
            .type("AsymmetricX509Cert")
            .value(StdFunctions.file(FileArgs.builder()
                .input("cert.pem")
                .build()).result())
            .endDate("2021-05-01T01:02:03Z")
            .build());

    }
}

resources:
  example:
    type: azuread:Application
    properties:
      displayName: example
  exampleServicePrincipal:
    type: azuread:ServicePrincipal
    name: example
    properties:
      clientId: ${example.clientId}
  exampleServicePrincipalCertificate:
    type: azuread:ServicePrincipalCertificate
    name: example
    properties:
      servicePrincipalId: ${exampleServicePrincipal.id}
      type: AsymmetricX509Cert
      value:
        fn::invoke:
          function: std:file
          arguments:
            input: cert.pem
          return: result
      endDate: 2021-05-01T01:02:03Z

Using a DER certificate

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
import * as std from "@pulumi/std";

const example = new azuread.Application("example", {displayName: "example"});
const exampleServicePrincipal = new azuread.ServicePrincipal("example", {clientId: example.clientId});
const exampleServicePrincipalCertificate = new azuread.ServicePrincipalCertificate("example", {
    servicePrincipalId: exampleServicePrincipal.id,
    type: "AsymmetricX509Cert",
    encoding: "base64",
    value: std.file({
        input: "cert.der",
    }).then(invoke => std.base64encode({
        input: invoke.result,
    })).then(invoke => invoke.result),
    endDate: "2021-05-01T01:02:03Z",
});

import pulumi
import pulumi_azuread as azuread
import pulumi_std as std

example = azuread.Application("example", display_name="example")
example_service_principal = azuread.ServicePrincipal("example", client_id=example.client_id)
example_service_principal_certificate = azuread.ServicePrincipalCertificate("example",
    service_principal_id=example_service_principal.id,
    type="AsymmetricX509Cert",
    encoding="base64",
    value=std.base64encode(input=std.file(input="cert.der").result).result,
    end_date="2021-05-01T01:02:03Z")

package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		exampleServicePrincipal, err := azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
			ClientId: example.ClientId,
		})
		if err != nil {
			return err
		}
		invokeBase64encode, err := std.Base64encode(ctx, &std.Base64encodeArgs{
			Input: std.File(ctx, &std.FileArgs{
				Input: "cert.der",
			}, nil).Result,
		}, nil)
		if err != nil {
			return err
		}
		_, err = azuread.NewServicePrincipalCertificate(ctx, "example", &azuread.ServicePrincipalCertificateArgs{
			ServicePrincipalId: exampleServicePrincipal.ID(),
			Type:               pulumi.String("AsymmetricX509Cert"),
			Encoding:           pulumi.String("base64"),
			Value:              pulumi.String(invokeBase64encode.Result),
			EndDate:            pulumi.String("2021-05-01T01:02:03Z"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
using Std = Pulumi.Std;

return await Deployment.RunAsync(() => 
{
    var example = new AzureAD.Application("example", new()
    {
        DisplayName = "example",
    });

    var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
    {
        ClientId = example.ClientId,
    });

    var exampleServicePrincipalCertificate = new AzureAD.ServicePrincipalCertificate("example", new()
    {
        ServicePrincipalId = exampleServicePrincipal.Id,
        Type = "AsymmetricX509Cert",
        Encoding = "base64",
        Value = Std.File.Invoke(new()
        {
            Input = "cert.der",
        }).Apply(invoke => Std.Base64encode.Invoke(new()
        {
            Input = invoke.Result,
        })).Apply(invoke => invoke.Result),
        EndDate = "2021-05-01T01:02:03Z",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.ServicePrincipalCertificate;
import com.pulumi.azuread.ServicePrincipalCertificateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Application("example", ApplicationArgs.builder()
            .displayName("example")
            .build());

        var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
            .clientId(example.clientId())
            .build());

        var exampleServicePrincipalCertificate = new ServicePrincipalCertificate("exampleServicePrincipalCertificate", ServicePrincipalCertificateArgs.builder()
            .servicePrincipalId(exampleServicePrincipal.id())
            .type("AsymmetricX509Cert")
            .encoding("base64")
            .value(StdFunctions.base64encode(Base64encodeArgs.builder()
                .input(StdFunctions.file(FileArgs.builder()
                    .input("cert.der")
                    .build()).result())
                .build()).result())
            .endDate("2021-05-01T01:02:03Z")
            .build());

    }
}

resources:
  example:
    type: azuread:Application
    properties:
      displayName: example
  exampleServicePrincipal:
    type: azuread:ServicePrincipal
    name: example
    properties:
      clientId: ${example.clientId}
  exampleServicePrincipalCertificate:
    type: azuread:ServicePrincipalCertificate
    name: example
    properties:
      servicePrincipalId: ${exampleServicePrincipal.id}
      type: AsymmetricX509Cert
      encoding: base64
      value:
        fn::invoke:
          function: std:base64encode
          arguments:
            input:
              fn::invoke:
                function: std:file
                arguments:
                  input: cert.der
                return: result
          return: result
      endDate: 2021-05-01T01:02:03Z

Create ServicePrincipalCertificate Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new ServicePrincipalCertificate(name: string, args: ServicePrincipalCertificateArgs, opts?: CustomResourceOptions);

@overload
def ServicePrincipalCertificate(resource_name: str,
                                args: ServicePrincipalCertificateArgs,
                                opts: Optional[ResourceOptions] = None)

@overload
def ServicePrincipalCertificate(resource_name: str,
                                opts: Optional[ResourceOptions] = None,
                                service_principal_id: Optional[str] = None,
                                value: Optional[str] = None,
                                encoding: Optional[str] = None,
                                end_date: Optional[str] = None,
                                end_date_relative: Optional[str] = None,
                                key_id: Optional[str] = None,
                                start_date: Optional[str] = None,
                                type: Optional[str] = None)

func NewServicePrincipalCertificate(ctx *Context, name string, args ServicePrincipalCertificateArgs, opts ...ResourceOption) (*ServicePrincipalCertificate, error)

public ServicePrincipalCertificate(string name, ServicePrincipalCertificateArgs args, CustomResourceOptions? opts = null)

public ServicePrincipalCertificate(String name, ServicePrincipalCertificateArgs args)
public ServicePrincipalCertificate(String name, ServicePrincipalCertificateArgs args, CustomResourceOptions options)

type: azuread:ServicePrincipalCertificate
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args ServicePrincipalCertificateArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ServicePrincipalCertificateArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ServicePrincipalCertificateArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ServicePrincipalCertificateArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ServicePrincipalCertificateArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var servicePrincipalCertificateResource = new AzureAD.ServicePrincipalCertificate("servicePrincipalCertificateResource", new()
{
    ServicePrincipalId = "string",
    Value = "string",
    Encoding = "string",
    EndDate = "string",
    KeyId = "string",
    StartDate = "string",
    Type = "string",
});

example, err := azuread.NewServicePrincipalCertificate(ctx, "servicePrincipalCertificateResource", &azuread.ServicePrincipalCertificateArgs{
	ServicePrincipalId: pulumi.String("string"),
	Value:              pulumi.String("string"),
	Encoding:           pulumi.String("string"),
	EndDate:            pulumi.String("string"),
	KeyId:              pulumi.String("string"),
	StartDate:          pulumi.String("string"),
	Type:               pulumi.String("string"),
})

var servicePrincipalCertificateResource = new ServicePrincipalCertificate("servicePrincipalCertificateResource", ServicePrincipalCertificateArgs.builder()
    .servicePrincipalId("string")
    .value("string")
    .encoding("string")
    .endDate("string")
    .keyId("string")
    .startDate("string")
    .type("string")
    .build());

service_principal_certificate_resource = azuread.ServicePrincipalCertificate("servicePrincipalCertificateResource",
    service_principal_id="string",
    value="string",
    encoding="string",
    end_date="string",
    key_id="string",
    start_date="string",
    type="string")

const servicePrincipalCertificateResource = new azuread.ServicePrincipalCertificate("servicePrincipalCertificateResource", {
    servicePrincipalId: "string",
    value: "string",
    encoding: "string",
    endDate: "string",
    keyId: "string",
    startDate: "string",
    type: "string",
});

type: azuread:ServicePrincipalCertificate
properties:
    encoding: string
    endDate: string
    keyId: string
    servicePrincipalId: string
    startDate: string
    type: string
    value: string

ServicePrincipalCertificate Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ServicePrincipalCertificate resource accepts the following input properties:

ServicePrincipalId string

The ID of the service principal for which this certificate should be created. Changing this field forces a new resource to be created.

Value string

The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER. See also the encoding argument.

Encoding string

Specifies the encoding used for the supplied certificate data. Must be one of pem, base64 or hex. Defaults to pem.

Tip for Azure Key Vault The hex encoding option is useful for consuming certificate data from the azurerm_key_vault_certificate resource.

EndDate string

The end date until which the certificate is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

EndDateRelative string

A relative duration for which the certificate is valid until, for example 240h (10 days) or 2400h30m. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Changing this field forces a new resource to be created.

One of end_date or end_date_relative must be set. The maximum duration is determined by Azure AD.

Deprecated: The end_date_relative property is deprecated and will be removed in a future version of the AzureAD provider. Please instead use the Terraform timeadd() function to calculate a value for the end_date property.

KeyId string

A UUID used to uniquely identify this certificate. If not specified a UUID will be automatically generated. Changing this field forces a new resource to be created.

StartDate string

The start date from which the certificate is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn't specified, the value is determined by Azure Active Directory and is usually the start date of the certificate for asymmetric keys, or the current timestamp for symmetric keys. Changing this field forces a new resource to be created.

Type string

The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.

ServicePrincipalId string

The ID of the service principal for which this certificate should be created. Changing this field forces a new resource to be created.

Value string

The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER. See also the encoding argument.

Encoding string

Specifies the encoding used for the supplied certificate data. Must be one of pem, base64 or hex. Defaults to pem.

Tip for Azure Key Vault The hex encoding option is useful for consuming certificate data from the azurerm_key_vault_certificate resource.

EndDate string

The end date until which the certificate is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

EndDateRelative string

One of end_date or end_date_relative must be set. The maximum duration is determined by Azure AD.

KeyId string

A UUID used to uniquely identify this certificate. If not specified a UUID will be automatically generated. Changing this field forces a new resource to be created.

StartDate string

Type string

The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.

servicePrincipalId String

The ID of the service principal for which this certificate should be created. Changing this field forces a new resource to be created.

value String

The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER. See also the encoding argument.

encoding String

Specifies the encoding used for the supplied certificate data. Must be one of pem, base64 or hex. Defaults to pem.

Tip for Azure Key Vault The hex encoding option is useful for consuming certificate data from the azurerm_key_vault_certificate resource.

endDate String

The end date until which the certificate is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

endDateRelative String

One of end_date or end_date_relative must be set. The maximum duration is determined by Azure AD.

keyId String

A UUID used to uniquely identify this certificate. If not specified a UUID will be automatically generated. Changing this field forces a new resource to be created.

startDate String

type String

The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.

servicePrincipalId string

The ID of the service principal for which this certificate should be created. Changing this field forces a new resource to be created.

value string

The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER. See also the encoding argument.

encoding string

Specifies the encoding used for the supplied certificate data. Must be one of pem, base64 or hex. Defaults to pem.

Tip for Azure Key Vault The hex encoding option is useful for consuming certificate data from the azurerm_key_vault_certificate resource.

endDate string

The end date until which the certificate is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

endDateRelative string

One of end_date or end_date_relative must be set. The maximum duration is determined by Azure AD.

keyId string

A UUID used to uniquely identify this certificate. If not specified a UUID will be automatically generated. Changing this field forces a new resource to be created.

startDate string

type string

The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.

service_principal_id str

The ID of the service principal for which this certificate should be created. Changing this field forces a new resource to be created.

value str

The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER. See also the encoding argument.

encoding str

Specifies the encoding used for the supplied certificate data. Must be one of pem, base64 or hex. Defaults to pem.

Tip for Azure Key Vault The hex encoding option is useful for consuming certificate data from the azurerm_key_vault_certificate resource.

end_date str

The end date until which the certificate is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

end_date_relative str

One of end_date or end_date_relative must be set. The maximum duration is determined by Azure AD.

key_id str

A UUID used to uniquely identify this certificate. If not specified a UUID will be automatically generated. Changing this field forces a new resource to be created.

start_date str

type str

The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.

servicePrincipalId String

The ID of the service principal for which this certificate should be created. Changing this field forces a new resource to be created.

value String

The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER. See also the encoding argument.

encoding String

Specifies the encoding used for the supplied certificate data. Must be one of pem, base64 or hex. Defaults to pem.

Tip for Azure Key Vault The hex encoding option is useful for consuming certificate data from the azurerm_key_vault_certificate resource.

endDate String

The end date until which the certificate is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

endDateRelative String

One of end_date or end_date_relative must be set. The maximum duration is determined by Azure AD.

keyId String

A UUID used to uniquely identify this certificate. If not specified a UUID will be automatically generated. Changing this field forces a new resource to be created.

startDate String

type String

The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.

Outputs

All input properties are implicitly available as output properties. Additionally, the ServicePrincipalCertificate resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing ServicePrincipalCertificate Resource

Get an existing ServicePrincipalCertificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ServicePrincipalCertificateState, opts?: CustomResourceOptions): ServicePrincipalCertificate

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        encoding: Optional[str] = None,
        end_date: Optional[str] = None,
        end_date_relative: Optional[str] = None,
        key_id: Optional[str] = None,
        service_principal_id: Optional[str] = None,
        start_date: Optional[str] = None,
        type: Optional[str] = None,
        value: Optional[str] = None) -> ServicePrincipalCertificate

func GetServicePrincipalCertificate(ctx *Context, name string, id IDInput, state *ServicePrincipalCertificateState, opts ...ResourceOption) (*ServicePrincipalCertificate, error)

public static ServicePrincipalCertificate Get(string name, Input<string> id, ServicePrincipalCertificateState? state, CustomResourceOptions? opts = null)

public static ServicePrincipalCertificate get(String name, Output<String> id, ServicePrincipalCertificateState state, CustomResourceOptions options)

resources:  _:    type: azuread:ServicePrincipalCertificate    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Encoding string

Specifies the encoding used for the supplied certificate data. Must be one of pem, base64 or hex. Defaults to pem.

Tip for Azure Key Vault The hex encoding option is useful for consuming certificate data from the azurerm_key_vault_certificate resource.

EndDate string

The end date until which the certificate is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

EndDateRelative string

One of end_date or end_date_relative must be set. The maximum duration is determined by Azure AD.

KeyId string

A UUID used to uniquely identify this certificate. If not specified a UUID will be automatically generated. Changing this field forces a new resource to be created.

ServicePrincipalId string

The ID of the service principal for which this certificate should be created. Changing this field forces a new resource to be created.

StartDate string

Type string

The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.

Value string

The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER. See also the encoding argument.

Encoding string

Specifies the encoding used for the supplied certificate data. Must be one of pem, base64 or hex. Defaults to pem.

Tip for Azure Key Vault The hex encoding option is useful for consuming certificate data from the azurerm_key_vault_certificate resource.

EndDate string

The end date until which the certificate is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

EndDateRelative string

One of end_date or end_date_relative must be set. The maximum duration is determined by Azure AD.

KeyId string

A UUID used to uniquely identify this certificate. If not specified a UUID will be automatically generated. Changing this field forces a new resource to be created.

ServicePrincipalId string

The ID of the service principal for which this certificate should be created. Changing this field forces a new resource to be created.

StartDate string

Type string

The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.

Value string

The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER. See also the encoding argument.

encoding String

Specifies the encoding used for the supplied certificate data. Must be one of pem, base64 or hex. Defaults to pem.

Tip for Azure Key Vault The hex encoding option is useful for consuming certificate data from the azurerm_key_vault_certificate resource.

endDate String

The end date until which the certificate is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

endDateRelative String

One of end_date or end_date_relative must be set. The maximum duration is determined by Azure AD.

keyId String

A UUID used to uniquely identify this certificate. If not specified a UUID will be automatically generated. Changing this field forces a new resource to be created.

servicePrincipalId String

The ID of the service principal for which this certificate should be created. Changing this field forces a new resource to be created.

startDate String

type String

The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.

value String

The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER. See also the encoding argument.

encoding string

Specifies the encoding used for the supplied certificate data. Must be one of pem, base64 or hex. Defaults to pem.

Tip for Azure Key Vault The hex encoding option is useful for consuming certificate data from the azurerm_key_vault_certificate resource.

endDate string

The end date until which the certificate is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

endDateRelative string

One of end_date or end_date_relative must be set. The maximum duration is determined by Azure AD.

keyId string

A UUID used to uniquely identify this certificate. If not specified a UUID will be automatically generated. Changing this field forces a new resource to be created.

servicePrincipalId string

The ID of the service principal for which this certificate should be created. Changing this field forces a new resource to be created.

startDate string

type string

The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.

value string

The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER. See also the encoding argument.

encoding str

Specifies the encoding used for the supplied certificate data. Must be one of pem, base64 or hex. Defaults to pem.

Tip for Azure Key Vault The hex encoding option is useful for consuming certificate data from the azurerm_key_vault_certificate resource.

end_date str

The end date until which the certificate is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

end_date_relative str

One of end_date or end_date_relative must be set. The maximum duration is determined by Azure AD.

key_id str

A UUID used to uniquely identify this certificate. If not specified a UUID will be automatically generated. Changing this field forces a new resource to be created.

service_principal_id str

The ID of the service principal for which this certificate should be created. Changing this field forces a new resource to be created.

start_date str

type str

The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.

value str

The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER. See also the encoding argument.

encoding String

Specifies the encoding used for the supplied certificate data. Must be one of pem, base64 or hex. Defaults to pem.

Tip for Azure Key Vault The hex encoding option is useful for consuming certificate data from the azurerm_key_vault_certificate resource.

endDate String

The end date until which the certificate is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

endDateRelative String

One of end_date or end_date_relative must be set. The maximum duration is determined by Azure AD.

keyId String

A UUID used to uniquely identify this certificate. If not specified a UUID will be automatically generated. Changing this field forces a new resource to be created.

servicePrincipalId String

The ID of the service principal for which this certificate should be created. Changing this field forces a new resource to be created.

startDate String

type String

The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.

value String

The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER. See also the encoding argument.

Import

Certificates can be imported using the object ID of the associated service principal and the key ID of the certificate credential, e.g.

$ pulumi import azuread:index/servicePrincipalCertificate:ServicePrincipalCertificate example 00000000-0000-0000-0000-000000000000/certificate/11111111-1111-1111-1111-111111111111

-> This ID format is unique to Terraform and is composed of the service principal’s object ID, the string “certificate” and the certificate’s key ID in the format {ServicePrincipalObjectId}/certificate/{CertificateKeyId}.

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Azure Active Directory (Azure AD) pulumi/pulumi-azuread
License: Apache-2.0
Notes: This Pulumi package is based on the azuread Terraform Provider.

Azure Active Directory (Azure AD) v6.4.0 published on Monday, Apr 7, 2025 by Pulumi

pulumi/pulumi-azuread

azuread.ServicePrincipalCertificate

On this page

On this page

Example Usage

Create ServicePrincipalCertificate Resource

Constructor syntax

Parameters

Constructor example

ServicePrincipalCertificate Resource Properties

Inputs

Outputs

Look up Existing ServicePrincipalCertificate Resource

Import

Package Details

On this page

On this page