Microsoft.KeyVault vaults 2021-10-01
Remarks
For guidance on using key vaults for secure values, see Manage secrets by using Bicep.
For a quickstart on creating a secret, see Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template.
For a quickstart on creating a key, see Quickstart: Create an Azure key vault and a key by using ARM template.
Bicep resource definition
The vaults resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.KeyVault/vaults@2021-10-01' = {
location: 'string'
name: 'string'
properties: {
accessPolicies: [
{
applicationId: 'string'
objectId: 'string'
permissions: {
certificates: [
'string'
]
keys: [
'string'
]
secrets: [
'string'
]
storage: [
'string'
]
}
tenantId: 'string'
}
]
createMode: 'string'
enabledForDeployment: bool
enabledForDiskEncryption: bool
enabledForTemplateDeployment: bool
enablePurgeProtection: bool
enableRbacAuthorization: bool
enableSoftDelete: bool
networkAcls: {
bypass: 'string'
defaultAction: 'string'
ipRules: [
{
value: 'string'
}
]
virtualNetworkRules: [
{
id: 'string'
ignoreMissingVnetServiceEndpoint: bool
}
]
}
provisioningState: 'string'
publicNetworkAccess: 'string'
sku: {
family: 'string'
name: 'string'
}
softDeleteRetentionInDays: int
tenantId: 'string'
vaultUri: 'string'
}
tags: {
{customized property}: 'string'
}
}
Property values
AccessPolicyEntry
Name | Description | Value |
---|---|---|
applicationId | Application ID of the client making request on behalf of a principal | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string (required) |
permissions | Permissions the identity has for keys, secrets and certificates. | Permissions (required) |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
IPRule
Name | Description | Value |
---|---|---|
value | An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). | string (required) |
Microsoft.KeyVault/vaults
Name | Description | Value |
---|---|---|
location | The supported Azure location where the key vault should be created. | string (required) |
name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9-]{3,24}$ (required) |
properties | Properties of the vault | VaultProperties (required) |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
NetworkRuleSet
Name | Description | Value |
---|---|---|
bypass | Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. | 'AzureServices' 'None' |
defaultAction | The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. | 'Allow' 'Deny' |
ipRules | The list of IP address rules. | IPRule[] |
virtualNetworkRules | The list of virtual network rules. | VirtualNetworkRule[] |
Permissions
Name | Description | Value |
---|---|---|
certificates | Permissions to certificates | String array containing any of: 'all' 'backup' 'create' 'delete' 'deleteissuers' 'get' 'getissuers' 'import' 'list' 'listissuers' 'managecontacts' 'manageissuers' 'purge' 'recover' 'restore' 'setissuers' 'update' |
keys | Permissions to keys | String array containing any of: 'all' 'backup' 'create' 'decrypt' 'delete' 'encrypt' 'get' 'import' 'list' 'purge' 'recover' 'restore' 'sign' 'unwrapKey' 'update' 'verify' 'wrapKey' |
secrets | Permissions to secrets | String array containing any of: 'all' 'backup' 'delete' 'get' 'list' 'purge' 'recover' 'restore' 'set' |
storage | Permissions to storage accounts | String array containing any of: 'all' 'backup' 'delete' 'deletesas' 'get' 'getsas' 'list' 'listsas' 'purge' 'recover' 'regeneratekey' 'restore' 'set' 'setsas' 'update' |
Sku
Name | Description | Value |
---|---|---|
family | SKU family name | 'A' (required) |
name | SKU name to specify whether the key vault is a standard vault or a premium vault. | 'premium' 'standard' (required) |
VaultCreateOrUpdateParametersTags
Name | Description | Value |
---|
VaultProperties
Name | Description | Value |
---|---|---|
accessPolicies | An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When createMode is set to recover , access policies are not required. Otherwise, access policies are required. |
AccessPolicyEntry[] |
createMode | The vault's create mode to indicate whether the vault need to be recovered or not. | 'default' 'recover' |
enabledForDeployment | Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. | bool |
enabledForDiskEncryption | Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | bool |
enabledForTemplateDeployment | Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. | bool |
enablePurgeProtection | Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value. | bool |
enableRbacAuthorization | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | bool |
enableSoftDelete | Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false. | bool |
networkAcls | Rules governing the accessibility of the key vault from specific network locations. | NetworkRuleSet |
provisioningState | Provisioning state of the vault. | 'RegisteringDns' 'Succeeded' |
publicNetworkAccess | Property to specify whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules. | string |
sku | SKU details | Sku (required) |
softDeleteRetentionInDays | softDelete data retention days. It accepts >=7 and <=90. | int |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
vaultUri | The URI of the vault for performing operations on keys and secrets. | string |
VirtualNetworkRule
Name | Description | Value |
---|---|---|
id | Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. | string (required) |
ignoreMissingVnetServiceEndpoint | Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured. | bool |
Quickstart samples
The following quickstart samples deploy this resource type.
Bicep File | Description |
---|---|
AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault |
Application Gateway with internal API Management and Web App | Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App. |
Azure AI Studio basic setup | This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
Azure AI Studio basic setup | This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
Azure AI Studio basic setup | This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
Azure AI Studio Network Restricted | This set of templates demonstrates how to set up Azure AI Studio with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
Azure AI Studio Network Restricted | This set of templates demonstrates how to set up Azure AI Studio with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
Azure AI Studio with Microsoft Entra ID Authentication | This set of templates demonstrates how to set up Azure AI Studio with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage. |
Azure Function app and an HTTP-triggered function | This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key. |
Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
Azure Storage Account Encryption with customer-managed key | This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault. |
Create a Key Vault and a list of secrets | This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters |
Create an AKS compute target with a Private IP address | This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address. |
Create an API Management service with SSL from KeyVault | This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours. |
Create an Azure Key Vault and a secret | This template creates an Azure Key Vault and a secret. |
Create an Azure Key Vault with RBAC and a secret | This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets |
Create an Azure Machine Learning service workspace | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the minimal set of resources you require to get started with Azure Machine Learning. |
Create an Azure Machine Learning service workspace (CMK) | This deployment template specifies how to create an Azure Machine Learning workspace with service-side encryption using your encryption keys. |
Create an Azure Machine Learning service workspace (CMK) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. The example shows how to configure Azure Machine Learning for encryption with a customer-managed encryption key. |
Create an Azure Machine Learning service workspace (legacy) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. |
Create an Azure Machine Learning service workspace (vnet) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. |
Create Application Gateway with Certificates | This template shows how to generate Key Vault self-signed certificates, then reference from Application Gateway. |
Create Key Vault with logging enabled | This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources. |
Create key vault, managed identity, and role assignment | This template creates a key vault, managed identity, and role assignment. |
Creates a Cross-tenant Private Endpoint resource | This template allows you to create Priavate Endpoint resource within the same or cross-tenant environment and add dns zone configuration. |
Creates a Dapr pub-sub servicebus app using Container Apps | Create a Dapr pub-sub servicebus app using Container Apps. |
Deploy Secure Azure AI Studio with a managed virtual network | This template creates a secure Azure AI Studio environment with robust network and identity security restrictions. |
Deploy the Sports Analytics on Azure Architecture | Creates an Azure storage account with ADLS Gen 2 enabled, an Azure Data Factory instance with linked services for the storage account (an the Azure SQL Database if deployed), and an Azure Databricks instance. The AAD identity for the user deploying the template and the managed identity for the ADF instance will be granted the Storage Blob Data Contributor role on the storage account. There are also options to deploy an Azure Key Vault instance, an Azure SQL Database, and an Azure Event Hub (for streaming use cases). When an Azure Key Vault is deployed, the data factory managed identity and the AAD identity for the user deploying the template will be granted the Key Vault Secrets User role. |
FinOps hub | This template creates a new FinOps hub instance, including Data Lake storage and a Data Factory. |
Testing environment for Azure Firewall Premium | This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
ARM template resource definition
The vaults resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults resource, add the following JSON to your template.
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2021-10-01",
"name": "string",
"location": "string",
"properties": {
"accessPolicies": [
{
"applicationId": "string",
"objectId": "string",
"permissions": {
"certificates": [ "string" ],
"keys": [ "string" ],
"secrets": [ "string" ],
"storage": [ "string" ]
},
"tenantId": "string"
}
],
"createMode": "string",
"enabledForDeployment": "bool",
"enabledForDiskEncryption": "bool",
"enabledForTemplateDeployment": "bool",
"enablePurgeProtection": "bool",
"enableRbacAuthorization": "bool",
"enableSoftDelete": "bool",
"networkAcls": {
"bypass": "string",
"defaultAction": "string",
"ipRules": [
{
"value": "string"
}
],
"virtualNetworkRules": [
{
"id": "string",
"ignoreMissingVnetServiceEndpoint": "bool"
}
]
},
"provisioningState": "string",
"publicNetworkAccess": "string",
"sku": {
"family": "string",
"name": "string"
},
"softDeleteRetentionInDays": "int",
"tenantId": "string",
"vaultUri": "string"
},
"tags": {
"{customized property}": "string"
}
}
Property values
AccessPolicyEntry
Name | Description | Value |
---|---|---|
applicationId | Application ID of the client making request on behalf of a principal | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string (required) |
permissions | Permissions the identity has for keys, secrets and certificates. | Permissions (required) |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
IPRule
Name | Description | Value |
---|---|---|
value | An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). | string (required) |
Microsoft.KeyVault/vaults
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2021-10-01' |
location | The supported Azure location where the key vault should be created. | string (required) |
name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9-]{3,24}$ (required) |
properties | Properties of the vault | VaultProperties (required) |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
type | The resource type | 'Microsoft.KeyVault/vaults' |
NetworkRuleSet
Name | Description | Value |
---|---|---|
bypass | Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. | 'AzureServices' 'None' |
defaultAction | The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. | 'Allow' 'Deny' |
ipRules | The list of IP address rules. | IPRule[] |
virtualNetworkRules | The list of virtual network rules. | VirtualNetworkRule[] |
Permissions
Name | Description | Value |
---|---|---|
certificates | Permissions to certificates | String array containing any of: 'all' 'backup' 'create' 'delete' 'deleteissuers' 'get' 'getissuers' 'import' 'list' 'listissuers' 'managecontacts' 'manageissuers' 'purge' 'recover' 'restore' 'setissuers' 'update' |
keys | Permissions to keys | String array containing any of: 'all' 'backup' 'create' 'decrypt' 'delete' 'encrypt' 'get' 'import' 'list' 'purge' 'recover' 'restore' 'sign' 'unwrapKey' 'update' 'verify' 'wrapKey' |
secrets | Permissions to secrets | String array containing any of: 'all' 'backup' 'delete' 'get' 'list' 'purge' 'recover' 'restore' 'set' |
storage | Permissions to storage accounts | String array containing any of: 'all' 'backup' 'delete' 'deletesas' 'get' 'getsas' 'list' 'listsas' 'purge' 'recover' 'regeneratekey' 'restore' 'set' 'setsas' 'update' |
Sku
Name | Description | Value |
---|---|---|
family | SKU family name | 'A' (required) |
name | SKU name to specify whether the key vault is a standard vault or a premium vault. | 'premium' 'standard' (required) |
VaultCreateOrUpdateParametersTags
Name | Description | Value |
---|
VaultProperties
Name | Description | Value |
---|---|---|
accessPolicies | An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When createMode is set to recover , access policies are not required. Otherwise, access policies are required. |
AccessPolicyEntry[] |
createMode | The vault's create mode to indicate whether the vault need to be recovered or not. | 'default' 'recover' |
enabledForDeployment | Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. | bool |
enabledForDiskEncryption | Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | bool |
enabledForTemplateDeployment | Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. | bool |
enablePurgeProtection | Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value. | bool |
enableRbacAuthorization | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | bool |
enableSoftDelete | Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false. | bool |
networkAcls | Rules governing the accessibility of the key vault from specific network locations. | NetworkRuleSet |
provisioningState | Provisioning state of the vault. | 'RegisteringDns' 'Succeeded' |
publicNetworkAccess | Property to specify whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules. | string |
sku | SKU details | Sku (required) |
softDeleteRetentionInDays | softDelete data retention days. It accepts >=7 and <=90. | int |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
vaultUri | The URI of the vault for performing operations on keys and secrets. | string |
VirtualNetworkRule
Name | Description | Value |
---|---|---|
id | Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. | string (required) |
ignoreMissingVnetServiceEndpoint | Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured. | bool |
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
AKS Cluster with a NAT Gateway and an Application Gateway |
This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
AKS cluster with the Application Gateway Ingress Controller |
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault |
App Service Environment with Azure SQL backend |
This template creates an App Service Environment with an Azure SQL backend along with private endpoints along with associated resources typically used in an private/isolated environment. |
Application Gateway with internal API Management and Web App |
Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App. |
Azure AI Studio basic setup |
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
Azure AI Studio basic setup |
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
Azure AI Studio basic setup |
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
Azure AI Studio Network Restricted |
This set of templates demonstrates how to set up Azure AI Studio with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
Azure AI Studio Network Restricted |
This set of templates demonstrates how to set up Azure AI Studio with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
Azure AI Studio with Microsoft Entra ID Authentication |
This set of templates demonstrates how to set up Azure AI Studio with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage. |
Azure Function app and an HTTP-triggered function |
This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key. |
Azure Machine Learning end-to-end secure setup |
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
Azure Machine Learning end-to-end secure setup (legacy) |
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
Azure Machine Learning Workspace |
This template creates a new Azure Machine Learning Workspace, along with an encrypted Storage Account, KeyVault and Applications Insights Logging |
Azure Storage Account Encryption with customer-managed key |
This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault. |
Connect to a Key Vault via private endpoint |
This sample shows how to use configure a virtual network and private DNS zone to access Key Vault via private endpoint. |
Create a Key Vault and a list of secrets |
This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters |
Create a KeyVault |
This module creates a KeyVault resource with apiVersion 2019-09-01. |
Create a new encrypted windows vm from gallery image |
This template creates a new encrypted windows vm using the server 2k12 gallery image. |
Create a Private AKS Cluster with a Public DNS Zone |
This sample shows how to a deploy a private AKS cluster with a Public DNS Zone. |
Create AML workspace with multiple Datasets & Datastores |
This template creates Azure Machine Learning workspace with multiple datasets & datastores. |
Create an AKS compute target with a Private IP address |
This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address. |
Create an API Management service with SSL from KeyVault |
This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours. |
Create an Application Gateway V2 with Key Vault |
This template deploys an Application Gateway V2 in a Virtual Network, a user defined identity, Key Vault, a secret (cert data), and access policy on Key Vault and Application Gateway. |
Create an Azure Key Vault and a secret |
This template creates an Azure Key Vault and a secret. |
Create an Azure Key Vault with RBAC and a secret |
This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets |
Create an Azure Machine Learning service workspace |
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the minimal set of resources you require to get started with Azure Machine Learning. |
Create an Azure Machine Learning service workspace (CMK) |
This deployment template specifies how to create an Azure Machine Learning workspace with service-side encryption using your encryption keys. |
Create an Azure Machine Learning service workspace (CMK) |
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. The example shows how to configure Azure Machine Learning for encryption with a customer-managed encryption key. |
Create an Azure Machine Learning service workspace (legacy) |
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. |
Create an Azure Machine Learning service workspace (vnet) |
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. |
Create and encrypt a new Windows VMSS with jumpbox |
This template allows you to deploy a simple VM Scale Set of Windows VMs using the lastest patched version of serveral Windows versions. This template also deploys a jumpbox with a public IP address in the same virtual network. You can connect to the jumpbox via this public IP address, then connect from there to VMs in the scale set via private IP addresses.This template enables encryption on the VM Scale Set of Windows VMs. |
Create Application Gateway with Certificates |
This template shows how to generate Key Vault self-signed certificates, then reference from Application Gateway. |
Create Key Vault with logging enabled |
This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources. |
Create key vault, managed identity, and role assignment |
This template creates a key vault, managed identity, and role assignment. |
Create new encrypted managed disks win-vm from gallery image |
This template creates a new encrypted managed disks windows vm using the server 2k12 gallery image. |
Creates a Cross-tenant Private Endpoint resource |
This template allows you to create Priavate Endpoint resource within the same or cross-tenant environment and add dns zone configuration. |
Creates a Dapr pub-sub servicebus app using Container Apps |
Create a Dapr pub-sub servicebus app using Container Apps. |
creates an Azure Stack HCI 23H2 cluster |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template, using custom storage IP |
creates an Azure Stack HCI 23H2 cluster |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
creates an Azure Stack HCI 23H2 cluster in Switchless-Dual-link Networking mode |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
creates an Azure Stack HCI 23H2 cluster in Switchless-SingleLink networking mode |
This template creates an Azure Stack HCI 23H2 cluster using an ARM template. |
Deploy Secure Azure AI Studio with a managed virtual network |
This template creates a secure Azure AI Studio environment with robust network and identity security restrictions. |
Deploy the Sports Analytics on Azure Architecture |
Creates an Azure storage account with ADLS Gen 2 enabled, an Azure Data Factory instance with linked services for the storage account (an the Azure SQL Database if deployed), and an Azure Databricks instance. The AAD identity for the user deploying the template and the managed identity for the ADF instance will be granted the Storage Blob Data Contributor role on the storage account. There are also options to deploy an Azure Key Vault instance, an Azure SQL Database, and an Azure Event Hub (for streaming use cases). When an Azure Key Vault is deployed, the data factory managed identity and the AAD identity for the user deploying the template will be granted the Key Vault Secrets User role. |
Enable encryption on a running Windows VM |
This template enables encryption on a running windows vm. |
FinOps hub |
This template creates a new FinOps hub instance, including Data Lake storage and a Data Factory. |
Testing environment for Azure Firewall Premium |
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
This template encrypts a running Windows VMSS |
This template enables encryption on a running Windows VM Scale Set |
upgrades an Azure Stack HCI 22H2 cluster to 23H2 cluster |
This template upgrades an Azure Stack HCI 22H2 cluster to 23H2 cluster using an ARM template. |
Terraform (AzAPI provider) resource definition
The vaults resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.KeyVault/vaults@2021-10-01"
name = "string"
location = "string"
tags = {
{customized property} = "string"
}
body = jsonencode({
properties = {
accessPolicies = [
{
applicationId = "string"
objectId = "string"
permissions = {
certificates = [
"string"
]
keys = [
"string"
]
secrets = [
"string"
]
storage = [
"string"
]
}
tenantId = "string"
}
]
createMode = "string"
enabledForDeployment = bool
enabledForDiskEncryption = bool
enabledForTemplateDeployment = bool
enablePurgeProtection = bool
enableRbacAuthorization = bool
enableSoftDelete = bool
networkAcls = {
bypass = "string"
defaultAction = "string"
ipRules = [
{
value = "string"
}
]
virtualNetworkRules = [
{
id = "string"
ignoreMissingVnetServiceEndpoint = bool
}
]
}
provisioningState = "string"
publicNetworkAccess = "string"
sku = {
family = "string"
name = "string"
}
softDeleteRetentionInDays = int
tenantId = "string"
vaultUri = "string"
}
})
}
Property values
AccessPolicyEntry
Name | Description | Value |
---|---|---|
applicationId | Application ID of the client making request on behalf of a principal | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string (required) |
permissions | Permissions the identity has for keys, secrets and certificates. | Permissions (required) |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
IPRule
Name | Description | Value |
---|---|---|
value | An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). | string (required) |
Microsoft.KeyVault/vaults
Name | Description | Value |
---|---|---|
location | The supported Azure location where the key vault should be created. | string (required) |
name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9-]{3,24}$ (required) |
properties | Properties of the vault | VaultProperties (required) |
tags | Resource tags | Dictionary of tag names and values. |
type | The resource type | "Microsoft.KeyVault/vaults@2021-10-01" |
NetworkRuleSet
Name | Description | Value |
---|---|---|
bypass | Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. | 'AzureServices' 'None' |
defaultAction | The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. | 'Allow' 'Deny' |
ipRules | The list of IP address rules. | IPRule[] |
virtualNetworkRules | The list of virtual network rules. | VirtualNetworkRule[] |
Permissions
Name | Description | Value |
---|---|---|
certificates | Permissions to certificates | String array containing any of: 'all' 'backup' 'create' 'delete' 'deleteissuers' 'get' 'getissuers' 'import' 'list' 'listissuers' 'managecontacts' 'manageissuers' 'purge' 'recover' 'restore' 'setissuers' 'update' |
keys | Permissions to keys | String array containing any of: 'all' 'backup' 'create' 'decrypt' 'delete' 'encrypt' 'get' 'import' 'list' 'purge' 'recover' 'restore' 'sign' 'unwrapKey' 'update' 'verify' 'wrapKey' |
secrets | Permissions to secrets | String array containing any of: 'all' 'backup' 'delete' 'get' 'list' 'purge' 'recover' 'restore' 'set' |
storage | Permissions to storage accounts | String array containing any of: 'all' 'backup' 'delete' 'deletesas' 'get' 'getsas' 'list' 'listsas' 'purge' 'recover' 'regeneratekey' 'restore' 'set' 'setsas' 'update' |
Sku
Name | Description | Value |
---|---|---|
family | SKU family name | 'A' (required) |
name | SKU name to specify whether the key vault is a standard vault or a premium vault. | 'premium' 'standard' (required) |
VaultCreateOrUpdateParametersTags
Name | Description | Value |
---|
VaultProperties
Name | Description | Value |
---|---|---|
accessPolicies | An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When createMode is set to recover , access policies are not required. Otherwise, access policies are required. |
AccessPolicyEntry[] |
createMode | The vault's create mode to indicate whether the vault need to be recovered or not. | 'default' 'recover' |
enabledForDeployment | Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. | bool |
enabledForDiskEncryption | Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | bool |
enabledForTemplateDeployment | Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. | bool |
enablePurgeProtection | Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value. | bool |
enableRbacAuthorization | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | bool |
enableSoftDelete | Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false. | bool |
networkAcls | Rules governing the accessibility of the key vault from specific network locations. | NetworkRuleSet |
provisioningState | Provisioning state of the vault. | 'RegisteringDns' 'Succeeded' |
publicNetworkAccess | Property to specify whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules. | string |
sku | SKU details | Sku (required) |
softDeleteRetentionInDays | softDelete data retention days. It accepts >=7 and <=90. | int |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
vaultUri | The URI of the vault for performing operations on keys and secrets. | string |
VirtualNetworkRule
Name | Description | Value |
---|---|---|
id | Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. | string (required) |
ignoreMissingVnetServiceEndpoint | Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured. | bool |