Microsoft.KeyVault vaults/accessPolicies 2019-09-01

Bicep resource definition

The vaults/accessPolicies resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
  parent: resourceSymbolicName
  name: 'string'
  properties: {
    accessPolicies: [
      {
        applicationId: 'string'
        objectId: 'string'
        permissions: {
          certificates: [
            'string'
          ]
          keys: [
            'string'
          ]
          secrets: [
            'string'
          ]
          storage: [
            'string'
          ]
        }
        tenantId: 'string'
      }
    ]
  }
}

Property values

AccessPolicyEntry

Name Description Value
applicationId Application ID of the client making request on behalf of a principal string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
objectId The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. string (required)
permissions Permissions the identity has for keys, secrets and certificates. Permissions (required)
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required)

Microsoft.KeyVault/vaults/accessPolicies

Name Description Value
name The resource name 'add'
'remove'
'replace' (required)
parent In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource.

For more information, see Child resource outside parent resource.
Symbolic name for resource of type: vaults
properties Properties of the access policy VaultAccessPolicyProperties (required)

Permissions

Name Description Value
certificates Permissions to certificates String array containing any of:
'all'
'backup'
'create'
'delete'
'deleteissuers'
'get'
'getissuers'
'import'
'list'
'listissuers'
'managecontacts'
'manageissuers'
'purge'
'recover'
'restore'
'setissuers'
'update'
keys Permissions to keys String array containing any of:
'all'
'backup'
'create'
'decrypt'
'delete'
'encrypt'
'get'
'import'
'list'
'purge'
'recover'
'restore'
'sign'
'unwrapKey'
'update'
'verify'
'wrapKey'
secrets Permissions to secrets String array containing any of:
'all'
'backup'
'delete'
'get'
'list'
'purge'
'recover'
'restore'
'set'
storage Permissions to storage accounts String array containing any of:
'all'
'backup'
'delete'
'deletesas'
'get'
'getsas'
'list'
'listsas'
'purge'
'recover'
'regeneratekey'
'restore'
'set'
'setsas'
'update'

VaultAccessPolicyProperties

Name Description Value
accessPolicies An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. AccessPolicyEntry[] (required)

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
Deploy an Azure Databricks Workspace with all 3 forms of CMK This template allows you to create an Azure Databricks workspace with managed services and CMK with DBFS encryption.
Deploy an Azure Databricks Workspace with Managed Disks CMK This template allows you to create an Azure Databricks workspace with Managed Disks CMK.
Deploy an Azure Databricks WS with CMK for DBFS encryption This template allows you to create an Azure Databricks workspace with CMK for DBFS root encryption
Deploy Azure Databricks Workspace with Managed Services CMK This template allows you to create an Azure Databricks workspace with Managed Services CMK.
FinOps hub This template creates a new FinOps hub instance, including Data Lake storage and a Data Factory.

ARM template resource definition

The vaults/accessPolicies resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following JSON to your template.

{
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "apiVersion": "2019-09-01",
  "name": "string",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": "string",
        "objectId": "string",
        "permissions": {
          "certificates": [ "string" ],
          "keys": [ "string" ],
          "secrets": [ "string" ],
          "storage": [ "string" ]
        },
        "tenantId": "string"
      }
    ]
  }
}

Property values

AccessPolicyEntry

Name Description Value
applicationId Application ID of the client making request on behalf of a principal string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
objectId The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. string (required)
permissions Permissions the identity has for keys, secrets and certificates. Permissions (required)
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required)

Microsoft.KeyVault/vaults/accessPolicies

Name Description Value
apiVersion The api version '2019-09-01'
name The resource name 'add'
'remove'
'replace' (required)
properties Properties of the access policy VaultAccessPolicyProperties (required)
type The resource type 'Microsoft.KeyVault/vaults/accessPolicies'

Permissions

Name Description Value
certificates Permissions to certificates String array containing any of:
'all'
'backup'
'create'
'delete'
'deleteissuers'
'get'
'getissuers'
'import'
'list'
'listissuers'
'managecontacts'
'manageissuers'
'purge'
'recover'
'restore'
'setissuers'
'update'
keys Permissions to keys String array containing any of:
'all'
'backup'
'create'
'decrypt'
'delete'
'encrypt'
'get'
'import'
'list'
'purge'
'recover'
'restore'
'sign'
'unwrapKey'
'update'
'verify'
'wrapKey'
secrets Permissions to secrets String array containing any of:
'all'
'backup'
'delete'
'get'
'list'
'purge'
'recover'
'restore'
'set'
storage Permissions to storage accounts String array containing any of:
'all'
'backup'
'delete'
'deletesas'
'get'
'getsas'
'list'
'listsas'
'purge'
'recover'
'regeneratekey'
'restore'
'set'
'setsas'
'update'

VaultAccessPolicyProperties

Name Description Value
accessPolicies An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. AccessPolicyEntry[] (required)

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Add KeyVault Access Policy

Deploy to Azure
Add an access policy to an existing KeyVault without removing existing policies.
AzureDatabricks Template with Default Storage Firewall

Deploy to Azure
This template allows you to create an Default Storage Firewall enabled Azure Databricks workspace with Privateendpoint, all three forms of CMK, and User-Assigned Access Connector.
Create an Azure SQL Server, with data encryption protector

Deploy to Azure
This template creates an Azure SQL server, activates the data encryption protector using a given key stored in a given Key Vault
Deploy an Azure Databricks Workspace with all 3 forms of CMK

Deploy to Azure
This template allows you to create an Azure Databricks workspace with managed services and CMK with DBFS encryption.
Deploy an Azure Databricks Workspace with Managed Disks CMK

Deploy to Azure
This template allows you to create an Azure Databricks workspace with Managed Disks CMK.
Deploy an Azure Databricks Workspace with PE,CMK all forms

Deploy to Azure
This template allows you to create an Azure Databricks workspace with PrivateEndpoint and managed services and CMK with DBFS encryption.
Deploy an Azure Databricks WS with CMK for DBFS encryption

Deploy to Azure
This template allows you to create an Azure Databricks workspace with CMK for DBFS root encryption
Deploy Azure Databricks Workspace with Managed Services CMK

Deploy to Azure
This template allows you to create an Azure Databricks workspace with Managed Services CMK.
Deploy Data Lake Store account with encryption(Key Vault)

Deploy to Azure
This template allows you to deploy an Azure Data Lake Store account with data encryption enabled. This account uses Azure Key Vault to manage the encryption key.
FinOps hub

Deploy to Azure
This template creates a new FinOps hub instance, including Data Lake storage and a Data Factory.
User assigned identity role assignment template

Deploy to Azure
A template that creates role assignments of user assigned identity on resources that Azure Machine Learning workspace depends on

Terraform (AzAPI provider) resource definition

The vaults/accessPolicies resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.KeyVault/vaults/accessPolicies@2019-09-01"
  name = "string"
  body = jsonencode({
    properties = {
      accessPolicies = [
        {
          applicationId = "string"
          objectId = "string"
          permissions = {
            certificates = [
              "string"
            ]
            keys = [
              "string"
            ]
            secrets = [
              "string"
            ]
            storage = [
              "string"
            ]
          }
          tenantId = "string"
        }
      ]
    }
  })
}

Property values

AccessPolicyEntry

Name Description Value
applicationId Application ID of the client making request on behalf of a principal string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
objectId The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. string (required)
permissions Permissions the identity has for keys, secrets and certificates. Permissions (required)
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required)

Microsoft.KeyVault/vaults/accessPolicies

Name Description Value
name The resource name 'add'
'remove'
'replace' (required)
parent_id The ID of the resource that is the parent for this resource. ID for resource of type: vaults
properties Properties of the access policy VaultAccessPolicyProperties (required)
type The resource type "Microsoft.KeyVault/vaults/accessPolicies@2019-09-01"

Permissions

Name Description Value
certificates Permissions to certificates String array containing any of:
'all'
'backup'
'create'
'delete'
'deleteissuers'
'get'
'getissuers'
'import'
'list'
'listissuers'
'managecontacts'
'manageissuers'
'purge'
'recover'
'restore'
'setissuers'
'update'
keys Permissions to keys String array containing any of:
'all'
'backup'
'create'
'decrypt'
'delete'
'encrypt'
'get'
'import'
'list'
'purge'
'recover'
'restore'
'sign'
'unwrapKey'
'update'
'verify'
'wrapKey'
secrets Permissions to secrets String array containing any of:
'all'
'backup'
'delete'
'get'
'list'
'purge'
'recover'
'restore'
'set'
storage Permissions to storage accounts String array containing any of:
'all'
'backup'
'delete'
'deletesas'
'get'
'getsas'
'list'
'listsas'
'purge'
'recover'
'regeneratekey'
'restore'
'set'
'setsas'
'update'

VaultAccessPolicyProperties

Name Description Value
accessPolicies An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. AccessPolicyEntry[] (required)