Microsoft.KeyVault vaults/accessPolicies 2021-04-01-preview
Bicep resource definition
The vaults/accessPolicies resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.KeyVault/vaults/accessPolicies@2021-04-01-preview' = {
parent: resourceSymbolicName
name: 'string'
properties: {
accessPolicies: [
{
applicationId: 'string'
objectId: 'string'
permissions: {
certificates: [
'string'
]
keys: [
'string'
]
secrets: [
'string'
]
storage: [
'string'
]
}
tenantId: 'string'
}
]
}
}
Property values
AccessPolicyEntry
Name | Description | Value |
---|---|---|
applicationId | Application ID of the client making request on behalf of a principal | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string (required) |
permissions | Permissions the identity has for keys, secrets and certificates. | Permissions (required) |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
Microsoft.KeyVault/vaults/accessPolicies
Name | Description | Value |
---|---|---|
name | The resource name | 'add' 'remove' 'replace' (required) |
parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. |
Symbolic name for resource of type: vaults |
properties | Properties of the access policy | VaultAccessPolicyProperties (required) |
Permissions
Name | Description | Value |
---|---|---|
certificates | Permissions to certificates | String array containing any of: 'backup' 'create' 'delete' 'deleteissuers' 'get' 'getissuers' 'import' 'list' 'listissuers' 'managecontacts' 'manageissuers' 'purge' 'recover' 'restore' 'setissuers' 'update' |
keys | Permissions to keys | String array containing any of: 'backup' 'create' 'decrypt' 'delete' 'encrypt' 'get' 'import' 'list' 'purge' 'recover' 'release' 'restore' 'sign' 'unwrapKey' 'update' 'verify' 'wrapKey' |
secrets | Permissions to secrets | String array containing any of: 'backup' 'delete' 'get' 'list' 'purge' 'recover' 'restore' 'set' |
storage | Permissions to storage accounts | String array containing any of: 'backup' 'delete' 'deletesas' 'get' 'getsas' 'list' 'listsas' 'purge' 'recover' 'regeneratekey' 'restore' 'set' 'setsas' 'update' |
VaultAccessPolicyProperties
Name | Description | Value |
---|---|---|
accessPolicies | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. | AccessPolicyEntry[] (required) |
Quickstart samples
The following quickstart samples deploy this resource type.
Bicep File | Description |
---|---|
Deploy an Azure Databricks Workspace with all 3 forms of CMK | This template allows you to create an Azure Databricks workspace with managed services and CMK with DBFS encryption. |
Deploy an Azure Databricks Workspace with Managed Disks CMK | This template allows you to create an Azure Databricks workspace with Managed Disks CMK. |
Deploy an Azure Databricks WS with CMK for DBFS encryption | This template allows you to create an Azure Databricks workspace with CMK for DBFS root encryption |
Deploy Azure Databricks Workspace with Managed Services CMK | This template allows you to create an Azure Databricks workspace with Managed Services CMK. |
FinOps hub | This template creates a new FinOps hub instance, including Data Lake storage and a Data Factory. |
ARM template resource definition
The vaults/accessPolicies resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following JSON to your template.
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"apiVersion": "2021-04-01-preview",
"name": "string",
"properties": {
"accessPolicies": [
{
"applicationId": "string",
"objectId": "string",
"permissions": {
"certificates": [ "string" ],
"keys": [ "string" ],
"secrets": [ "string" ],
"storage": [ "string" ]
},
"tenantId": "string"
}
]
}
}
Property values
AccessPolicyEntry
Name | Description | Value |
---|---|---|
applicationId | Application ID of the client making request on behalf of a principal | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string (required) |
permissions | Permissions the identity has for keys, secrets and certificates. | Permissions (required) |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
Microsoft.KeyVault/vaults/accessPolicies
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2021-04-01-preview' |
name | The resource name | 'add' 'remove' 'replace' (required) |
properties | Properties of the access policy | VaultAccessPolicyProperties (required) |
type | The resource type | 'Microsoft.KeyVault/vaults/accessPolicies' |
Permissions
Name | Description | Value |
---|---|---|
certificates | Permissions to certificates | String array containing any of: 'backup' 'create' 'delete' 'deleteissuers' 'get' 'getissuers' 'import' 'list' 'listissuers' 'managecontacts' 'manageissuers' 'purge' 'recover' 'restore' 'setissuers' 'update' |
keys | Permissions to keys | String array containing any of: 'backup' 'create' 'decrypt' 'delete' 'encrypt' 'get' 'import' 'list' 'purge' 'recover' 'release' 'restore' 'sign' 'unwrapKey' 'update' 'verify' 'wrapKey' |
secrets | Permissions to secrets | String array containing any of: 'backup' 'delete' 'get' 'list' 'purge' 'recover' 'restore' 'set' |
storage | Permissions to storage accounts | String array containing any of: 'backup' 'delete' 'deletesas' 'get' 'getsas' 'list' 'listsas' 'purge' 'recover' 'regeneratekey' 'restore' 'set' 'setsas' 'update' |
VaultAccessPolicyProperties
Name | Description | Value |
---|---|---|
accessPolicies | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. | AccessPolicyEntry[] (required) |
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
Add KeyVault Access Policy |
Add an access policy to an existing KeyVault without removing existing policies. |
AzureDatabricks Template with Default Storage Firewall |
This template allows you to create an Default Storage Firewall enabled Azure Databricks workspace with Privateendpoint, all three forms of CMK, and User-Assigned Access Connector. |
Create an Azure SQL Server, with data encryption protector |
This template creates an Azure SQL server, activates the data encryption protector using a given key stored in a given Key Vault |
Deploy an Azure Databricks Workspace with all 3 forms of CMK |
This template allows you to create an Azure Databricks workspace with managed services and CMK with DBFS encryption. |
Deploy an Azure Databricks Workspace with Managed Disks CMK |
This template allows you to create an Azure Databricks workspace with Managed Disks CMK. |
Deploy an Azure Databricks Workspace with PE,CMK all forms |
This template allows you to create an Azure Databricks workspace with PrivateEndpoint and managed services and CMK with DBFS encryption. |
Deploy an Azure Databricks WS with CMK for DBFS encryption |
This template allows you to create an Azure Databricks workspace with CMK for DBFS root encryption |
Deploy Azure Databricks Workspace with Managed Services CMK |
This template allows you to create an Azure Databricks workspace with Managed Services CMK. |
Deploy Data Lake Store account with encryption(Key Vault) |
This template allows you to deploy an Azure Data Lake Store account with data encryption enabled. This account uses Azure Key Vault to manage the encryption key. |
FinOps hub |
This template creates a new FinOps hub instance, including Data Lake storage and a Data Factory. |
User assigned identity role assignment template |
A template that creates role assignments of user assigned identity on resources that Azure Machine Learning workspace depends on |
Terraform (AzAPI provider) resource definition
The vaults/accessPolicies resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/accessPolicies resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.KeyVault/vaults/accessPolicies@2021-04-01-preview"
name = "string"
body = jsonencode({
properties = {
accessPolicies = [
{
applicationId = "string"
objectId = "string"
permissions = {
certificates = [
"string"
]
keys = [
"string"
]
secrets = [
"string"
]
storage = [
"string"
]
}
tenantId = "string"
}
]
}
})
}
Property values
AccessPolicyEntry
Name | Description | Value |
---|---|---|
applicationId | Application ID of the client making request on behalf of a principal | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string (required) |
permissions | Permissions the identity has for keys, secrets and certificates. | Permissions (required) |
tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ (required) |
Microsoft.KeyVault/vaults/accessPolicies
Name | Description | Value |
---|---|---|
name | The resource name | 'add' 'remove' 'replace' (required) |
parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: vaults |
properties | Properties of the access policy | VaultAccessPolicyProperties (required) |
type | The resource type | "Microsoft.KeyVault/vaults/accessPolicies@2021-04-01-preview" |
Permissions
Name | Description | Value |
---|---|---|
certificates | Permissions to certificates | String array containing any of: 'backup' 'create' 'delete' 'deleteissuers' 'get' 'getissuers' 'import' 'list' 'listissuers' 'managecontacts' 'manageissuers' 'purge' 'recover' 'restore' 'setissuers' 'update' |
keys | Permissions to keys | String array containing any of: 'backup' 'create' 'decrypt' 'delete' 'encrypt' 'get' 'import' 'list' 'purge' 'recover' 'release' 'restore' 'sign' 'unwrapKey' 'update' 'verify' 'wrapKey' |
secrets | Permissions to secrets | String array containing any of: 'backup' 'delete' 'get' 'list' 'purge' 'recover' 'restore' 'set' |
storage | Permissions to storage accounts | String array containing any of: 'backup' 'delete' 'deletesas' 'get' 'getsas' 'list' 'listsas' 'purge' 'recover' 'regeneratekey' 'restore' 'set' 'setsas' 'update' |
VaultAccessPolicyProperties
Name | Description | Value |
---|---|---|
accessPolicies | An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. | AccessPolicyEntry[] (required) |