Microsoft.KeyVault vaults/secrets 2021-10-01

Remarks

For guidance on using key vaults for secure values, see Manage secrets by using Bicep.

For a quickstart on creating a secret, see Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template.

For a quickstart on creating a key, see Quickstart: Create an Azure key vault and a key by using ARM template.

Bicep resource definition

The vaults/secrets resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults/secrets resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.KeyVault/vaults/secrets@2021-10-01' = {
  parent: resourceSymbolicName
  name: 'string'
  properties: {
    attributes: {
      enabled: bool
      exp: int
      nbf: int
    }
    contentType: 'string'
    value: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}

Property values

Microsoft.KeyVault/vaults/secrets

Name Description Value
name The resource name string

Constraints:
Pattern = ^[a-zA-Z0-9-]{1,127}$ (required)
parent In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource.

For more information, see Child resource outside parent resource.
Symbolic name for resource of type: vaults
properties Properties of the secret SecretProperties (required)
tags Resource tags Dictionary of tag names and values. See Tags in templates

SecretAttributes

Name Description Value
enabled Determines whether the object is enabled. bool
exp Expiry date in seconds since 1970-01-01T00:00:00Z. int
nbf Not before date in seconds since 1970-01-01T00:00:00Z. int

SecretCreateOrUpdateParametersTags

Name Description Value

SecretProperties

Name Description Value
attributes The attributes of the secret. SecretAttributes
contentType The content type of the secret. string
value The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. string

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
Application Gateway with internal API Management and Web App Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App.
Azure Function app and an HTTP-triggered function This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key.
Create a Key Vault and a list of secrets This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters
Create an API Management service with SSL from KeyVault This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours.
Create an Azure Key Vault and a secret This template creates an Azure Key Vault and a secret.
Create an Azure Key Vault with RBAC and a secret This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets
FinOps hub This template creates a new FinOps hub instance, including Data Lake storage and a Data Factory.
Testing environment for Azure Firewall Premium This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering

ARM template resource definition

The vaults/secrets resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults/secrets resource, add the following JSON to your template.

{
  "type": "Microsoft.KeyVault/vaults/secrets",
  "apiVersion": "2021-10-01",
  "name": "string",
  "properties": {
    "attributes": {
      "enabled": "bool",
      "exp": "int",
      "nbf": "int"
    },
    "contentType": "string",
    "value": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property values

Microsoft.KeyVault/vaults/secrets

Name Description Value
apiVersion The api version '2021-10-01'
name The resource name string

Constraints:
Pattern = ^[a-zA-Z0-9-]{1,127}$ (required)
properties Properties of the secret SecretProperties (required)
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.KeyVault/vaults/secrets'

SecretAttributes

Name Description Value
enabled Determines whether the object is enabled. bool
exp Expiry date in seconds since 1970-01-01T00:00:00Z. int
nbf Not before date in seconds since 1970-01-01T00:00:00Z. int

SecretCreateOrUpdateParametersTags

Name Description Value

SecretProperties

Name Description Value
attributes The attributes of the secret. SecretAttributes
contentType The content type of the secret. string
value The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. string

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Application Gateway with internal API Management and Web App

Deploy to Azure
Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App.
Azure Function app and an HTTP-triggered function

Deploy to Azure
This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key.
Connect to a Key Vault via private endpoint

Deploy to Azure
This sample shows how to use configure a virtual network and private DNS zone to access Key Vault via private endpoint.
Create a Key Vault and a list of secrets

Deploy to Azure
This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters
Create an API Management service with SSL from KeyVault

Deploy to Azure
This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours.
Create an Application Gateway V2 with Key Vault

Deploy to Azure
This template deploys an Application Gateway V2 in a Virtual Network, a user defined identity, Key Vault, a secret (cert data), and access policy on Key Vault and Application Gateway.
Create an Azure Key Vault and a secret

Deploy to Azure
This template creates an Azure Key Vault and a secret.
Create an Azure Key Vault with RBAC and a secret

Deploy to Azure
This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets
Create Azure Maps SAS token stored in an Azure Key Vault

Deploy to Azure
This template deploys and Azure Maps account and lists a Sas token based on the provided User Assigned identity to be stored in an Azure Key Vault secret.
Create ssh-keys and store in KeyVault

Deploy to Azure
This template uses the deploymentScript resource to generate ssh keys and stores the private key in keyVault.
creates an Azure Stack HCI 23H2 cluster

Deploy to Azure
This template creates an Azure Stack HCI 23H2 cluster using an ARM template, using custom storage IP
creates an Azure Stack HCI 23H2 cluster

Deploy to Azure
This template creates an Azure Stack HCI 23H2 cluster using an ARM template.
creates an Azure Stack HCI 23H2 cluster in Switchless-Dual-link Networking mode

Deploy to Azure
This template creates an Azure Stack HCI 23H2 cluster using an ARM template.
creates an Azure Stack HCI 23H2 cluster in Switchless-SingleLink networking mode

Deploy to Azure
This template creates an Azure Stack HCI 23H2 cluster using an ARM template.
FinOps hub

Deploy to Azure
This template creates a new FinOps hub instance, including Data Lake storage and a Data Factory.
Testing environment for Azure Firewall Premium

Deploy to Azure
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering
upgrades an Azure Stack HCI 22H2 cluster to 23H2 cluster

Deploy to Azure
This template upgrades an Azure Stack HCI 22H2 cluster to 23H2 cluster using an ARM template.

Terraform (AzAPI provider) resource definition

The vaults/secrets resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults/secrets resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.KeyVault/vaults/secrets@2021-10-01"
  name = "string"
  tags = {
    {customized property} = "string"
  }
  body = jsonencode({
    properties = {
      attributes = {
        enabled = bool
        exp = int
        nbf = int
      }
      contentType = "string"
      value = "string"
    }
  })
}

Property values

Microsoft.KeyVault/vaults/secrets

Name Description Value
name The resource name string

Constraints:
Pattern = ^[a-zA-Z0-9-]{1,127}$ (required)
parent_id The ID of the resource that is the parent for this resource. ID for resource of type: vaults
properties Properties of the secret SecretProperties (required)
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.KeyVault/vaults/secrets@2021-10-01"

SecretAttributes

Name Description Value
enabled Determines whether the object is enabled. bool
exp Expiry date in seconds since 1970-01-01T00:00:00Z. int
nbf Not before date in seconds since 1970-01-01T00:00:00Z. int

SecretCreateOrUpdateParametersTags

Name Description Value

SecretProperties

Name Description Value
attributes The attributes of the secret. SecretAttributes
contentType The content type of the secret. string
value The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets. string