Module keyvault

This page documents the language specification for the azure package. If you're looking for help working with the inputs, outputs, or functions of azure resources in a Pulumi program, please see the resource documentation for examples and API reference.

Resources

Resource AccessPolicy

class AccessPolicy extends CustomResource

Manages a Key Vault Access Policy.

NOTE: It’s possible to define Key Vault Access Policies both within the azure.keyvault.KeyVault resource via the accessPolicy block and by using the azure.keyvault.AccessPolicy resource. However it’s not possible to use both methods to manage Access Policies within a KeyVault, since there’ll be conflicts.

NOTE: Azure permits a maximum of 1024 Access Policies per Key Vault - more information can be found in this document.

constructor

new AccessPolicy(name: string, args: AccessPolicyArgs, opts?: pulumi.CustomResourceOptions)

Create an AccessPolicy resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AccessPolicyState, opts?: pulumi.CustomResourceOptions): AccessPolicy

Get an existing AccessPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AccessPolicy

Returns true if the given object is an instance of AccessPolicy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property applicationId

public applicationId: pulumi.Output<string | undefined>;

The object ID of an Application in Azure Active Directory.

property certificatePermissions

public certificatePermissions: pulumi.Output<string[] | undefined>;

List of certificate permissions, must be one or more from the following: backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers and update.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyPermissions

public keyPermissions: pulumi.Output<string[] | undefined>;

List of key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey.

property keyVaultId

public keyVaultId: pulumi.Output<string>;

Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

property objectId

public objectId: pulumi.Output<string>;

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

property secretPermissions

public secretPermissions: pulumi.Output<string[] | undefined>;

List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set.

property storagePermissions

public storagePermissions: pulumi.Output<string[] | undefined>;

List of storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update.

property tenantId

public tenantId: pulumi.Output<string>;

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
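
The following pre-deployment check is an added example, not code from the provider or from this page. It lints a plain-data description of a vault's access policies against the rules documented above: the allowed permission values, the unique objectId, the 1024-policy limit and the inline/standalone conflict. The names lintVaultPlan, PolicySpec, VaultPlan and samplePlan are hypothetical, and treating the documented spelling of each permission as canonical is an assumption.

```typescript
// Added example (not provider code): offline lint for Key Vault access-policy plans.
type PermissionField =
    "certificatePermissions" | "keyPermissions" | "secretPermissions" | "storagePermissions";

// Allowed values copied from the permission lists documented on this page.
const ALLOWED: Record<PermissionField, string[]> = {
    certificatePermissions: ["backup", "create", "delete", "deleteissuers", "get", "getissuers",
        "import", "list", "listissuers", "managecontacts", "manageissuers", "purge", "recover",
        "restore", "setissuers", "update"],
    keyPermissions: ["backup", "create", "decrypt", "delete", "encrypt", "get", "import", "list",
        "purge", "recover", "restore", "sign", "unwrapKey", "update", "verify", "wrapKey"],
    secretPermissions: ["backup", "delete", "get", "list", "purge", "recover", "restore", "set"],
    storagePermissions: ["backup", "delete", "deletesas", "get", "getsas", "list", "listsas",
        "purge", "recover", "regeneratekey", "restore", "set", "setsas", "update"],
};
const FIELDS: PermissionField[] = [
    "certificatePermissions", "keyPermissions", "secretPermissions", "storagePermissions",
];
const MAX_POLICIES_PER_VAULT = 1024; // limit quoted in the NOTE above

// Hypothetical plain-data mirror of AccessPolicyArgs (no Pulumi Input/Output wrappers).
interface PolicySpec {
    tenantId: string;
    objectId: string;
    certificatePermissions?: string[];
    keyPermissions?: string[];
    secretPermissions?: string[];
    storagePermissions?: string[];
}

interface VaultPlan {
    inlinePolicies: PolicySpec[];     // entries of the KeyVault resource's accessPolicy block
    standalonePolicies: PolicySpec[]; // azure.keyvault.AccessPolicy resources for the same vault
}

function lintVaultPlan(plan: VaultPlan): string[] {
    const findings: string[] = [];
    // The two ways of managing policies cannot be combined on one vault.
    if (plan.inlinePolicies.length > 0 && plan.standalonePolicies.length > 0) {
        findings.push("conflict: vault mixes the inline accessPolicy block with AccessPolicy resources");
    }
    const all = plan.inlinePolicies.concat(plan.standalonePolicies);
    if (all.length > MAX_POLICIES_PER_VAULT) {
        findings.push("limit: " + all.length + " policies exceed the maximum of " + MAX_POLICIES_PER_VAULT);
    }
    const seen: Record<string, boolean> = {};
    all.forEach((policy, index) => {
        const label = "policy[" + index + "] objectId=" + policy.objectId;
        // The object ID must be unique in the list; GUIDs are compared case-insensitively.
        const key = policy.objectId.toLowerCase();
        if (seen[key]) {
            findings.push("duplicate: " + label + " is already used by an earlier policy");
        }
        seen[key] = true;
        let granted = 0;
        for (const field of FIELDS) {
            const values = policy[field];
            if (values === undefined) continue;
            if (values.length === 0) {
                findings.push("empty: " + label + " " + field + " is set but lists no permission");
                continue;
            }
            for (const value of values) {
                if (ALLOWED[field].indexOf(value) !== -1) { granted++; continue; }
                // Distinguish a casing slip from a value that is not documented at all.
                const canonical = ALLOWED[field].filter(a => a.toLowerCase() === value.toLowerCase())[0];
                findings.push(canonical
                    ? "case: " + label + " " + field + " \"" + value + "\" should be spelled \"" + canonical + "\""
                    : "unknown: " + label + " " + field + " \"" + value + "\" is not a documented value");
            }
        }
        if (granted === 0) findings.push("no-op: " + label + " grants no documented permission");
    });
    return findings;
}

// Constructed sample input (placeholder GUIDs, not real identities).
function samplePlan(): VaultPlan {
    const tenantId = "00000000-0000-0000-0000-000000000000";
    return {
        inlinePolicies: [
            { tenantId, objectId: "0a0a0a0a-0000-0000-0000-000000000001",
              keyPermissions: ["get", "WrapKey"], secretPermissions: ["get"] },
        ],
        standalonePolicies: [
            { tenantId, objectId: "0A0A0A0A-0000-0000-0000-000000000001",
              secretPermissions: ["get", "read"] },
            { tenantId, objectId: "0b0b0b0b-0000-0000-0000-000000000002",
              storagePermissions: [] },
        ],
    };
}
```

Running lintVaultPlan over the resolved arguments of a stack before deployment catches these mistakes at review time instead of at the Azure API.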

Resource Certifiate

DEPRECATED azure.keyvault.Certifiate has been deprecated in favor of azure.keyvault.Certificate

class Certifiate extends CustomResource

Manages a Key Vault Certificate.

Example Usage

Generating a New Certificate
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const current = azure.core.getClientConfig({});
const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West Europe"});
const exampleKeyVault = new azure.keyvault.KeyVault("exampleKeyVault", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    tenantId: current.then(current => current.tenantId),
    skuName: "standard",
    accessPolicies: [{
        tenantId: current.then(current => current.tenantId),
        objectId: current.then(current => current.objectId),
        certificatePermissions: [
            "create",
            "delete",
            "deleteissuers",
            "get",
            "getissuers",
            "import",
            "list",
            "listissuers",
            "managecontacts",
            "manageissuers",
            "setissuers",
            "update",
        ],
        keyPermissions: [
            "backup",
            "create",
            "decrypt",
            "delete",
            "encrypt",
            "get",
            "import",
            "list",
            "purge",
            "recover",
            "restore",
            "sign",
            "unwrapKey",
            "update",
            "verify",
            "wrapKey",
        ],
        secretPermissions: [
            "backup",
            "delete",
            "get",
            "list",
            "purge",
            "recover",
            "restore",
            "set",
        ],
    }],
    tags: {
        environment: "Production",
    },
});
const exampleCertificate = new azure.keyvault.Certificate("exampleCertificate", {
    keyVaultId: exampleKeyVault.id,
    certificatePolicy: {
        issuerParameters: {
            name: "Self",
        },
        keyProperties: {
            exportable: true,
            keySize: 2048,
            keyType: "RSA",
            reuseKey: true,
        },
        lifetimeActions: [{
            action: {
                actionType: "AutoRenew",
            },
            trigger: {
                daysBeforeExpiry: 30,
            },
        }],
        secretProperties: {
            contentType: "application/x-pkcs12",
        },
        x509CertificateProperties: {
            extendedKeyUsages: ["1.3.6.1.5.5.7.3.1"],
            keyUsages: [
                "cRLSign",
                "dataEncipherment",
                "digitalSignature",
                "keyAgreement",
                "keyCertSign",
                "keyEncipherment",
            ],
            subjectAlternativeNames: {
                dnsNames: [
                    "internal.contoso.com",
                    "domain.hello.world",
                ],
            },
            subject: "CN=hello-world",
            validityInMonths: 12,
        },
    },
});

constructor

DEPRECATED azure.keyvault.Certifiate has been deprecated in favor of azure.keyvault.Certificate

new Certifiate(name: string, args: CertifiateArgs, opts?: pulumi.CustomResourceOptions)

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CertifiateState, opts?: pulumi.CustomResourceOptions): Certifiate

Get an existing Certifiate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Certifiate

Returns true if the given object is an instance of Certifiate. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property certificate

public certificate: pulumi.Output<CertifiateCertificate | undefined>;

A certificate block as defined below, used to Import an existing certificate.

property certificateData

public certificateData: pulumi.Output<string>;

The raw Key Vault Certificate data represented as a hexadecimal string.

property certificatePolicy

public certificatePolicy: pulumi.Output<CertifiateCertificatePolicy>;

A certificatePolicy block as defined below.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyVaultId

public keyVaultId: pulumi.Output<string>;

The ID of the Key Vault where the Certificate should be created.

property name

public name: pulumi.Output<string>;

Specifies the name of the Key Vault Certificate. Changing this forces a new resource to be created.

property secretId

public secretId: pulumi.Output<string>;

The ID of the associated Key Vault Secret.

property tags

public tags: pulumi.Output<{[key: string]: string} | undefined>;

A mapping of tags to assign to the resource.

property thumbprint

public thumbprint: pulumi.Output<string>;

The X509 Thumbprint of the Key Vault Certificate represented as a hexadecimal string.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property version

public version: pulumi.Output<string>;

The current version of the Key Vault Certificate.

Resource Certificate

class Certificate extends CustomResource

Manages a Key Vault Certificate.

Example Usage

Generating a New Certificate
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const current = azure.core.getClientConfig({});
const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West Europe"});
const exampleKeyVault = new azure.keyvault.KeyVault("exampleKeyVault", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    tenantId: current.then(current => current.tenantId),
    skuName: "standard",
    accessPolicies: [{
        tenantId: current.then(current => current.tenantId),
        objectId: current.then(current => current.objectId),
        certificatePermissions: [
            "create",
            "delete",
            "deleteissuers",
            "get",
            "getissuers",
            "import",
            "list",
            "listissuers",
            "managecontacts",
            "manageissuers",
            "setissuers",
            "update",
        ],
        keyPermissions: [
            "backup",
            "create",
            "decrypt",
            "delete",
            "encrypt",
            "get",
            "import",
            "list",
            "purge",
            "recover",
            "restore",
            "sign",
            "unwrapKey",
            "update",
            "verify",
            "wrapKey",
        ],
        secretPermissions: [
            "backup",
            "delete",
            "get",
            "list",
            "purge",
            "recover",
            "restore",
            "set",
        ],
    }],
    tags: {
        environment: "Production",
    },
});
const exampleCertificate = new azure.keyvault.Certificate("exampleCertificate", {
    keyVaultId: exampleKeyVault.id,
    certificatePolicy: {
        issuerParameters: {
            name: "Self",
        },
        keyProperties: {
            exportable: true,
            keySize: 2048,
            keyType: "RSA",
            reuseKey: true,
        },
        lifetimeActions: [{
            action: {
                actionType: "AutoRenew",
            },
            trigger: {
                daysBeforeExpiry: 30,
            },
        }],
        secretProperties: {
            contentType: "application/x-pkcs12",
        },
        x509CertificateProperties: {
            extendedKeyUsages: ["1.3.6.1.5.5.7.3.1"],
            keyUsages: [
                "cRLSign",
                "dataEncipherment",
                "digitalSignature",
                "keyAgreement",
                "keyCertSign",
                "keyEncipherment",
            ],
            subjectAlternativeNames: {
                dnsNames: [
                    "internal.contoso.com",
                    "domain.hello.world",
                ],
            },
            subject: "CN=hello-world",
            validityInMonths: 12,
        },
    },
});

constructor

new Certificate(name: string, args: CertificateArgs, opts?: pulumi.CustomResourceOptions)

Create a Certificate resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CertificateState, opts?: pulumi.CustomResourceOptions): Certificate

Get an existing Certificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Certificate

Returns true if the given object is an instance of Certificate. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property certificate

public certificate: pulumi.Output<CertificateCertificate | undefined>;

A certificate block as defined below, used to Import an existing certificate.

property certificateData

public certificateData: pulumi.Output<string>;

The raw Key Vault Certificate data represented as a hexadecimal string.

property certificatePolicy

public certificatePolicy: pulumi.Output<CertificateCertificatePolicy>;

A certificatePolicy block as defined below.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyVaultId

public keyVaultId: pulumi.Output<string>;

The ID of the Key Vault where the Certificate should be created.

property name

public name: pulumi.Output<string>;

Specifies the name of the Key Vault Certificate. Changing this forces a new resource to be created.

property secretId

public secretId: pulumi.Output<string>;

The ID of the associated Key Vault Secret.

property tags

public tags: pulumi.Output<{[key: string]: string} | undefined>;

A mapping of tags to assign to the resource.

property thumbprint

public thumbprint: pulumi.Output<string>;

The X509 Thumbprint of the Key Vault Certificate represented as a hexadecimal string.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property version

public version: pulumi.Output<string>;

The current version of the Key Vault Certificate.

Resource Key

class Key extends CustomResource

Manages a Key Vault Key.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
import * as random from "@pulumi/random";

const current = azure.core.getClientConfig({});
const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West US"});
const server = new random.RandomId("server", {
    keepers: {
        ami_id: 1,
    },
    byteLength: 8,
});
const exampleKeyVault = new azure.keyvault.KeyVault("exampleKeyVault", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    tenantId: current.then(current => current.tenantId),
    skuName: "premium",
    accessPolicies: [{
        tenantId: current.then(current => current.tenantId),
        objectId: current.then(current => current.objectId),
        keyPermissions: [
            "create",
            "get",
        ],
        secretPermissions: ["set"],
    }],
    tags: {
        environment: "Production",
    },
});
const generated = new azure.keyvault.Key("generated", {
    keyVaultId: exampleKeyVault.id,
    keyType: "RSA",
    keySize: 2048,
    keyOpts: [
        "decrypt",
        "encrypt",
        "sign",
        "unwrapKey",
        "verify",
        "wrapKey",
    ],
});

constructor

new Key(name: string, args: KeyArgs, opts?: pulumi.CustomResourceOptions)

Create a Key resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: KeyState, opts?: pulumi.CustomResourceOptions): Key

Get an existing Key resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Key

Returns true if the given object is an instance of Key. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property curve

public curve: pulumi.Output<string>;

Specifies the curve to use when creating an EC key. Possible values are P-256, P-384, P-521, and SECP256K1. This field will be required in a future release if keyType is EC or EC-HSM. The API will default to P-256 if nothing is specified. Changing this forces a new resource to be created.

property e

public e: pulumi.Output<string>;

The RSA public exponent of this Key Vault Key.

property expirationDate

public expirationDate: pulumi.Output<string | undefined>;

Expiration UTC datetime (Y-m-d’T’H:M:S’Z’).

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyOpts

public keyOpts: pulumi.Output<string[]>;

A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case sensitive.

property keySize

public keySize: pulumi.Output<number | undefined>;

Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if keyType is RSA or RSA-HSM. Changing this forces a new resource to be created.

property keyType

public keyType: pulumi.Output<string>;

Specifies the Key Type to use for this Key Vault Key. Possible values are EC (Elliptic Curve), EC-HSM, Oct (Octet), RSA and RSA-HSM. Changing this forces a new resource to be created.

property keyVaultId

public keyVaultId: pulumi.Output<string>;

The ID of the Key Vault where the Key should be created. Changing this forces a new resource to be created.

property n

public n: pulumi.Output<string>;

The RSA modulus of this Key Vault Key.

property name

public name: pulumi.Output<string>;

Specifies the name of the Key Vault Key. Changing this forces a new resource to be created.

property notBeforeDate

public notBeforeDate: pulumi.Output<string | undefined>;

Key not usable before the provided UTC datetime (Y-m-d’T’H:M:S’Z’).

property tags

public tags: pulumi.Output<{[key: string]: string} | undefined>;

A mapping of tags to assign to the resource.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property version

public version: pulumi.Output<string>;

The current version of the Key Vault Key.

property x

public x: pulumi.Output<string>;

The EC X component of this Key Vault Key.

property y

public y: pulumi.Output<string>;

The EC Y component of this Key Vault Key.

Resource KeyVault

class KeyVault extends CustomResource

Manages a Key Vault.

Disclaimers

Note: It’s possible to define Key Vault Access Policies both within the azure.keyvault.KeyVault resource via the accessPolicy block and by using the azure.keyvault.AccessPolicy resource. However it’s not possible to use both methods to manage Access Policies within a KeyVault, since there’ll be conflicts.

Note: This provider will automatically recover a soft-deleted Key Vault during Creation if one is found - you can opt out of this using the features configuration within the Provider configuration block.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const current = azure.core.getClientConfig({});
const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West US"});
const exampleKeyVault = new azure.keyvault.KeyVault("exampleKeyVault", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    enabledForDiskEncryption: true,
    tenantId: current.then(current => current.tenantId),
    softDeleteEnabled: true,
    purgeProtectionEnabled: false,
    skuName: "standard",
    accessPolicies: [{
        tenantId: current.then(current => current.tenantId),
        objectId: current.then(current => current.objectId),
        keyPermissions: ["get"],
        secretPermissions: ["get"],
        storagePermissions: ["get"],
    }],
    networkAcls: {
        defaultAction: "Deny",
        bypass: "AzureServices",
    },
    tags: {
        environment: "Testing",
    },
});

constructor

new KeyVault(name: string, args: KeyVaultArgs, opts?: pulumi.CustomResourceOptions)

Create a KeyVault resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: KeyVaultState, opts?: pulumi.CustomResourceOptions): KeyVault

Get an existing KeyVault resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is KeyVault

Returns true if the given object is an instance of KeyVault. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accessPolicies

public accessPolicies: pulumi.Output<KeyVaultAccessPolicy[]>;

A list of up to 16 objects describing access policies, as described below.

property enabledForDeployment

public enabledForDeployment: pulumi.Output<boolean | undefined>;

Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.

property enabledForDiskEncryption

public enabledForDiskEncryption: pulumi.Output<boolean | undefined>;

Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.

property enabledForTemplateDeployment

public enabledForTemplateDeployment: pulumi.Output<boolean | undefined>;

Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property location

public location: pulumi.Output<string>;

Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

property name

public name: pulumi.Output<string>;

Specifies the name of the Key Vault. Changing this forces a new resource to be created.

property networkAcls

public networkAcls: pulumi.Output<KeyVaultNetworkAcls>;

A networkAcls block as defined below.

property purgeProtectionEnabled

public purgeProtectionEnabled: pulumi.Output<boolean | undefined>;

Is Purge Protection enabled for this Key Vault? Defaults to false.

property resourceGroupName

public resourceGroupName: pulumi.Output<string>;

The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.

property skuName

public skuName: pulumi.Output<string>;

The Name of the SKU used for this Key Vault. Possible values are standard and premium.

property softDeleteEnabled

public softDeleteEnabled: pulumi.Output<boolean | undefined>;

Should Soft Delete be enabled for this Key Vault? Defaults to false.

property tags

public tags: pulumi.Output<{[key: string]: string} | undefined>;

A mapping of tags to assign to the resource.

property tenantId

public tenantId: pulumi.Output<string>;

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property vaultUri

public vaultUri: pulumi.Output<string>;

The URI of the Key Vault, used for performing operations on keys and secrets.

Resource Secret

class Secret extends CustomResource

Manages a Key Vault Secret.

constructor

new Secret(name: string, args: SecretArgs, opts?: pulumi.CustomResourceOptions)

Create a Secret resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretState, opts?: pulumi.CustomResourceOptions): Secret

Get an existing Secret resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Secret

Returns true if the given object is an instance of Secret. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property contentType

public contentType: pulumi.Output<string | undefined>;

Specifies the content type for the Key Vault Secret.

property expirationDate

public expirationDate: pulumi.Output<string | undefined>;

Expiration UTC datetime (Y-m-d’T’H:M:S’Z’).

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyVaultId

public keyVaultId: pulumi.Output<string>;

The ID of the Key Vault where the Secret should be created.

property name

public name: pulumi.Output<string>;

Specifies the name of the Key Vault Secret. Changing this forces a new resource to be created.

property notBeforeDate

public notBeforeDate: pulumi.Output<string | undefined>;

Key not usable before the provided UTC datetime (Y-m-d’T’H:M:S’Z’).

property tags

public tags: pulumi.Output<{[key: string]: string} | undefined>;

A mapping of tags to assign to the resource.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property value

public value: pulumi.Output<string>;

Specifies the value of the Key Vault Secret.

property version

public version: pulumi.Output<string>;

The current version of the Key Vault Secret.

Functions

Function getAccessPolicy

getAccessPolicy(args: GetAccessPolicyArgs, opts?: pulumi.InvokeOptions): Promise<GetAccessPolicyResult>

Use this data source to access information about the permissions from the Management Key Vault Templates.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const contributor = azure.keyvault.getAccessPolicy({
    name: "Key Management",
});
export const accessPolicyKeyPermissions = contributor.then(contributor => contributor.keyPermissions);

Function getCertificate

getCertificate(args: GetCertificateArgs, opts?: pulumi.InvokeOptions): Promise<GetCertificateResult>

Use this data source to access information about an existing Key Vault Certificate.

Note: All arguments including the secret value will be stored in the raw state as plain-text. Read more about sensitive data in state.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const exampleKeyVault = azure.keyvault.getKeyVault({
    name: "examplekv",
    resourceGroupName: "some-resource-group",
});
const exampleCertificate = exampleKeyVault.then(exampleKeyVault => azure.keyvault.getCertificate({
    name: "secret-sauce",
    keyVaultId: exampleKeyVault.id,
}));
export const certificateThumbprint = exampleCertificate.then(exampleCertificate => exampleCertificate.thumbprint);

Function getKey

getKey(args: GetKeyArgs, opts?: pulumi.InvokeOptions): Promise<GetKeyResult>

Use this data source to access information about an existing Key Vault Key.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

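// Look up the existing vault first (vault name and resource group are placeholders).
const existing = azure.keyvault.getKeyVault({
    name: "mykeyvault",
    resourceGroupName: "some-resource-group",
});
const example = existing.then(existing => azure.keyvault.getKey({
    name: "secret-sauce",
    keyVaultId: existing.id,
}));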
export const keyType = example.then(example => example.keyType);

Function getKeyVault

getKeyVault(args: GetKeyVaultArgs, opts?: pulumi.InvokeOptions): Promise<GetKeyVaultResult>

Use this data source to access information about an existing Key Vault.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const example = azure.keyvault.getKeyVault({
    name: "mykeyvault",
    resourceGroupName: "some-resource-group",
});
export const vaultUri = example.then(example => example.vaultUri);

Function getSecret

getSecret(args: GetSecretArgs, opts?: pulumi.InvokeOptions): Promise<GetSecretResult>

Use this data source to access information about an existing Key Vault Secret.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

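// Look up the existing vault first (vault name and resource group are placeholders).
const existing = azure.keyvault.getKeyVault({
    name: "mykeyvault",
    resourceGroupName: "some-resource-group",
});
const example = existing.then(existing => azure.keyvault.getSecret({
    name: "secret-sauce",
    keyVaultId: existing.id,
}));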
export const secretValue = example.then(example => example.value);

Others

interface AccessPolicyArgs

interface AccessPolicyArgs

The set of arguments for constructing an AccessPolicy resource.

property applicationId

applicationId?: pulumi.Input<string>;

The object ID of an Application in Azure Active Directory.

property certificatePermissions

certificatePermissions?: pulumi.Input<pulumi.Input<string>[]>;

List of certificate permissions, must be one or more from the following: backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers and update.

property keyPermissions

keyPermissions?: pulumi.Input<pulumi.Input<string>[]>;

List of key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey.

property keyVaultId

keyVaultId: pulumi.Input<string>;

Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

property objectId

objectId: pulumi.Input<string>;

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

property secretPermissions

secretPermissions?: pulumi.Input<pulumi.Input<string>[]>;

List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set.

property storagePermissions

storagePermissions?: pulumi.Input<pulumi.Input<string>[]>;

List of storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update.

property tenantId

tenantId: pulumi.Input<string>;

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

interface AccessPolicyState

interface AccessPolicyState

Input properties used for looking up and filtering AccessPolicy resources.

property applicationId

applicationId?: pulumi.Input<string>;

The object ID of an Application in Azure Active Directory.

property certificatePermissions

certificatePermissions?: pulumi.Input<pulumi.Input<string>[]>;

List of certificate permissions, must be one or more from the following: backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers and update.

property keyPermissions

keyPermissions?: pulumi.Input<pulumi.Input<string>[]>;

List of key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey.

property keyVaultId

keyVaultId?: pulumi.Input<string>;

Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

property objectId

objectId?: pulumi.Input<string>;

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

property secretPermissions

secretPermissions?: pulumi.Input<pulumi.Input<string>[]>;

List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set.

property storagePermissions

storagePermissions?: pulumi.Input<pulumi.Input<string>[]>;

List of storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update.

property tenantId

tenantId?: pulumi.Input<string>;

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.
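
The permission lists and the objectId uniqueness rule above can be checked before deployment. The following is an added example, not part of the azure package: it lints plain objects shaped like AccessPolicyArgs with already-resolved values. The names lintAccessPolicies, PolicyInput, Finding and REVIEW are hypothetical, exact-match comparison and the choice to flag purge are assumptions of the example, and the sample IDs are constructed.

```typescript
// Added example: offline lint for AccessPolicyArgs-shaped plain objects.
// Allowed values are copied from the permission lists on this page.
type PermField = "certificatePermissions" | "keyPermissions" | "secretPermissions" | "storagePermissions";

const ALLOWED: Record<PermField, string[]> = {
  certificatePermissions: ["backup", "create", "delete", "deleteissuers", "get", "getissuers", "import", "list",
    "listissuers", "managecontacts", "manageissuers", "purge", "recover", "restore", "setissuers", "update"],
  keyPermissions: ["backup", "create", "decrypt", "delete", "encrypt", "get", "import", "list", "purge",
    "recover", "restore", "sign", "unwrapKey", "update", "verify", "wrapKey"],
  secretPermissions: ["backup", "delete", "get", "list", "purge", "recover", "restore", "set"],
  storagePermissions: ["backup", "delete", "deletesas", "get", "getsas", "list", "listsas", "purge", "recover",
    "regeneratekey", "restore", "set", "setsas", "update"],
};
const FIELDS: PermField[] = ["certificatePermissions", "keyPermissions", "secretPermissions", "storagePermissions"];

// Assumption of this example: grants a reviewer should see called out.
const REVIEW = ["purge"];

interface PolicyInput {
  keyVaultId: string;
  objectId: string;
  certificatePermissions?: string[];
  keyPermissions?: string[];
  secretPermissions?: string[];
  storagePermissions?: string[];
}

interface Finding {
  objectId: string;
  field: string;
  value: string;
  level: "error" | "warn";
  message: string;
}

function lintAccessPolicies(policies: PolicyInput[]): Finding[] {
  const findings: Finding[] = [];
  const seen: { [key: string]: boolean } = {};
  for (const p of policies) {
    // "The object ID must be unique for the list of access policies."
    const key = p.keyVaultId + "|" + p.objectId;
    if (seen[key]) {
      findings.push({ objectId: p.objectId, field: "objectId", value: p.objectId, level: "error",
        message: "duplicate objectId for vault " + p.keyVaultId });
    }
    seen[key] = true;
    for (const field of FIELDS) {
      for (const value of p[field] || []) {
        const exact = ALLOWED[field].indexOf(value) !== -1;
        // On a case mismatch, suggest the spelling the page lists.
        const near = ALLOWED[field].filter((a) => a.toLowerCase() === value.toLowerCase())[0];
        if (!exact) {
          findings.push({ objectId: p.objectId, field, value, level: "error",
            message: near ? "not in the documented list; did you mean " + near + "?" : "not in the documented list" });
        } else if (REVIEW.indexOf(value) !== -1) {
          findings.push({ objectId: p.objectId, field, value, level: "warn",
            message: "grants irreversible deletion; confirm this principal needs it" });
        }
      }
    }
  }
  return findings;
}

// Constructed sample input (vault and object IDs are placeholders).
const SAMPLE_POLICIES: PolicyInput[] = [
  { keyVaultId: "vault-a", objectId: "00000000-0000-0000-0000-000000000001",
    keyPermissions: ["get", "unwrapkey"], secretPermissions: ["get", "list"] },
  { keyVaultId: "vault-a", objectId: "00000000-0000-0000-0000-000000000002",
    secretPermissions: ["get", "purge", "rotate"] },
  { keyVaultId: "vault-a", objectId: "00000000-0000-0000-0000-000000000001",
    certificatePermissions: ["get"] },
];
```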

interface CertifiateArgs

interface CertifiateArgs

The set of arguments for constructing a Certifiate resource.

property certificate

certificate?: pulumi.Input<CertifiateCertificate>;

A certificate block as defined below, used to Import an existing certificate.

property certificatePolicy

certificatePolicy: pulumi.Input<CertifiateCertificatePolicy>;

A certificatePolicy block as defined below.

property keyVaultId

keyVaultId: pulumi.Input<string>;

The ID of the Key Vault where the Certificate should be created.

property name

name?: pulumi.Input<string>;

Specifies the name of the Key Vault Certificate. Changing this forces a new resource to be created.

property tags

tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A mapping of tags to assign to the resource.

interface CertifiateState

interface CertifiateState

Input properties used for looking up and filtering Certifiate resources.

property certificate

certificate?: pulumi.Input<CertifiateCertificate>;

A certificate block as defined below, used to Import an existing certificate.

property certificateData

certificateData?: pulumi.Input<string>;

The raw Key Vault Certificate data represented as a hexadecimal string.

property certificatePolicy

certificatePolicy?: pulumi.Input<CertifiateCertificatePolicy>;

A certificatePolicy block as defined below.

property keyVaultId

keyVaultId?: pulumi.Input<string>;

The ID of the Key Vault where the Certificate should be created.

property name

name?: pulumi.Input<string>;

Specifies the name of the Key Vault Certificate. Changing this forces a new resource to be created.

property secretId

secretId?: pulumi.Input<string>;

The ID of the associated Key Vault Secret.

property tags

tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A mapping of tags to assign to the resource.

property thumbprint

thumbprint?: pulumi.Input<string>;

The X509 Thumbprint of the Key Vault Certificate represented as a hexadecimal string.

property version

version?: pulumi.Input<string>;

The current version of the Key Vault Certificate.

interface CertificateArgs

interface CertificateArgs

The set of arguments for constructing a Certificate resource.

property certificate

certificate?: pulumi.Input<CertificateCertificate>;

A certificate block as defined below, used to Import an existing certificate.

property certificatePolicy

certificatePolicy: pulumi.Input<CertificateCertificatePolicy>;

A certificatePolicy block as defined below.

property keyVaultId

keyVaultId: pulumi.Input<string>;

The ID of the Key Vault where the Certificate should be created.

property name

name?: pulumi.Input<string>;

Specifies the name of the Key Vault Certificate. Changing this forces a new resource to be created.

property tags

tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A mapping of tags to assign to the resource.

interface CertificateState

interface CertificateState

Input properties used for looking up and filtering Certificate resources.

property certificate

certificate?: pulumi.Input<CertificateCertificate>;

A certificate block as defined below, used to Import an existing certificate.

property certificateData

certificateData?: pulumi.Input<string>;

The raw Key Vault Certificate data represented as a hexadecimal string.

property certificatePolicy

certificatePolicy?: pulumi.Input<CertificateCertificatePolicy>;

A certificatePolicy block as defined below.

property keyVaultId

keyVaultId?: pulumi.Input<string>;

The ID of the Key Vault where the Certificate should be created.

property name

name?: pulumi.Input<string>;

Specifies the name of the Key Vault Certificate. Changing this forces a new resource to be created.

property secretId

secretId?: pulumi.Input<string>;

The ID of the associated Key Vault Secret.

property tags

tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A mapping of tags to assign to the resource.

property thumbprint

thumbprint?: pulumi.Input<string>;

The X509 Thumbprint of the Key Vault Certificate represented as a hexadecimal string.

property version

version?: pulumi.Input<string>;

The current version of the Key Vault Certificate.

interface GetAccessPolicyArgs

interface GetAccessPolicyArgs

A collection of arguments for invoking getAccessPolicy.

property name

name: string;

Specifies the name of the Management Template. Possible values are: Key Management; Secret Management; Certificate Management; Key & Secret Management; Key & Certificate Management; Secret & Certificate Management; Key, Secret, & Certificate Management.

interface GetAccessPolicyResult

interface GetAccessPolicyResult

A collection of values returned by getAccessPolicy.

property certificatePermissions

certificatePermissions: string[];

The certificate permissions for the access policy.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property keyPermissions

keyPermissions: string[];

The key permissions for the access policy.

property name

name: string;

property secretPermissions

secretPermissions: string[];

The secret permissions for the access policy.

interface GetCertificateArgs

interface GetCertificateArgs

A collection of arguments for invoking getCertificate.

property keyVaultId

keyVaultId: string;

Specifies the ID of the Key Vault instance where the Certificate resides, available on the azure.keyvault.KeyVault Data Source / Resource.

property name

name: string;

Specifies the name of the Key Vault Certificate.

property version

version?: undefined | string;

Specifies the version of the certificate to look up. Defaults to the latest version.

interface GetCertificateResult

interface GetCertificateResult

A collection of values returned by getCertificate.

property certificateData

certificateData: string;

property certificatePolicies

certificatePolicies: GetCertificateCertificatePolicy[];

A certificatePolicy block as defined below.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property keyVaultId

keyVaultId: string;

property name

name: string;

The name of the Certificate Issuer.

property secretId

secretId: string;

property tags

tags: {[key: string]: string};

A mapping of tags to assign to the resource.

property thumbprint

thumbprint: string;

property version

version: string;

interface GetKeyArgs

interface GetKeyArgs

A collection of arguments for invoking getKey.

property keyVaultId

keyVaultId: string;

Specifies the ID of the Key Vault instance where the Key resides, available on the azure.keyvault.KeyVault Data Source / Resource.

property name

name: string;

Specifies the name of the Key Vault Key.

interface GetKeyResult

interface GetKeyResult

A collection of values returned by getKey.

property e

e: string;

The RSA public exponent of this Key Vault Key.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property keyOpts

keyOpts: string[];

A list of JSON web key operations assigned to this Key Vault Key.

property keySize

keySize: number;

Specifies the Size of this Key Vault Key.

property keyType

keyType: string;

Specifies the Key Type of this Key Vault Key.

property keyVaultId

keyVaultId: string;

property n

n: string;

The RSA modulus of this Key Vault Key.

property name

name: string;

property tags

tags: {[key: string]: string};

A mapping of tags assigned to this Key Vault Key.

property version

version: string;

The current version of the Key Vault Key.

interface GetKeyVaultArgs

interface GetKeyVaultArgs

A collection of arguments for invoking getKeyVault.

property name

name: string;

Specifies the name of the Key Vault.

property resourceGroupName

resourceGroupName: string;

The name of the Resource Group in which the Key Vault exists.

interface GetKeyVaultResult

interface GetKeyVaultResult

A collection of values returned by getKeyVault.

property accessPolicies

accessPolicies: GetKeyVaultAccessPolicy[];

One or more accessPolicy blocks as defined below.

property enabledForDeployment

enabledForDeployment: boolean;

Can Azure Virtual Machines retrieve certificates stored as secrets from the Key Vault?

property enabledForDiskEncryption

enabledForDiskEncryption: boolean;

Can Azure Disk Encryption retrieve secrets from the Key Vault?

property enabledForTemplateDeployment

enabledForTemplateDeployment: boolean;

Can Azure Resource Manager retrieve secrets from the Key Vault?

property id

id: string;

The provider-assigned unique ID for this managed resource.

property location

location: string;

The Azure Region in which the Key Vault exists.

property name

name: string;

property networkAcls

networkAcls: GetKeyVaultNetworkAcl[];

property purgeProtectionEnabled

purgeProtectionEnabled: boolean;

Is purge protection enabled on this Key Vault?

property resourceGroupName

resourceGroupName: string;

property skuName

skuName: string;

The Name of the SKU used for this Key Vault.

property softDeleteEnabled

softDeleteEnabled: boolean;

Is soft delete enabled on this Key Vault?

property tags

tags: {[key: string]: string};

A mapping of tags assigned to the Key Vault.

property tenantId

tenantId: string;

The Azure Active Directory Tenant ID used to authenticate requests for this Key Vault.

property vaultUri

vaultUri: string;

The URI of the vault for performing operations on keys and secrets.

interface GetSecretArgs

interface GetSecretArgs

A collection of arguments for invoking getSecret.

property keyVaultId

keyVaultId: string;

Specifies the ID of the Key Vault instance where the Secret resides, available on the azure.keyvault.KeyVault Data Source / Resource.

property name

name: string;

Specifies the name of the Key Vault Secret.

interface GetSecretResult

interface GetSecretResult

A collection of values returned by getSecret.

property contentType

contentType: string;

The content type for the Key Vault Secret.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property keyVaultId

keyVaultId: string;

property name

name: string;

property tags

tags: {[key: string]: string};

Any tags assigned to this resource.

property value

value: string;

The value of the Key Vault Secret.

property version

version: string;

The current version of the Key Vault Secret.

interface KeyArgs

interface KeyArgs

The set of arguments for constructing a Key resource.

property curve

curve?: pulumi.Input<string>;

Specifies the curve to use when creating an EC key. Possible values are P-256, P-384, P-521, and SECP256K1. This field will be required in a future release if keyType is EC or EC-HSM. The API will default to P-256 if nothing is specified. Changing this forces a new resource to be created.

property expirationDate

expirationDate?: pulumi.Input<string>;

Expiration UTC datetime (Y-m-d’T’H:M:S’Z’).

property keyOpts

keyOpts: pulumi.Input<pulumi.Input<string>[]>;

A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case sensitive.

property keySize

keySize?: pulumi.Input<number>;

Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if keyType is RSA or RSA-HSM. Changing this forces a new resource to be created.

property keyType

keyType: pulumi.Input<string>;

Specifies the Key Type to use for this Key Vault Key. Possible values are EC (Elliptic Curve), EC-HSM, Oct (Octet), RSA and RSA-HSM. Changing this forces a new resource to be created.

property keyVaultId

keyVaultId: pulumi.Input<string>;

The ID of the Key Vault where the Key should be created. Changing this forces a new resource to be created.

property name

name?: pulumi.Input<string>;

Specifies the name of the Key Vault Key. Changing this forces a new resource to be created.

property notBeforeDate

notBeforeDate?: pulumi.Input<string>;

Key not usable before the provided UTC datetime (Y-m-d’T’H:M:S’Z’).

property tags

tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A mapping of tags to assign to the resource.

interface KeyState

interface KeyState

Input properties used for looking up and filtering Key resources.

property curve

curve?: pulumi.Input<string>;

Specifies the curve to use when creating an EC key. Possible values are P-256, P-384, P-521, and SECP256K1. This field will be required in a future release if keyType is EC or EC-HSM. The API will default to P-256 if nothing is specified. Changing this forces a new resource to be created.

property e

e?: pulumi.Input<string>;

The RSA public exponent of this Key Vault Key.

property expirationDate

expirationDate?: pulumi.Input<string>;

Expiration UTC datetime (Y-m-d’T’H:M:S’Z’).

property keyOpts

keyOpts?: pulumi.Input<pulumi.Input<string>[]>;

A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case sensitive.

property keySize

keySize?: pulumi.Input<number>;

Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if keyType is RSA or RSA-HSM. Changing this forces a new resource to be created.

property keyType

keyType?: pulumi.Input<string>;

Specifies the Key Type to use for this Key Vault Key. Possible values are EC (Elliptic Curve), EC-HSM, Oct (Octet), RSA and RSA-HSM. Changing this forces a new resource to be created.

property keyVaultId

keyVaultId?: pulumi.Input<string>;

The ID of the Key Vault where the Key should be created. Changing this forces a new resource to be created.

property n

n?: pulumi.Input<string>;

The RSA modulus of this Key Vault Key.

property name

name?: pulumi.Input<string>;

Specifies the name of the Key Vault Key. Changing this forces a new resource to be created.

property notBeforeDate

notBeforeDate?: pulumi.Input<string>;

Key not usable before the provided UTC datetime (Y-m-d’T’H:M:S’Z’).

property tags

tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A mapping of tags to assign to the resource.

property version

version?: pulumi.Input<string>;

The current version of the Key Vault Key.

property x

x?: pulumi.Input<string>;

The EC X component of this Key Vault Key.

property y

y?: pulumi.Input<string>;

The EC Y component of this Key Vault Key.

interface KeyVaultArgs

interface KeyVaultArgs

The set of arguments for constructing a KeyVault resource.

property accessPolicies

accessPolicies?: pulumi.Input<pulumi.Input<KeyVaultAccessPolicy>[]>;

A list of up to 16 objects describing access policies, as described below.

property enabledForDeployment

enabledForDeployment?: pulumi.Input<boolean>;

Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.

property enabledForDiskEncryption

enabledForDiskEncryption?: pulumi.Input<boolean>;

Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.

property enabledForTemplateDeployment

enabledForTemplateDeployment?: pulumi.Input<boolean>;

Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.

property location

location?: pulumi.Input<string>;

Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

property name

name?: pulumi.Input<string>;

Specifies the name of the Key Vault. Changing this forces a new resource to be created.

property networkAcls

networkAcls?: pulumi.Input<KeyVaultNetworkAcls>;

A networkAcls block as defined below.

property purgeProtectionEnabled

purgeProtectionEnabled?: pulumi.Input<boolean>;

Is Purge Protection enabled for this Key Vault? Defaults to false.

property resourceGroupName

resourceGroupName: pulumi.Input<string>;

The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.

property skuName

skuName: pulumi.Input<string>;

The Name of the SKU used for this Key Vault. Possible values are standard and premium.

property softDeleteEnabled

softDeleteEnabled?: pulumi.Input<boolean>;

Should Soft Delete be enabled for this Key Vault? Defaults to false.

property tags

tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A mapping of tags to assign to the resource.

property tenantId

tenantId: pulumi.Input<string>;

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
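
Several KeyVaultArgs settings above default to false, and inline accessPolicies cannot be combined with separate azure.keyvault.AccessPolicy resources for the same vault. The following is an added example, not part of the azure package: it checks plain objects shaped like KeyVaultArgs with already-resolved values. The names lintVault and VaultInput, the id field, the finding codes and the sample data are assumptions of the example.

```typescript
// Added example: pre-deployment lint for KeyVaultArgs-shaped plain objects.
interface VaultInput {
  id: string; // hypothetical handle used to match standalone policies to a vault
  accessPolicies?: object[];
  enabledForDeployment?: boolean;
  enabledForDiskEncryption?: boolean;
  enabledForTemplateDeployment?: boolean;
  networkAcls?: object;
  purgeProtectionEnabled?: boolean;
  softDeleteEnabled?: boolean;
}

type PlatformFlag = "enabledForDeployment" | "enabledForDiskEncryption" | "enabledForTemplateDeployment";
const PLATFORM_FLAGS: PlatformFlag[] = ["enabledForDeployment", "enabledForDiskEncryption", "enabledForTemplateDeployment"];

// standalonePolicyVaultIds: one entry per azure.keyvault.AccessPolicy resource,
// holding the id of the vault that policy targets (hypothetical input shape).
function lintVault(v: VaultInput, standalonePolicyVaultIds: string[]): string[] {
  const out: string[] = [];
  const inline = (v.accessPolicies || []).length;
  const standalone = standalonePolicyVaultIds.filter((id) => id === v.id).length;

  // Unset means false: both protections default to off per this page.
  if (v.softDeleteEnabled !== true) out.push("SOFT_DELETE_OFF");
  if (v.purgeProtectionEnabled !== true) out.push("PURGE_PROTECTION_OFF");
  // Azure only accepts purge protection on a vault that has soft delete enabled.
  if (v.purgeProtectionEnabled === true && v.softDeleteEnabled !== true) {
    out.push("PURGE_PROTECTION_NEEDS_SOFT_DELETE");
  }
  // accessPolicies is "a list of up to 16 objects".
  if (inline > 16) out.push("INLINE_POLICY_LIMIT");
  // Azure permits a maximum of 1024 Access Policies per Key Vault.
  if (inline + standalone > 1024) out.push("VAULT_POLICY_LIMIT");
  // Inline and standalone policies on the same vault conflict.
  if (inline > 0 && standalone > 0) out.push("MIXED_POLICY_MANAGEMENT");
  // Each flag lets an Azure platform service retrieve secrets or certificates.
  for (const flag of PLATFORM_FLAGS) {
    if (v[flag] === true) out.push("PLATFORM_ACCESS:" + flag);
  }
  // Only presence is checked; the contents of the block are not inspected here.
  if (v.networkAcls === undefined) out.push("NO_NETWORK_ACLS");
  return out;
}

// Constructed sample input.
const SAMPLE_VAULTS: VaultInput[] = [
  { id: "vault-a", accessPolicies: [{}] },
  { id: "vault-b", softDeleteEnabled: true, purgeProtectionEnabled: true,
    enabledForDiskEncryption: true, networkAcls: {} },
  { id: "vault-c", purgeProtectionEnabled: true },
];
const SAMPLE_STANDALONE: string[] = ["vault-a", "vault-a", "vault-b"];
```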

interface KeyVaultState

interface KeyVaultState

Input properties used for looking up and filtering KeyVault resources.

property accessPolicies

accessPolicies?: pulumi.Input<pulumi.Input<KeyVaultAccessPolicy>[]>;

A list of up to 16 objects describing access policies, as described below.

property enabledForDeployment

enabledForDeployment?: pulumi.Input<boolean>;

Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.

property enabledForDiskEncryption

enabledForDiskEncryption?: pulumi.Input<boolean>;

Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.

property enabledForTemplateDeployment

enabledForTemplateDeployment?: pulumi.Input<boolean>;

Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.

property location

location?: pulumi.Input<string>;

Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

property name

name?: pulumi.Input<string>;

Specifies the name of the Key Vault. Changing this forces a new resource to be created.

property networkAcls

networkAcls?: pulumi.Input<KeyVaultNetworkAcls>;

A networkAcls block as defined below.

property purgeProtectionEnabled

purgeProtectionEnabled?: pulumi.Input<boolean>;

Is Purge Protection enabled for this Key Vault? Defaults to false.

property resourceGroupName

resourceGroupName?: pulumi.Input<string>;

The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.

property skuName

skuName?: pulumi.Input<string>;

The Name of the SKU used for this Key Vault. Possible values are standard and premium.

property softDeleteEnabled

softDeleteEnabled?: pulumi.Input<boolean>;

Should Soft Delete be enabled for this Key Vault? Defaults to false.

property tags

tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A mapping of tags to assign to the resource.

property tenantId

tenantId?: pulumi.Input<string>;

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

property vaultUri

vaultUri?: pulumi.Input<string>;

The URI of the Key Vault, used for performing operations on keys and secrets.

interface SecretArgs

interface SecretArgs

The set of arguments for constructing a Secret resource.

property contentType

contentType?: pulumi.Input<string>;

Specifies the content type for the Key Vault Secret.

property expirationDate

expirationDate?: pulumi.Input<string>;

Expiration UTC datetime (Y-m-d’T’H:M:S’Z’).

property keyVaultId

keyVaultId: pulumi.Input<string>;

The ID of the Key Vault where the Secret should be created.

property name

name?: pulumi.Input<string>;

Specifies the name of the Key Vault Secret. Changing this forces a new resource to be created.

property notBeforeDate

notBeforeDate?: pulumi.Input<string>;

Secret not usable before the provided UTC datetime (Y-m-d’T’H:M:S’Z’).

property tags

tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A mapping of tags to assign to the resource.

property value

value: pulumi.Input<string>;

Specifies the value of the Key Vault Secret.

interface SecretState

interface SecretState

Input properties used for looking up and filtering Secret resources.

property contentType

contentType?: pulumi.Input<string>;

Specifies the content type for the Key Vault Secret.

property expirationDate

expirationDate?: pulumi.Input<string>;

Expiration UTC datetime (Y-m-d’T’H:M:S’Z’).

property keyVaultId

keyVaultId?: pulumi.Input<string>;

The ID of the Key Vault where the Secret should be created.

property name

name?: pulumi.Input<string>;

Specifies the name of the Key Vault Secret. Changing this forces a new resource to be created.

property notBeforeDate

notBeforeDate?: pulumi.Input<string>;

Secret not usable before the provided UTC datetime (Y-m-d’T’H:M:S’Z’).

property tags

tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A mapping of tags to assign to the resource.

property value

value?: pulumi.Input<string>;

Specifies the value of the Key Vault Secret.

property version

version?: pulumi.Input<string>;

The current version of the Key Vault Secret.