This page documents the language specification for the azure package. If you're looking for help working with the inputs, outputs, or functions of azure resources in a Pulumi program, please see the resource documentation for examples and API reference.

keyvault

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-azure repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-azurerm repo.

class pulumi_azure.keyvault.AccessPolicy(resource_name, opts=None, application_id=None, certificate_permissions=None, key_permissions=None, key_vault_id=None, object_id=None, secret_permissions=None, storage_permissions=None, tenant_id=None, __props__=None, __name__=None, __opts__=None)

Manages a Key Vault Access Policy.

NOTE: It’s possible to define Key Vault Access Policies both within the keyvault.KeyVault resource via the access_policy block and by using the keyvault.AccessPolicy resource. However, it’s not possible to use both methods to manage Access Policies within a KeyVault, since there’ll be conflicts.

NOTE: Azure permits a maximum of 1024 Access Policies per Key Vault - more information can be found in this document.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • application_id (pulumi.Input[str]) – The object ID of an Application in Azure Active Directory.

  • certificate_permissions (pulumi.Input[list]) – List of certificate permissions, must be one or more from the following: backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers and update.

  • key_permissions (pulumi.Input[list]) – List of key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey.

  • key_vault_id (pulumi.Input[str]) – Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

  • object_id (pulumi.Input[str]) – The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

  • secret_permissions (pulumi.Input[list]) – List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set.

  • storage_permissions (pulumi.Input[list]) – List of storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update.

  • tenant_id (pulumi.Input[str]) – The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.
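As an added illustration (not code from pulumi_azure or the underlying Terraform provider), the following Python checks a list of AccessPolicy-style dicts before they reach a vault: it rejects permission names outside the lists given above (pointing out mis-cased names such as unwrapKey), reports duplicated object_id values and the 1024-policy limit stated in the notes, and flags a few permissions that deserve a deliberate decision. The HIGH_IMPACT grouping, the dict field names and the sample values are this example's own assumptions.

```python
"""Pre-deployment checks for Key Vault access policies.

Constructed example, not part of pulumi_azure. The permission names are
the ones the AccessPolicy reference lists; the structural rules (object_id
unique within a vault, at most 1024 policies per vault) are the ones it
states. HIGH_IMPACT is this example's own grouping.
"""
from collections import Counter

ALLOWED = {
    "certificate_permissions": {
        "backup", "create", "delete", "deleteissuers", "get", "getissuers",
        "import", "list", "listissuers", "managecontacts", "manageissuers",
        "purge", "recover", "restore", "setissuers", "update",
    },
    "key_permissions": {
        "backup", "create", "decrypt", "delete", "encrypt", "get", "import",
        "list", "purge", "recover", "restore", "sign", "unwrapKey", "update",
        "verify", "wrapKey",
    },
    "secret_permissions": {
        "backup", "delete", "get", "list", "purge", "recover", "restore", "set",
    },
    "storage_permissions": {
        "backup", "delete", "deletesas", "get", "getsas", "list", "listsas",
        "purge", "recover", "regeneratekey", "restore", "set", "setsas", "update",
    },
}
MAX_POLICIES_PER_VAULT = 1024

# Permissions that copy material out of the vault, defeat soft-delete
# recovery, or rotate credentials the vault manages; they are reported so
# that they are granted deliberately (this grouping is the example's own).
HIGH_IMPACT = {"purge", "backup", "restore", "regeneratekey"}


def check_policy(policy):
    """Return the findings for one policy dict keyed like AccessPolicy's arguments."""
    findings = []
    for field in ("object_id", "tenant_id", "key_vault_id"):
        if not policy.get(field):
            findings.append(f"missing {field}")
    granted_any = False
    for field, allowed in ALLOWED.items():
        perms = policy.get(field) or []
        granted_any = granted_any or bool(perms)
        by_lower = {p.lower(): p for p in allowed}
        for perm in perms:
            if perm in allowed:
                continue
            # Names such as unwrapKey and wrapKey are case-sensitive; a
            # near miss gets the correct spelling instead of "unknown".
            if perm.lower() in by_lower:
                findings.append(f"{field}: '{perm}' should be spelled '{by_lower[perm.lower()]}'")
            else:
                findings.append(f"{field}: unknown permission '{perm}'")
        for perm in sorted(set(perms) & HIGH_IMPACT):
            findings.append(f"{field}: high-impact permission '{perm}' granted")
    if not granted_any:
        findings.append("policy grants no permissions at all")
    return findings


def check_vault_policies(policies):
    """Check every policy of one vault; returns {index: findings, "vault": findings}."""
    report = {}
    for i, policy in enumerate(policies):
        findings = check_policy(policy)
        if findings:
            report[i] = findings
    vault_findings = []
    # The reference requires the object ID to be unique across a vault's policies.
    counts = Counter(p.get("object_id") for p in policies if p.get("object_id"))
    for object_id, n in counts.items():
        if n > 1:
            vault_findings.append(f"object_id {object_id} appears in {n} policies")
    if len(policies) > MAX_POLICIES_PER_VAULT:
        vault_findings.append(
            f"{len(policies)} policies exceeds the {MAX_POLICIES_PER_VAULT} limit")
    if vault_findings:
        report["vault"] = vault_findings
    return report


# Constructed sample: two policies for the same principal, the second with
# a mis-cased key permission and purge rights.
SAMPLE_POLICIES = [
    {"object_id": "00000000-0000-0000-0000-000000000001", "tenant_id": "tenant",
     "key_vault_id": "kv-example", "secret_permissions": ["get", "list"]},
    {"object_id": "00000000-0000-0000-0000-000000000001", "tenant_id": "tenant",
     "key_vault_id": "kv-example", "key_permissions": ["unwrapkey", "purge"]},
]

if __name__ == "__main__":
    for key, findings in check_vault_policies(SAMPLE_POLICIES).items():
        print(key, findings)
```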

application_id: pulumi.Output[str] = None

The object ID of an Application in Azure Active Directory.

certificate_permissions: pulumi.Output[list] = None

List of certificate permissions, must be one or more from the following: backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers and update.

key_permissions: pulumi.Output[list] = None

List of key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey.

key_vault_id: pulumi.Output[str] = None

Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

object_id: pulumi.Output[str] = None

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

secret_permissions: pulumi.Output[list] = None

List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set.

storage_permissions: pulumi.Output[list] = None

List of storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update.

tenant_id: pulumi.Output[str] = None

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

static get(resource_name, id, opts=None, application_id=None, certificate_permissions=None, key_permissions=None, key_vault_id=None, object_id=None, secret_permissions=None, storage_permissions=None, tenant_id=None)

Get an existing AccessPolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • application_id (pulumi.Input[str]) – The object ID of an Application in Azure Active Directory.

  • certificate_permissions (pulumi.Input[list]) – List of certificate permissions, must be one or more from the following: backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers and update.

  • key_permissions (pulumi.Input[list]) – List of key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey.

  • key_vault_id (pulumi.Input[str]) – Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

  • object_id (pulumi.Input[str]) – The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.

  • secret_permissions (pulumi.Input[list]) – List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set.

  • storage_permissions (pulumi.Input[list]) – List of storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update.

  • tenant_id (pulumi.Input[str]) – The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azure.keyvault.AwaitableGetAccessPolicyResult(certificate_permissions=None, id=None, key_permissions=None, name=None, secret_permissions=None)
class pulumi_azure.keyvault.AwaitableGetCertificateResult(certificate_data=None, certificate_policies=None, id=None, key_vault_id=None, name=None, secret_id=None, tags=None, thumbprint=None, version=None)
class pulumi_azure.keyvault.AwaitableGetKeyResult(e=None, id=None, key_opts=None, key_size=None, key_type=None, key_vault_id=None, n=None, name=None, tags=None, version=None)
class pulumi_azure.keyvault.AwaitableGetKeyVaultResult(access_policies=None, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, id=None, location=None, name=None, network_acls=None, purge_protection_enabled=None, resource_group_name=None, sku_name=None, soft_delete_enabled=None, tags=None, tenant_id=None, vault_uri=None)
class pulumi_azure.keyvault.AwaitableGetSecretResult(content_type=None, id=None, key_vault_id=None, name=None, tags=None, value=None, version=None)
class pulumi_azure.keyvault.Certifiate(resource_name, opts=None, certificate=None, certificate_policy=None, key_vault_id=None, name=None, tags=None, __props__=None, __name__=None, __opts__=None)

Manages a Key Vault Certificate.

import pulumi
import pulumi_azure as azure

current = azure.core.get_client_config()
example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West Europe")
example_key_vault = azure.keyvault.KeyVault("exampleKeyVault",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    tenant_id=current.tenant_id,
    sku_name="standard",
    access_policy=[{
        "tenant_id": current.tenant_id,
        "object_id": current.object_id,
        "certificate_permissions": [
            "create",
            "delete",
            "deleteissuers",
            "get",
            "getissuers",
            "import",
            "list",
            "listissuers",
            "managecontacts",
            "manageissuers",
            "setissuers",
            "update",
        ],
        "key_permissions": [
            "backup",
            "create",
            "decrypt",
            "delete",
            "encrypt",
            "get",
            "import",
            "list",
            "purge",
            "recover",
            "restore",
            "sign",
            "unwrapKey",
            "update",
            "verify",
            "wrapKey",
        ],
        "secret_permissions": [
            "backup",
            "delete",
            "get",
            "list",
            "purge",
            "recover",
            "restore",
            "set",
        ],
    }],
    tags={
        "environment": "Production",
    })
example_certificate = azure.keyvault.Certificate("exampleCertificate",
    key_vault_id=example_key_vault.id,
    certificate_policy={
        "issuer_parameters": {
            "name": "Self",
        },
        "key_properties": {
            "exportable": True,
            "key_size": 2048,
            "key_type": "RSA",
            "reuseKey": True,
        },
        "lifetime_action": [{
            "action": {
                "actionType": "AutoRenew",
            },
            "trigger": {
                "daysBeforeExpiry": 30,
            },
        }],
        "secret_properties": {
            "content_type": "application/x-pkcs12",
        },
        "x509_certificate_properties": {
            "extendedKeyUsages": ["1.3.6.1.5.5.7.3.1"],
            "keyUsages": [
                "cRLSign",
                "dataEncipherment",
                "digitalSignature",
                "keyAgreement",
                "keyCertSign",
                "keyEncipherment",
            ],
            "subject_alternative_names": {
                "dnsNames": [
                    "internal.contoso.com",
                    "domain.hello.world",
                ],
            },
            "subject": "CN=hello-world",
            "validityInMonths": 12,
        },
    })

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • certificate (pulumi.Input[dict]) – A certificate block as defined below, used to Import an existing certificate.

  • certificate_policy (pulumi.Input[dict]) – A certificate_policy block as defined below.

  • key_vault_id (pulumi.Input[str]) – The ID of the Key Vault where the Certificate should be created.

  • name (pulumi.Input[str]) – Specifies the name of the Key Vault Certificate. Changing this forces a new resource to be created.

  • tags (pulumi.Input[dict]) – A mapping of tags to assign to the resource.

The certificate object supports the following:

  • contents (pulumi.Input[str]) - The base64-encoded certificate contents. Changing this forces a new resource to be created.

  • password (pulumi.Input[str]) - The password associated with the certificate. Changing this forces a new resource to be created.

The certificate_policy object supports the following:

  • issuerParameters (pulumi.Input[dict]) - An issuer_parameters block as defined below.

    • name (pulumi.Input[str]) - The name of the Certificate Issuer. Possible values include Self (for a self-signed certificate) or Unknown (for a certificate issuing authority such as Let's Encrypt or one of the authorities Azure supports directly). Changing this forces a new resource to be created.

  • key_properties (pulumi.Input[dict]) - A key_properties block as defined below.

    • exportable (pulumi.Input[bool]) - Is this Certificate Exportable? Changing this forces a new resource to be created.

    • key_size (pulumi.Input[float]) - The size of the Key used in the Certificate. Possible values include 2048 and 4096. Changing this forces a new resource to be created.

    • key_type (pulumi.Input[str]) - Specifies the Type of Key, such as RSA. Changing this forces a new resource to be created.

    • reuseKey (pulumi.Input[bool]) - Is the key reusable? Changing this forces a new resource to be created.

  • lifetimeActions (pulumi.Input[list]) - A lifetime_action block as defined below.

    • action (pulumi.Input[dict]) - An action block as defined below.

      • actionType (pulumi.Input[str]) - The type of action to be performed when the lifetime trigger fires. Possible values include AutoRenew and EmailContacts. Changing this forces a new resource to be created.

    • trigger (pulumi.Input[dict]) - A trigger block as defined below.

      • daysBeforeExpiry (pulumi.Input[float]) - The number of days before the Certificate expires that the action associated with this Trigger should run. Changing this forces a new resource to be created. Conflicts with lifetime_percentage.

      • lifetimePercentage (pulumi.Input[float]) - The percentage of the Certificate's lifetime at which the action associated with this Trigger should run. Changing this forces a new resource to be created. Conflicts with days_before_expiry.

  • secretProperties (pulumi.Input[dict]) - A secret_properties block as defined below.

    • content_type (pulumi.Input[str]) - The Content-Type of the Certificate, such as application/x-pkcs12 for a PFX or application/x-pem-file for a PEM. Changing this forces a new resource to be created.

  • x509CertificateProperties (pulumi.Input[dict]) - An x509_certificate_properties block as defined below. Required when the certificate block is not specified.

    • extendedKeyUsages (pulumi.Input[list]) - A list of Extended/Enhanced Key Usages. Changing this forces a new resource to be created.

    • keyUsages (pulumi.Input[list]) - A list of uses associated with this Key. Possible values include cRLSign, dataEncipherment, decipherOnly, digitalSignature, encipherOnly, keyAgreement, keyCertSign, keyEncipherment and nonRepudiation and are case-sensitive. Changing this forces a new resource to be created.

    • subject (pulumi.Input[str]) - The Certificate’s Subject. Changing this forces a new resource to be created.

    • subjectAlternativeNames (pulumi.Input[dict]) - A subject_alternative_names block as defined below.

      • dnsNames (pulumi.Input[list]) - A list of alternative DNS names (FQDNs) identified by the Certificate. Changing this forces a new resource to be created.

      • emails (pulumi.Input[list]) - A list of email addresses identified by this Certificate. Changing this forces a new resource to be created.

      • upns (pulumi.Input[list]) - A list of User Principal Names identified by the Certificate. Changing this forces a new resource to be created.

    • validityInMonths (pulumi.Input[float]) - The Certificate's validity period in months. Changing this forces a new resource to be created.
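As an added example (not part of pulumi_azure), the following Python applies the constraints the certificate_policy reference states, for both the Certifiate and Certificate entries, to a dict of the shape used in the program above: daysBeforeExpiry and lifetimePercentage conflict, keyUsages names are case-sensitive, actionType and content_type take the listed values, and x509_certificate_properties is required unless a certificate block is imported. The 1..99 range for lifetimePercentage, the treatment of key_size values outside 2048/4096 as findings, and the note on exportable keys are this example's own assumptions.

```python
"""Pre-deployment checks for a Key Vault certificate_policy dict.

Constructed example, not part of pulumi_azure. It takes the snake_case
top-level blocks and camelCase inner keys used in the example program
(issuer_parameters, key_properties, lifetime_action, secret_properties,
x509_certificate_properties).
"""

KEY_USAGES = {
    "cRLSign", "dataEncipherment", "decipherOnly", "digitalSignature",
    "encipherOnly", "keyAgreement", "keyCertSign", "keyEncipherment",
    "nonRepudiation",
}
ACTION_TYPES = {"AutoRenew", "EmailContacts"}
CONTENT_TYPES = {"application/x-pkcs12", "application/x-pem-file"}
KEY_SIZES = {2048, 4096}


def check_certificate_policy(policy, has_certificate_block=False):
    """Return a list of findings; an empty list means the policy passed."""
    findings = []

    x509 = policy.get("x509_certificate_properties")
    if x509 is None and not has_certificate_block:
        findings.append("x509_certificate_properties is required when no certificate block is given")

    key_props = policy.get("key_properties") or {}
    if key_props.get("key_size") not in KEY_SIZES:
        findings.append(f"key_size {key_props.get('key_size')!r} is not one of {sorted(KEY_SIZES)}")
    if key_props.get("exportable"):
        # Assumption of this example: an exportable private key is retrievable
        # through the certificate's associated secret, so secret 'get' reaches it.
        findings.append("exportable is true: private key is readable via the associated secret")

    content_type = (policy.get("secret_properties") or {}).get("content_type")
    if content_type not in CONTENT_TYPES:
        findings.append(f"content_type {content_type!r} is not one of {sorted(CONTENT_TYPES)}")

    for i, action in enumerate(policy.get("lifetime_action") or []):
        action_type = (action.get("action") or {}).get("actionType")
        if action_type not in ACTION_TYPES:
            findings.append(f"lifetime_action[{i}]: actionType {action_type!r} is not one of {sorted(ACTION_TYPES)}")
        trigger = action.get("trigger") or {}
        days = trigger.get("daysBeforeExpiry")
        pct = trigger.get("lifetimePercentage")
        if days is not None and pct is not None:
            findings.append(f"lifetime_action[{i}]: daysBeforeExpiry and lifetimePercentage conflict; set only one")
        elif days is None and pct is None:
            findings.append(f"lifetime_action[{i}]: trigger needs daysBeforeExpiry or lifetimePercentage")
        elif pct is not None and not 1 <= pct <= 99:
            findings.append(f"lifetime_action[{i}]: lifetimePercentage {pct} outside 1..99")

    if x509 is not None:
        for usage in x509.get("keyUsages") or []:
            if usage in KEY_USAGES:
                continue
            # The reference says these names are case-sensitive; offer the
            # correct spelling when the only difference is case.
            match = next((u for u in KEY_USAGES if u.lower() == usage.lower()), None)
            if match:
                findings.append(f"keyUsages: '{usage}' is case-sensitive; use '{match}'")
            else:
                findings.append(f"keyUsages: unknown value '{usage}'")
    return findings


# Constructed sample mirroring the policy in the example program above.
SAMPLE_POLICY = {
    "issuer_parameters": {"name": "Self"},
    "key_properties": {"exportable": True, "key_size": 2048, "key_type": "RSA", "reuseKey": True},
    "lifetime_action": [{"action": {"actionType": "AutoRenew"}, "trigger": {"daysBeforeExpiry": 30}}],
    "secret_properties": {"content_type": "application/x-pkcs12"},
    "x509_certificate_properties": {
        "extendedKeyUsages": ["1.3.6.1.5.5.7.3.1"],
        "keyUsages": ["cRLSign", "dataEncipherment", "digitalSignature",
                      "keyAgreement", "keyCertSign", "keyEncipherment"],
        "subject_alternative_names": {"dnsNames": ["internal.contoso.com", "domain.hello.world"]},
        "subject": "CN=hello-world",
        "validityInMonths": 12,
    },
}

if __name__ == "__main__":
    for finding in check_certificate_policy(SAMPLE_POLICY):
        print(finding)
```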

certificate: pulumi.Output[dict] = None

A certificate block as defined below, used to Import an existing certificate.

  • contents (str) - The base64-encoded certificate contents. Changing this forces a new resource to be created.

  • password (str) - The password associated with the certificate. Changing this forces a new resource to be created.

certificate_data: pulumi.Output[str] = None

The raw Key Vault Certificate data represented as a hexadecimal string.

certificate_policy: pulumi.Output[dict] = None

A certificate_policy block as defined below.

  • issuerParameters (dict) - An issuer_parameters block as defined below.

    • name (str) - The name of the Certificate Issuer. Possible values include Self (for a self-signed certificate) or Unknown (for a certificate issuing authority such as Let's Encrypt or one of the authorities Azure supports directly). Changing this forces a new resource to be created.

  • key_properties (dict) - A key_properties block as defined below.

    • exportable (bool) - Is this Certificate Exportable? Changing this forces a new resource to be created.

    • key_size (float) - The size of the Key used in the Certificate. Possible values include 2048 and 4096. Changing this forces a new resource to be created.

    • key_type (str) - Specifies the Type of Key, such as RSA. Changing this forces a new resource to be created.

    • reuseKey (bool) - Is the key reusable? Changing this forces a new resource to be created.

  • lifetimeActions (list) - A lifetime_action block as defined below.

    • action (dict) - An action block as defined below.

      • actionType (str) - The type of action to be performed when the lifetime trigger fires. Possible values include AutoRenew and EmailContacts. Changing this forces a new resource to be created.

    • trigger (dict) - A trigger block as defined below.

      • daysBeforeExpiry (float) - The number of days before the Certificate expires that the action associated with this Trigger should run. Changing this forces a new resource to be created. Conflicts with lifetime_percentage.

      • lifetimePercentage (float) - The percentage of the Certificate's lifetime at which the action associated with this Trigger should run. Changing this forces a new resource to be created. Conflicts with days_before_expiry.

  • secretProperties (dict) - A secret_properties block as defined below.

    • content_type (str) - The Content-Type of the Certificate, such as application/x-pkcs12 for a PFX or application/x-pem-file for a PEM. Changing this forces a new resource to be created.

  • x509CertificateProperties (dict) - An x509_certificate_properties block as defined below. Required when the certificate block is not specified.

    • extendedKeyUsages (list) - A list of Extended/Enhanced Key Usages. Changing this forces a new resource to be created.

    • keyUsages (list) - A list of uses associated with this Key. Possible values include cRLSign, dataEncipherment, decipherOnly, digitalSignature, encipherOnly, keyAgreement, keyCertSign, keyEncipherment and nonRepudiation and are case-sensitive. Changing this forces a new resource to be created.

    • subject (str) - The Certificate’s Subject. Changing this forces a new resource to be created.

    • subjectAlternativeNames (dict) - A subject_alternative_names block as defined below.

      • dnsNames (list) - A list of alternative DNS names (FQDNs) identified by the Certificate. Changing this forces a new resource to be created.

      • emails (list) - A list of email addresses identified by this Certificate. Changing this forces a new resource to be created.

      • upns (list) - A list of User Principal Names identified by the Certificate. Changing this forces a new resource to be created.

    • validityInMonths (float) - The Certificate's validity period in months. Changing this forces a new resource to be created.

key_vault_id: pulumi.Output[str] = None

The ID of the Key Vault where the Certificate should be created.

name: pulumi.Output[str] = None

Specifies the name of the Key Vault Certificate. Changing this forces a new resource to be created.

secret_id: pulumi.Output[str] = None

The ID of the associated Key Vault Secret.

tags: pulumi.Output[dict] = None

A mapping of tags to assign to the resource.

thumbprint: pulumi.Output[str] = None

The X509 Thumbprint of the Key Vault Certificate represented as a hexadecimal string.

version: pulumi.Output[str] = None

The current version of the Key Vault Certificate.

static get(resource_name, id, opts=None, certificate=None, certificate_data=None, certificate_policy=None, key_vault_id=None, name=None, secret_id=None, tags=None, thumbprint=None, version=None)

Get an existing Certifiate resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • certificate (pulumi.Input[dict]) – A certificate block as defined below, used to Import an existing certificate.

  • certificate_data (pulumi.Input[str]) – The raw Key Vault Certificate data represented as a hexadecimal string.

  • certificate_policy (pulumi.Input[dict]) – A certificate_policy block as defined below.

  • key_vault_id (pulumi.Input[str]) – The ID of the Key Vault where the Certificate should be created.

  • name (pulumi.Input[str]) – Specifies the name of the Key Vault Certificate. Changing this forces a new resource to be created.

  • secret_id (pulumi.Input[str]) – The ID of the associated Key Vault Secret.

  • tags (pulumi.Input[dict]) – A mapping of tags to assign to the resource.

  • thumbprint (pulumi.Input[str]) – The X509 Thumbprint of the Key Vault Certificate represented as a hexadecimal string.

  • version (pulumi.Input[str]) – The current version of the Key Vault Certificate.

The certificate object supports the following:

  • contents (pulumi.Input[str]) - The base64-encoded certificate contents. Changing this forces a new resource to be created.

  • password (pulumi.Input[str]) - The password associated with the certificate. Changing this forces a new resource to be created.

The certificate_policy object supports the following:

  • issuerParameters (pulumi.Input[dict]) - An issuer_parameters block as defined below.

    • name (pulumi.Input[str]) - The name of the Certificate Issuer. Possible values include Self (for a self-signed certificate) or Unknown (for a certificate issuing authority such as Let's Encrypt or one of the authorities Azure supports directly). Changing this forces a new resource to be created.

  • key_properties (pulumi.Input[dict]) - A key_properties block as defined below.

    • exportable (pulumi.Input[bool]) - Is this Certificate Exportable? Changing this forces a new resource to be created.

    • key_size (pulumi.Input[float]) - The size of the Key used in the Certificate. Possible values include 2048 and 4096. Changing this forces a new resource to be created.

    • key_type (pulumi.Input[str]) - Specifies the Type of Key, such as RSA. Changing this forces a new resource to be created.

    • reuseKey (pulumi.Input[bool]) - Is the key reusable? Changing this forces a new resource to be created.

  • lifetimeActions (pulumi.Input[list]) - A lifetime_action block as defined below.

    • action (pulumi.Input[dict]) - An action block as defined below.

      • actionType (pulumi.Input[str]) - The type of action to be performed when the lifetime trigger fires. Possible values include AutoRenew and EmailContacts. Changing this forces a new resource to be created.

    • trigger (pulumi.Input[dict]) - A trigger block as defined below.

      • daysBeforeExpiry (pulumi.Input[float]) - The number of days before the Certificate expires that the action associated with this Trigger should run. Changing this forces a new resource to be created. Conflicts with lifetime_percentage.

      • lifetimePercentage (pulumi.Input[float]) - The percentage of the Certificate's lifetime at which the action associated with this Trigger should run. Changing this forces a new resource to be created. Conflicts with days_before_expiry.

  • secretProperties (pulumi.Input[dict]) - A secret_properties block as defined below.

    • content_type (pulumi.Input[str]) - The Content-Type of the Certificate, such as application/x-pkcs12 for a PFX or application/x-pem-file for a PEM. Changing this forces a new resource to be created.

  • x509CertificateProperties (pulumi.Input[dict]) - An x509_certificate_properties block as defined below. Required when the certificate block is not specified.

    • extendedKeyUsages (pulumi.Input[list]) - A list of Extended/Enhanced Key Usages. Changing this forces a new resource to be created.

    • keyUsages (pulumi.Input[list]) - A list of uses associated with this Key. Possible values include cRLSign, dataEncipherment, decipherOnly, digitalSignature, encipherOnly, keyAgreement, keyCertSign, keyEncipherment and nonRepudiation and are case-sensitive. Changing this forces a new resource to be created.

    • subject (pulumi.Input[str]) - The Certificate’s Subject. Changing this forces a new resource to be created.

    • subjectAlternativeNames (pulumi.Input[dict]) - A subject_alternative_names block as defined below.

      • dnsNames (pulumi.Input[list]) - A list of alternative DNS names (FQDNs) identified by the Certificate. Changing this forces a new resource to be created.

      • emails (pulumi.Input[list]) - A list of email addresses identified by this Certificate. Changing this forces a new resource to be created.

      • upns (pulumi.Input[list]) - A list of User Principal Names identified by the Certificate. Changing this forces a new resource to be created.

    • validityInMonths (pulumi.Input[float]) - The Certificate's validity period in months. Changing this forces a new resource to be created.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azure.keyvault.Certificate(resource_name, opts=None, certificate=None, certificate_policy=None, key_vault_id=None, name=None, tags=None, __props__=None, __name__=None, __opts__=None)

Manages a Key Vault Certificate.

import pulumi
import pulumi_azure as azure

current = azure.core.get_client_config()
example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West Europe")
example_key_vault = azure.keyvault.KeyVault("exampleKeyVault",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    tenant_id=current.tenant_id,
    sku_name="standard",
    access_policy=[{
        "tenant_id": current.tenant_id,
        "object_id": current.object_id,
        "certificate_permissions": [
            "create",
            "delete",
            "deleteissuers",
            "get",
            "getissuers",
            "import",
            "list",
            "listissuers",
            "managecontacts",
            "manageissuers",
            "setissuers",
            "update",
        ],
        "key_permissions": [
            "backup",
            "create",
            "decrypt",
            "delete",
            "encrypt",
            "get",
            "import",
            "list",
            "purge",
            "recover",
            "restore",
            "sign",
            "unwrapKey",
            "update",
            "verify",
            "wrapKey",
        ],
        "secret_permissions": [
            "backup",
            "delete",
            "get",
            "list",
            "purge",
            "recover",
            "restore",
            "set",
        ],
    }],
    tags={
        "environment": "Production",
    })
example_certificate = azure.keyvault.Certificate("exampleCertificate",
    key_vault_id=example_key_vault.id,
    certificate_policy={
        "issuer_parameters": {
            "name": "Self",
        },
        "key_properties": {
            "exportable": True,
            "key_size": 2048,
            "key_type": "RSA",
            "reuseKey": True,
        },
        "lifetime_action": [{
            "action": {
                "actionType": "AutoRenew",
            },
            "trigger": {
                "daysBeforeExpiry": 30,
            },
        }],
        "secret_properties": {
            "content_type": "application/x-pkcs12",
        },
        "x509_certificate_properties": {
            "extendedKeyUsages": ["1.3.6.1.5.5.7.3.1"],
            "keyUsages": [
                "cRLSign",
                "dataEncipherment",
                "digitalSignature",
                "keyAgreement",
                "keyCertSign",
                "keyEncipherment",
            ],
            "subject_alternative_names": {
                "dnsNames": [
                    "internal.contoso.com",
                    "domain.hello.world",
                ],
            },
            "subject": "CN=hello-world",
            "validityInMonths": 12,
        },
    })

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • certificate (pulumi.Input[dict]) – A certificate block as defined below, used to Import an existing certificate.

  • certificate_policy (pulumi.Input[dict]) – A certificate_policy block as defined below.

  • key_vault_id (pulumi.Input[str]) – The ID of the Key Vault where the Certificate should be created.

  • name (pulumi.Input[str]) – Specifies the name of the Key Vault Certificate. Changing this forces a new resource to be created.

  • tags (pulumi.Input[dict]) – A mapping of tags to assign to the resource.

The certificate object supports the following:

  • contents (pulumi.Input[str]) - The base64-encoded certificate contents. Changing this forces a new resource to be created.

  • password (pulumi.Input[str]) - The password associated with the certificate. Changing this forces a new resource to be created.

The certificate_policy object supports the following:

  • issuerParameters (pulumi.Input[dict]) - An issuer_parameters block as defined below.

    • name (pulumi.Input[str]) - The name of the Certificate Issuer. Possible values include Self (for a self-signed certificate) or Unknown (for a certificate issuing authority such as Let's Encrypt or one of the authorities Azure supports directly). Changing this forces a new resource to be created.

  • key_properties (pulumi.Input[dict]) - A key_properties block as defined below.

    • exportable (pulumi.Input[bool]) - Is this Certificate Exportable? Changing this forces a new resource to be created.

    • key_size (pulumi.Input[float]) - The size of the Key used in the Certificate. Possible values include 2048 and 4096. Changing this forces a new resource to be created.

    • key_type (pulumi.Input[str]) - Specifies the Type of Key, such as RSA. Changing this forces a new resource to be created.

    • reuseKey (pulumi.Input[bool]) - Is the key reusable? Changing this forces a new resource to be created.

  • lifetimeActions (pulumi.Input[list]) - A lifetime_action block as defined below.

    • action (pulumi.Input[dict]) - An action block as defined below.

      • actionType (pulumi.Input[str]) - The type of action to be performed when the lifetime trigger fires. Possible values include AutoRenew and EmailContacts. Changing this forces a new resource to be created.

    • trigger (pulumi.Input[dict]) - A trigger block as defined below.

      • daysBeforeExpiry (pulumi.Input[float]) - The number of days before the Certificate expires that the action associated with this Trigger should run. Changing this forces a new resource to be created. Conflicts with lifetime_percentage.

      • lifetimePercentage (pulumi.Input[float]) - The percentage of the Certificate's lifetime at which the action associated with this Trigger should run. Changing this forces a new resource to be created. Conflicts with days_before_expiry.

  • secretProperties (pulumi.Input[dict]) - A secret_properties block as defined below.

    • content_type (pulumi.Input[str]) - The Content-Type of the Certificate, such as application/x-pkcs12 for a PFX or application/x-pem-file for a PEM. Changing this forces a new resource to be created.

  • x509CertificateProperties (pulumi.Input[dict]) - An x509_certificate_properties block as defined below. Required when the certificate block is not specified.

    • extendedKeyUsages (pulumi.Input[list]) - A list of Extended/Enhanced Key Usages. Changing this forces a new resource to be created.

    • keyUsages (pulumi.Input[list]) - A list of uses associated with this Key. Possible values include cRLSign, dataEncipherment, decipherOnly, digitalSignature, encipherOnly, keyAgreement, keyCertSign, keyEncipherment and nonRepudiation and are case-sensitive. Changing this forces a new resource to be created.

    • subject (pulumi.Input[str]) - The Certificate’s Subject. Changing this forces a new resource to be created.

    • subjectAlternativeNames (pulumi.Input[dict]) - A subject_alternative_names block as defined below.

      • dnsNames (pulumi.Input[list]) - A list of alternative DNS names (FQDNs) identified by the Certificate. Changing this forces a new resource to be created.

      • emails (pulumi.Input[list]) - A list of email addresses identified by this Certificate. Changing this forces a new resource to be created.

      • upns (pulumi.Input[list]) - A list of User Principal Names identified by the Certificate. Changing this forces a new resource to be created.

    • validityInMonths (pulumi.Input[float]) - The Certificate's validity period in months. Changing this forces a new resource to be created.
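As an added example (not provider code), the helpers below assemble a certificate_policy for azure.keyvault.Certificate and lint it against the constraints listed above (allowed issuers and key sizes, the mutually exclusive trigger fields, case-sensitive key usages, and the x509_certificate_properties requirement when no certificate block is imported). Nested keys use the snake_case style of the page's own KeyVault example (an assumption; the lists above also show camelCase names), and the subject and DNS name are constructed samples.

```python
# Added example, not pulumi-azure code: build and lint a certificate_policy dict.
# Key names follow the snake_case style of the page's KeyVault example (assumption).

ALLOWED_ISSUERS = {"Self", "Unknown"}
ALLOWED_KEY_SIZES = {2048, 4096}
ALLOWED_ACTIONS = {"AutoRenew", "EmailContacts"}
ALLOWED_KEY_USAGES = {  # case-sensitive, exactly as the provider expects them
    "cRLSign", "dataEncipherment", "decipherOnly", "digitalSignature",
    "encipherOnly", "keyAgreement", "keyCertSign", "keyEncipherment",
    "nonRepudiation",
}


def lifetime_action(action_type, days_before_expiry=None, lifetime_percentage=None):
    """Build one lifetime_action block; the linter enforces the one-trigger rule."""
    trigger = {}
    if days_before_expiry is not None:
        trigger["days_before_expiry"] = days_before_expiry
    if lifetime_percentage is not None:
        trigger["lifetime_percentage"] = lifetime_percentage
    return {"action": {"action_type": action_type}, "trigger": trigger}


def x509_properties(subject, dns_names=(), validity_in_months=12,
                    key_usages=("digitalSignature", "keyEncipherment"),
                    extended_key_usages=()):
    """Build the x509_certificate_properties block for a vault-generated certificate."""
    return {
        "subject": subject,
        "subject_alternative_names": {"dns_names": list(dns_names)},
        "key_usages": list(key_usages),
        "extended_key_usages": list(extended_key_usages),
        "validity_in_months": validity_in_months,
    }


def certificate_policy(issuer="Self", key_size=2048, exportable=False, reuse_key=False,
                       content_type="application/x-pkcs12", lifetime_actions=(), x509=None):
    """Assemble the certificate_policy dict.

    x509 may be None only when a certificate block is imported alongside the policy.
    """
    policy = {
        "issuer_parameters": {"name": issuer},
        "key_properties": {
            "exportable": exportable,  # False keeps the private key inside the vault
            "key_size": key_size,
            "key_type": "RSA",
            "reuse_key": reuse_key,
        },
        "secret_properties": {"content_type": content_type},
        "lifetime_actions": list(lifetime_actions),
    }
    if x509 is not None:
        policy["x509_certificate_properties"] = x509
    return policy


def lint_certificate_policy(policy, certificate=None):
    """Return a list of problems the provider or API would reject (empty list = OK).

    certificate is the optional certificate block ({"contents": ..., "password": ...})
    that would be passed next to the policy when importing an existing certificate.
    """
    problems = []
    issuer = policy["issuer_parameters"]["name"]
    if issuer not in ALLOWED_ISSUERS:
        problems.append(f"issuer_parameters.name {issuer!r} not in {sorted(ALLOWED_ISSUERS)}")
    size = policy["key_properties"]["key_size"]
    if size not in ALLOWED_KEY_SIZES:
        problems.append(f"key_size {size} not in {sorted(ALLOWED_KEY_SIZES)}")
    for i, act in enumerate(policy["lifetime_actions"]):
        a_type = act["action"]["action_type"]
        if a_type not in ALLOWED_ACTIONS:
            problems.append(f"lifetime_actions[{i}]: action_type {a_type!r} unknown")
        if len(act["trigger"]) != 1:
            problems.append(f"lifetime_actions[{i}]: set exactly one of "
                            "days_before_expiry / lifetime_percentage")
    x509 = policy.get("x509_certificate_properties")
    if x509 is None:
        if certificate is None:
            problems.append("x509_certificate_properties is required when no "
                            "certificate block is imported")
    else:
        bad = set(x509["key_usages"]) - ALLOWED_KEY_USAGES
        if bad:
            problems.append(f"key_usages not recognised (values are case-sensitive): {sorted(bad)}")
    return problems


if __name__ == "__main__":
    # Constructed sample: vault-generated, non-exportable, auto-renewed 30 days before expiry.
    policy = certificate_policy(
        lifetime_actions=[lifetime_action("AutoRenew", days_before_expiry=30)],
        x509=x509_properties("CN=app.example.internal", dns_names=["app.example.internal"]),
    )
    print(lint_certificate_policy(policy))  # []
    # Once the list is empty the dict is what you would pass as
    # azure.keyvault.Certificate("example", key_vault_id=..., certificate_policy=policy)
```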

certificate: pulumi.Output[dict] = None

A certificate block as defined below, used to Import an existing certificate.

  • contents (str) - The base64-encoded certificate contents. Changing this forces a new resource to be created.

  • password (str) - The password associated with the certificate. Changing this forces a new resource to be created.

certificate_data: pulumi.Output[str] = None

The raw Key Vault Certificate data represented as a hexadecimal string.

certificate_policy: pulumi.Output[dict] = None

A certificate_policy block as defined below.

  • issuerParameters (dict) - An issuer_parameters block as defined below.

    • name (str) - The name of the Certificate Issuer. Possible values include Self (for a self-signed certificate) or Unknown (for an external certificate authority such as Let's Encrypt or one of the CAs Azure supports directly). Changing this forces a new resource to be created.

  • key_properties (dict) - A key_properties block as defined below.

    • exportable (bool) - Is this Certificate Exportable? Changing this forces a new resource to be created.

    • key_size (float) - The size of the Key used in the Certificate. Possible values include 2048 and 4096. Changing this forces a new resource to be created.

    • key_type (str) - Specifies the Type of Key, such as RSA. Changing this forces a new resource to be created.

    • reuseKey (bool) - Is the key reusable? Changing this forces a new resource to be created.

  • lifetimeActions (list) - A lifetime_action block as defined below.

    • action (dict) - An action block as defined below.

      • actionType (str) - The type of action to be performed when the lifetime trigger fires. Possible values include AutoRenew and EmailContacts. Changing this forces a new resource to be created.

    • trigger (dict) - A trigger block as defined below.

      • daysBeforeExpiry (float) - The number of days before the Certificate expires that the action associated with this Trigger should run. Changing this forces a new resource to be created. Conflicts with lifetime_percentage.

      • lifetimePercentage (float) - The percentage of the Certificate's lifetime at which the action associated with this Trigger should run. Changing this forces a new resource to be created. Conflicts with days_before_expiry.

  • secretProperties (dict) - A secret_properties block as defined below.

    • content_type (str) - The Content-Type of the Certificate, such as application/x-pkcs12 for a PFX or application/x-pem-file for a PEM. Changing this forces a new resource to be created.

  • x509CertificateProperties (dict) - An x509_certificate_properties block as defined below. Required when the certificate block is not specified.

    • extendedKeyUsages (list) - A list of Extended/Enhanced Key Usages. Changing this forces a new resource to be created.

    • keyUsages (list) - A list of uses associated with this Key. Possible values include cRLSign, dataEncipherment, decipherOnly, digitalSignature, encipherOnly, keyAgreement, keyCertSign, keyEncipherment and nonRepudiation and are case-sensitive. Changing this forces a new resource to be created.

    • subject (str) - The Certificate’s Subject. Changing this forces a new resource to be created.

    • subjectAlternativeNames (dict) - A subject_alternative_names block as defined below.

      • dnsNames (list) - A list of alternative DNS names (FQDNs) identified by the Certificate. Changing this forces a new resource to be created.

      • emails (list) - A list of email addresses identified by this Certificate. Changing this forces a new resource to be created.

      • upns (list) - A list of User Principal Names identified by the Certificate. Changing this forces a new resource to be created.

    • validityInMonths (float) - The Certificate's validity period in months. Changing this forces a new resource to be created.

key_vault_id: pulumi.Output[str] = None

The ID of the Key Vault where the Certificate should be created.

name: pulumi.Output[str] = None

Specifies the name of the Key Vault Certificate. Changing this forces a new resource to be created.

secret_id: pulumi.Output[str] = None

The ID of the associated Key Vault Secret.

tags: pulumi.Output[dict] = None

A mapping of tags to assign to the resource.

thumbprint: pulumi.Output[str] = None

The X509 Thumbprint of the Key Vault Certificate represented as a hexadecimal string.

version: pulumi.Output[str] = None

The current version of the Key Vault Certificate.

static get(resource_name, id, opts=None, certificate=None, certificate_data=None, certificate_policy=None, key_vault_id=None, name=None, secret_id=None, tags=None, thumbprint=None, version=None)

Get an existing Certificate resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • certificate (pulumi.Input[dict]) – A certificate block as defined below, used to Import an existing certificate.

  • certificate_data (pulumi.Input[str]) – The raw Key Vault Certificate data represented as a hexadecimal string.

  • certificate_policy (pulumi.Input[dict]) – A certificate_policy block as defined below.

  • key_vault_id (pulumi.Input[str]) – The ID of the Key Vault where the Certificate should be created.

  • name (pulumi.Input[str]) – Specifies the name of the Key Vault Certificate. Changing this forces a new resource to be created.

  • secret_id (pulumi.Input[str]) – The ID of the associated Key Vault Secret.

  • tags (pulumi.Input[dict]) – A mapping of tags to assign to the resource.

  • thumbprint (pulumi.Input[str]) – The X509 Thumbprint of the Key Vault Certificate represented as a hexadecimal string.

  • version (pulumi.Input[str]) – The current version of the Key Vault Certificate.

The certificate object supports the following:

  • contents (pulumi.Input[str]) - The base64-encoded certificate contents. Changing this forces a new resource to be created.

  • password (pulumi.Input[str]) - The password associated with the certificate. Changing this forces a new resource to be created.

The certificate_policy object supports the following:

  • issuerParameters (pulumi.Input[dict]) - An issuer_parameters block as defined below.

    • name (pulumi.Input[str]) - The name of the Certificate Issuer. Possible values include Self (for a self-signed certificate) or Unknown (for an external certificate authority such as Let's Encrypt or one of the CAs Azure supports directly). Changing this forces a new resource to be created.

  • key_properties (pulumi.Input[dict]) - A key_properties block as defined below.

    • exportable (pulumi.Input[bool]) - Is this Certificate Exportable? Changing this forces a new resource to be created.

    • key_size (pulumi.Input[float]) - The size of the Key used in the Certificate. Possible values include 2048 and 4096. Changing this forces a new resource to be created.

    • key_type (pulumi.Input[str]) - Specifies the Type of Key, such as RSA. Changing this forces a new resource to be created.

    • reuseKey (pulumi.Input[bool]) - Is the key reusable? Changing this forces a new resource to be created.

  • lifetimeActions (pulumi.Input[list]) - A lifetime_action block as defined below.

    • action (pulumi.Input[dict]) - An action block as defined below.

      • actionType (pulumi.Input[str]) - The type of action to be performed when the lifetime trigger fires. Possible values include AutoRenew and EmailContacts. Changing this forces a new resource to be created.

    • trigger (pulumi.Input[dict]) - A trigger block as defined below.

      • daysBeforeExpiry (pulumi.Input[float]) - The number of days before the Certificate expires that the action associated with this Trigger should run. Changing this forces a new resource to be created. Conflicts with lifetime_percentage.

      • lifetimePercentage (pulumi.Input[float]) - The percentage of the Certificate's lifetime at which the action associated with this Trigger should run. Changing this forces a new resource to be created. Conflicts with days_before_expiry.

  • secretProperties (pulumi.Input[dict]) - A secret_properties block as defined below.

    • content_type (pulumi.Input[str]) - The Content-Type of the Certificate, such as application/x-pkcs12 for a PFX or application/x-pem-file for a PEM. Changing this forces a new resource to be created.

  • x509CertificateProperties (pulumi.Input[dict]) - An x509_certificate_properties block as defined below. Required when the certificate block is not specified.

    • extendedKeyUsages (pulumi.Input[list]) - A list of Extended/Enhanced Key Usages. Changing this forces a new resource to be created.

    • keyUsages (pulumi.Input[list]) - A list of uses associated with this Key. Possible values include cRLSign, dataEncipherment, decipherOnly, digitalSignature, encipherOnly, keyAgreement, keyCertSign, keyEncipherment and nonRepudiation and are case-sensitive. Changing this forces a new resource to be created.

    • subject (pulumi.Input[str]) - The Certificate’s Subject. Changing this forces a new resource to be created.

    • subjectAlternativeNames (pulumi.Input[dict]) - A subject_alternative_names block as defined below.

      • dnsNames (pulumi.Input[list]) - A list of alternative DNS names (FQDNs) identified by the Certificate. Changing this forces a new resource to be created.

      • emails (pulumi.Input[list]) - A list of email addresses identified by this Certificate. Changing this forces a new resource to be created.

      • upns (pulumi.Input[list]) - A list of User Principal Names identified by the Certificate. Changing this forces a new resource to be created.

    • validityInMonths (pulumi.Input[float]) - The Certificate's validity period in months. Changing this forces a new resource to be created.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azure.keyvault.GetAccessPolicyResult(certificate_permissions=None, id=None, key_permissions=None, name=None, secret_permissions=None)

A collection of values returned by getAccessPolicy.

certificate_permissions = None

The certificate permissions for the access policy.

id = None

The provider-assigned unique ID for this managed resource.

key_permissions = None

The key permissions for the access policy.

secret_permissions = None

The secret permissions for the access policy.

class pulumi_azure.keyvault.GetCertificateResult(certificate_data=None, certificate_policies=None, id=None, key_vault_id=None, name=None, secret_id=None, tags=None, thumbprint=None, version=None)

A collection of values returned by getCertificate.

certificate_policies = None

A certificate_policy block as defined below.

id = None

The provider-assigned unique ID for this managed resource.

name = None

The name of the Certificate Issuer.

tags = None

A mapping of tags to assign to the resource.

class pulumi_azure.keyvault.GetKeyResult(e=None, id=None, key_opts=None, key_size=None, key_type=None, key_vault_id=None, n=None, name=None, tags=None, version=None)

A collection of values returned by getKey.

e = None

The RSA public exponent of this Key Vault Key.

id = None

The provider-assigned unique ID for this managed resource.

key_opts = None

A list of JSON web key operations assigned to this Key Vault Key

key_size = None

Specifies the Size of this Key Vault Key.

key_type = None

Specifies the Key Type of this Key Vault Key

n = None

The RSA modulus of this Key Vault Key.

tags = None

A mapping of tags assigned to this Key Vault Key.

version = None

The current version of the Key Vault Key.

class pulumi_azure.keyvault.GetKeyVaultResult(access_policies=None, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, id=None, location=None, name=None, network_acls=None, purge_protection_enabled=None, resource_group_name=None, sku_name=None, soft_delete_enabled=None, tags=None, tenant_id=None, vault_uri=None)

A collection of values returned by getKeyVault.

access_policies = None

One or more access_policy blocks as defined below.

enabled_for_deployment = None

Can Azure Virtual Machines retrieve certificates stored as secrets from the Key Vault?

enabled_for_disk_encryption = None

Can Azure Disk Encryption retrieve secrets from the Key Vault?

enabled_for_template_deployment = None

Can Azure Resource Manager retrieve secrets from the Key Vault?

id = None

The provider-assigned unique ID for this managed resource.

location = None

The Azure Region in which the Key Vault exists.

purge_protection_enabled = None

Is purge protection enabled on this Key Vault?

sku_name = None

The Name of the SKU used for this Key Vault.

soft_delete_enabled = None

Is soft delete enabled on this Key Vault?

tags = None

A mapping of tags assigned to the Key Vault.

tenant_id = None

The Azure Active Directory Tenant ID used to authenticate requests for this Key Vault.

vault_uri = None

The URI of the vault for performing operations on keys and secrets.

class pulumi_azure.keyvault.GetSecretResult(content_type=None, id=None, key_vault_id=None, name=None, tags=None, value=None, version=None)

A collection of values returned by getSecret.

content_type = None

The content type for the Key Vault Secret.

id = None

The provider-assigned unique ID for this managed resource.

tags = None

Any tags assigned to this resource.

value = None

The value of the Key Vault Secret.

version = None

The current version of the Key Vault Secret.

class pulumi_azure.keyvault.Key(resource_name, opts=None, curve=None, expiration_date=None, key_opts=None, key_size=None, key_type=None, key_vault_id=None, name=None, not_before_date=None, tags=None, __props__=None, __name__=None, __opts__=None)

Manages a Key Vault Key.

import pulumi
import pulumi_azure as azure
import pulumi_random as random

current = azure.core.get_client_config()
example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West US")
# Random suffix; changing any keeper value regenerates the id
server = random.RandomId("server",
    keepers={
        "ami_id": 1,
    },
    byte_length=8)
example_key_vault = azure.keyvault.KeyVault("exampleKeyVault",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    tenant_id=current.tenant_id,
    sku_name="premium",
    # Grant the deploying principal only what this program needs
    access_policy=[{
        "tenant_id": current.tenant_id,
        "object_id": current.object_id,
        "key_permissions": [
            "create",
            "get",
        ],
        "secret_permissions": ["set"],
    }],
    tags={
        "environment": "Production",
    })
# Vault-generated 2048-bit RSA key, limited to the listed JSON web key operations
generated = azure.keyvault.Key("generated",
    key_vault_id=example_key_vault.id,
    key_type="RSA",
    key_size=2048,
    key_opts=[
        "decrypt",
        "encrypt",
        "sign",
        "unwrapKey",
        "verify",
        "wrapKey",
    ])

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • curve (pulumi.Input[str]) – Specifies the curve to use when creating an EC key. Possible values are P-256, P-384, P-521, and SECP256K1. This field will be required in a future release if key_type is EC or EC-HSM. The API will default to P-256 if nothing is specified. Changing this forces a new resource to be created.

  • expiration_date (pulumi.Input[str]) – Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

  • key_opts (pulumi.Input[list]) – A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case sensitive.

  • key_size (pulumi.Input[float]) – Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA or RSA-HSM. Changing this forces a new resource to be created.

  • key_type (pulumi.Input[str]) – Specifies the Key Type to use for this Key Vault Key. Possible values are EC (Elliptic Curve), EC-HSM, Oct (Octet), RSA and RSA-HSM. Changing this forces a new resource to be created.

  • key_vault_id (pulumi.Input[str]) – The ID of the Key Vault where the Key should be created. Changing this forces a new resource to be created.

  • name (pulumi.Input[str]) – Specifies the name of the Key Vault Key. Changing this forces a new resource to be created.

  • not_before_date (pulumi.Input[str]) – Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

  • tags (pulumi.Input[dict]) – A mapping of tags to assign to the resource.

curve: pulumi.Output[str] = None

Specifies the curve to use when creating an EC key. Possible values are P-256, P-384, P-521, and SECP256K1. This field will be required in a future release if key_type is EC or EC-HSM. The API will default to P-256 if nothing is specified. Changing this forces a new resource to be created.

e: pulumi.Output[str] = None

The RSA public exponent of this Key Vault Key.

expiration_date: pulumi.Output[str] = None

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

key_opts: pulumi.Output[list] = None

A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case sensitive.

key_size: pulumi.Output[float] = None

Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA or RSA-HSM. Changing this forces a new resource to be created.

key_type: pulumi.Output[str] = None

Specifies the Key Type to use for this Key Vault Key. Possible values are EC (Elliptic Curve), EC-HSM, Oct (Octet), RSA and RSA-HSM. Changing this forces a new resource to be created.

key_vault_id: pulumi.Output[str] = None

The ID of the Key Vault where the Key should be created. Changing this forces a new resource to be created.

n: pulumi.Output[str] = None

The RSA modulus of this Key Vault Key.

name: pulumi.Output[str] = None

Specifies the name of the Key Vault Key. Changing this forces a new resource to be created.

not_before_date: pulumi.Output[str] = None

Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

tags: pulumi.Output[dict] = None

A mapping of tags to assign to the resource.

version: pulumi.Output[str] = None

The current version of the Key Vault Key.

x: pulumi.Output[str] = None

The EC X component of this Key Vault Key.

y: pulumi.Output[str] = None

The EC Y component of this Key Vault Key.

static get(resource_name, id, opts=None, curve=None, e=None, expiration_date=None, key_opts=None, key_size=None, key_type=None, key_vault_id=None, n=None, name=None, not_before_date=None, tags=None, version=None, x=None, y=None)

Get an existing Key resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • curve (pulumi.Input[str]) – Specifies the curve to use when creating an EC key. Possible values are P-256, P-384, P-521, and SECP256K1. This field will be required in a future release if key_type is EC or EC-HSM. The API will default to P-256 if nothing is specified. Changing this forces a new resource to be created.

  • e (pulumi.Input[str]) – The RSA public exponent of this Key Vault Key.

  • expiration_date (pulumi.Input[str]) – Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

  • key_opts (pulumi.Input[list]) – A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case sensitive.

  • key_size (pulumi.Input[float]) – Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA or RSA-HSM. Changing this forces a new resource to be created.

  • key_type (pulumi.Input[str]) – Specifies the Key Type to use for this Key Vault Key. Possible values are EC (Elliptic Curve), EC-HSM, Oct (Octet), RSA and RSA-HSM. Changing this forces a new resource to be created.

  • key_vault_id (pulumi.Input[str]) – The ID of the Key Vault where the Key should be created. Changing this forces a new resource to be created.

  • n (pulumi.Input[str]) – The RSA modulus of this Key Vault Key.

  • name (pulumi.Input[str]) – Specifies the name of the Key Vault Key. Changing this forces a new resource to be created.

  • not_before_date (pulumi.Input[str]) – Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

  • tags (pulumi.Input[dict]) – A mapping of tags to assign to the resource.

  • version (pulumi.Input[str]) – The current version of the Key Vault Key.

  • x (pulumi.Input[str]) – The EC X component of this Key Vault Key.

  • y (pulumi.Input[str]) – The EC Y component of this Key Vault Key.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azure.keyvault.KeyVault(resource_name, opts=None, access_policies=None, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, location=None, name=None, network_acls=None, purge_protection_enabled=None, resource_group_name=None, sku_name=None, soft_delete_enabled=None, tags=None, tenant_id=None, __props__=None, __name__=None, __opts__=None)

Manages a Key Vault.

Note: It’s possible to define Key Vault Access Policies both within the keyvault.KeyVault resource via the access_policy block and by using the keyvault.AccessPolicy resource. However it’s not possible to use both methods to manage Access Policies within a KeyVault, since there’ll be conflicts.

Note: This provider will automatically recover a soft-deleted Key Vault during creation if one is found; you can opt out of this using the features configuration within the Provider configuration block.

import pulumi
import pulumi_azure as azure

current = azure.core.get_client_config()
example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West US")
example_key_vault = azure.keyvault.KeyVault("exampleKeyVault",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    enabled_for_disk_encryption=True,
    tenant_id=current.tenant_id,
    # Soft delete keeps deleted objects recoverable; purge protection off means they can still be purged
    soft_delete_enabled=True,
    purge_protection_enabled=False,
    sku_name="standard",
    # Read-only access for the deploying principal
    access_policy=[{
        "tenant_id": current.tenant_id,
        "object_id": current.object_id,
        "key_permissions": ["get"],
        "secret_permissions": ["get"],
        "storage_permissions": ["get"],
    }],
    # Deny by default; only trusted Azure services bypass the network rules
    network_acls={
        "default_action": "Deny",
        "bypass": "AzureServices",
    },
    tags={
        "environment": "Testing",
    })

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • access_policies (pulumi.Input[list]) – A list of up to 16 objects describing access policies, as described below.

  • enabled_for_deployment (pulumi.Input[bool]) – Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.

  • enabled_for_disk_encryption (pulumi.Input[bool]) – Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.

  • enabled_for_template_deployment (pulumi.Input[bool]) – Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.

  • location (pulumi.Input[str]) – Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

  • name (pulumi.Input[str]) – Specifies the name of the Key Vault. Changing this forces a new resource to be created.

  • network_acls (pulumi.Input[dict]) – A network_acls block as defined below.

  • purge_protection_enabled (pulumi.Input[bool]) – Is Purge Protection enabled for this Key Vault? Defaults to false.

  • resource_group_name (pulumi.Input[str]) – The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.

  • sku_name (pulumi.Input[str]) – The Name of the SKU used for this Key Vault. Possible values are standard and premium.

  • soft_delete_enabled (pulumi.Input[bool]) – Should Soft Delete be enabled for this Key Vault? Defaults to false.

  • tags (pulumi.Input[dict]) – A mapping of tags to assign to the resource.

  • tenant_id (pulumi.Input[str]) – The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

The access_policies object supports the following:

  • application_id (pulumi.Input[str]) - The object ID of an Application in Azure Active Directory.

  • certificate_permissions (pulumi.Input[list]) - List of certificate permissions, must be one or more from the following: backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers and update.

  • key_permissions (pulumi.Input[list]) - List of key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey.

  • object_id (pulumi.Input[str]) - The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.

  • secret_permissions (pulumi.Input[list]) - List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set.

  • storage_permissions (pulumi.Input[list]) - List of storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update.

  • tenant_id (pulumi.Input[str]) - The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the tenant_id used above.

The network_acls object supports the following:

  • bypass (pulumi.Input[str]) - Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.

  • default_action (pulumi.Input[str]) - The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny.

  • ip_rules (pulumi.Input[list]) - One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.

  • virtual_network_subnet_ids (pulumi.Input[list]) - One or more Subnet IDs which should be able to access this Key Vault.
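As an added example (not provider code), the linter below checks an access_policies list and a network_acls block against the rules stated above (the documented permission values, the 16-policy limit, unique object IDs, the tenant_id match, and the Allow/Deny and bypass values) before they are passed to azure.keyvault.KeyVault; the warning-level findings are a defender's reading of those rules, and the tenant and object IDs it uses are constructed placeholders.

```python
# Added example, not pulumi-azure code: lint access_policies and network_acls
# dicts against the rules documented for azure.keyvault.KeyVault.

CERTIFICATE_PERMISSIONS = {
    "backup", "create", "delete", "deleteissuers", "get", "getissuers", "import",
    "list", "listissuers", "managecontacts", "manageissuers", "purge", "recover",
    "restore", "setissuers", "update",
}
KEY_PERMISSIONS = {
    "backup", "create", "decrypt", "delete", "encrypt", "get", "import", "list",
    "purge", "recover", "restore", "sign", "unwrapKey", "update", "verify", "wrapKey",
}
SECRET_PERMISSIONS = {"backup", "delete", "get", "list", "purge", "recover", "restore", "set"}
STORAGE_PERMISSIONS = {
    "backup", "delete", "deletesas", "get", "getsas", "list", "listsas", "purge",
    "recover", "regeneratekey", "restore", "set", "setsas", "update",
}
PERMISSION_SETS = {
    "certificate_permissions": CERTIFICATE_PERMISSIONS,
    "key_permissions": KEY_PERMISSIONS,
    "secret_permissions": SECRET_PERMISSIONS,
    "storage_permissions": STORAGE_PERMISSIONS,
}
MAX_ACCESS_POLICIES = 16


def lint_access_policies(vault_tenant_id, access_policies):
    """Return (errors, warnings) for the access_policies list of one KeyVault."""
    errors, warnings = [], []
    if len(access_policies) > MAX_ACCESS_POLICIES:
        errors.append(f"{len(access_policies)} access policies; the resource allows "
                      f"at most {MAX_ACCESS_POLICIES}")
    seen = set()
    for i, pol in enumerate(access_policies):
        oid = pol.get("object_id")
        if oid in seen:
            errors.append(f"policy[{i}]: object_id {oid} already has a policy")
        seen.add(oid)
        if pol.get("tenant_id") != vault_tenant_id:
            errors.append(f"policy[{i}]: tenant_id must match the vault tenant_id")
        granted_any = False
        for field, allowed in PERMISSION_SETS.items():
            values = pol.get(field) or []
            granted_any = granted_any or bool(values)
            unknown = set(values) - allowed
            if unknown:
                errors.append(f"policy[{i}].{field}: unknown values {sorted(unknown)} "
                              "(values are case-sensitive)")
            if "purge" in values:
                # purge permanently removes soft-deleted objects; grant it deliberately
                warnings.append(f"policy[{i}].{field}: grants purge")
        if not granted_any:
            warnings.append(f"policy[{i}]: grants no permissions")
    return errors, warnings


def lint_network_acls(network_acls):
    """Return (errors, warnings) for the optional network_acls block."""
    errors, warnings = [], []
    if network_acls is None:
        warnings.append("no network_acls block: no network restriction is applied")
        return errors, warnings
    action = network_acls.get("default_action")
    if action not in {"Allow", "Deny"}:
        errors.append(f"default_action {action!r} must be Allow or Deny")
    bypass = network_acls.get("bypass")
    if bypass not in {"AzureServices", "None"}:
        errors.append(f"bypass {bypass!r} must be AzureServices or None")
    has_rules = bool(network_acls.get("ip_rules")) or bool(
        network_acls.get("virtual_network_subnet_ids"))
    if action == "Allow":
        warnings.append("default_action Allow: ip_rules / virtual_network_subnet_ids "
                        "do not restrict access")
    elif action == "Deny" and not has_rules:
        warnings.append("default_action Deny with no ip_rules or subnet IDs: only "
                        "bypassed traffic is admitted; confirm this is intended")
    return errors, warnings


if __name__ == "__main__":
    # Constructed placeholder IDs, not real tenant or principal identifiers.
    TENANT = "00000000-0000-0000-0000-000000000000"
    policies = [
        {"tenant_id": TENANT, "object_id": "reader-sp", "secret_permissions": ["get", "list"]},
        {"tenant_id": TENANT, "object_id": "admin-sp", "key_permissions": ["Get", "purge"]},
    ]
    print(lint_access_policies(TENANT, policies))
    print(lint_network_acls({"default_action": "Deny", "bypass": "AzureServices",
                             "ip_rules": ["203.0.113.0/24"]}))
```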

access_policies: pulumi.Output[list] = None

A list of up to 16 objects describing access policies, as described below.

  • application_id (str) - The object ID of an Application in Azure Active Directory.

  • certificate_permissions (list) - List of certificate permissions, must be one or more from the following: backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers and update.

  • key_permissions (list) - List of key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey.

  • object_id (str) - The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.

  • secret_permissions (list) - List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set.

  • storage_permissions (list) - List of storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update.

  • tenant_id (str) - The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the tenant_id used above.

enabled_for_deployment: pulumi.Output[bool] = None

Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.

enabled_for_disk_encryption: pulumi.Output[bool] = None

Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.

enabled_for_template_deployment: pulumi.Output[bool] = None

Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.

location: pulumi.Output[str] = None

Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

name: pulumi.Output[str] = None

Specifies the name of the Key Vault. Changing this forces a new resource to be created.

network_acls: pulumi.Output[dict] = None

A network_acls block as defined below.

  • bypass (str) - Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.

  • default_action (str) - The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny.

  • ip_rules (list) - One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.

  • virtual_network_subnet_ids (list) - One or more Subnet IDs which should be able to access this Key Vault.

purge_protection_enabled: pulumi.Output[bool] = None

Is Purge Protection enabled for this Key Vault? Defaults to false. Purge protection requires soft_delete_enabled to be true and, once enabled on a vault, cannot be disabled again; soft-deleted vaults and objects can then not be purged before the retention period ends.

resource_group_name: pulumi.Output[str] = None

The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.

sku_name: pulumi.Output[str] = None

The Name of the SKU used for this Key Vault. Possible values are standard and premium.

soft_delete_enabled: pulumi.Output[bool] = None

Should Soft Delete be enabled for this Key Vault? Defaults to false.

tags: pulumi.Output[dict] = None

A mapping of tags to assign to the resource.

tenant_id: pulumi.Output[str] = None

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

vault_uri: pulumi.Output[str] = None

The URI of the Key Vault, used for performing operations on keys and secrets.

static get(resource_name, id, opts=None, access_policies=None, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, location=None, name=None, network_acls=None, purge_protection_enabled=None, resource_group_name=None, sku_name=None, soft_delete_enabled=None, tags=None, tenant_id=None, vault_uri=None)

Get an existing KeyVault resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • access_policies (pulumi.Input[list]) – A list of up to 1024 objects describing access policies, as described below.

  • enabled_for_deployment (pulumi.Input[bool]) – Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false.

  • enabled_for_disk_encryption (pulumi.Input[bool]) – Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false.

  • enabled_for_template_deployment (pulumi.Input[bool]) – Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false.

  • location (pulumi.Input[str]) – Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

  • name (pulumi.Input[str]) – Specifies the name of the Key Vault. Changing this forces a new resource to be created.

  • network_acls (pulumi.Input[dict]) – A network_acls block as defined below.

  • purge_protection_enabled (pulumi.Input[bool]) – Is Purge Protection enabled for this Key Vault? Defaults to false. Requires soft_delete_enabled to be true and cannot be disabled once enabled.

  • resource_group_name (pulumi.Input[str]) – The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.

  • sku_name (pulumi.Input[str]) – The Name of the SKU used for this Key Vault. Possible values are standard and premium.

  • soft_delete_enabled (pulumi.Input[bool]) – Should Soft Delete be enabled for this Key Vault? Defaults to false.

  • tags (pulumi.Input[dict]) – A mapping of tags to assign to the resource.

  • tenant_id (pulumi.Input[str]) – The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

  • vault_uri (pulumi.Input[str]) – The URI of the Key Vault, used for performing operations on keys and secrets.

The access_policies object supports the following:

  • application_id (pulumi.Input[str]) - The object ID of an Application in Azure Active Directory.

  • certificate_permissions (pulumi.Input[list]) - List of certificate permissions, must be one or more from the following: backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers and update.

  • key_permissions (pulumi.Input[list]) - List of key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey.

  • object_id (pulumi.Input[str]) - The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.

  • secret_permissions (pulumi.Input[list]) - List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set.

  • storage_permissions (pulumi.Input[list]) - List of storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update.

  • tenant_id (pulumi.Input[str]) - The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the tenant_id used above.

The network_acls object supports the following:

  • bypass (pulumi.Input[str]) - Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.

  • default_action (pulumi.Input[str]) - The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny.

  • ip_rules (pulumi.Input[list]) - One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.

  • virtual_network_subnet_ids (pulumi.Input[list]) - One or more Subnet IDs which should be able to access this Key Vault.
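The following is an added example, not code from the Pulumi or Terraform provider documentation. It builds the argument dict for a keyvault.KeyVault with the hardening choices the properties above allow (deny-by-default network_acls, soft delete plus purge protection, two least-privilege access policies) and lints it against the rules stated on this page before the resource is created: permission names must come from the documented lists, object_id must be unique per policy, tenant_id must match the vault, and at most 1024 policies are allowed. The helper names (hardened_key_vault_args, lint_key_vault_args, create_key_vault), the sample tenant, subnet and object IDs, and the choice to reject any policy that grants purge are this example's own; the only provider call is the documented keyvault.KeyVault constructor, imported lazily so the helpers also run outside a Pulumi program.

```python
# Added example; helper names and sample IDs are this example's own.
from typing import Any, Dict, List

# Permission vocabularies as documented for the access_policies object above.
CERT_PERMS = {"backup", "create", "delete", "deleteissuers", "get", "getissuers", "import",
              "list", "listissuers", "managecontacts", "manageissuers", "purge", "recover",
              "restore", "setissuers", "update"}
KEY_PERMS = {"backup", "create", "decrypt", "delete", "encrypt", "get", "import", "list",
             "purge", "recover", "restore", "sign", "unwrapKey", "update", "verify", "wrapKey"}
SECRET_PERMS = {"backup", "delete", "get", "list", "purge", "recover", "restore", "set"}
STORAGE_PERMS = {"backup", "delete", "deletesas", "get", "getsas", "list", "listsas", "purge",
                 "recover", "regeneratekey", "restore", "set", "setsas", "update"}
MAX_ACCESS_POLICIES = 1024  # Azure's per-vault limit


def hardened_key_vault_args(tenant_id: str, resource_group_name: str, location: str,
                            allowed_subnet_ids: List[str], admin_object_id: str,
                            app_object_id: str) -> Dict[str, Any]:
    """Argument dict for keyvault.KeyVault: deny-by-default networking, soft delete
    with purge protection, and two least-privilege access policies."""
    return {
        "tenant_id": tenant_id,
        "resource_group_name": resource_group_name,
        "location": location,
        "sku_name": "standard",
        "soft_delete_enabled": True,
        "purge_protection_enabled": True,  # needs soft delete; cannot be switched off later
        "enabled_for_deployment": False,
        "enabled_for_disk_encryption": False,
        "enabled_for_template_deployment": False,
        "network_acls": {
            "default_action": "Deny",        # only listed subnets (and bypassed services) get in
            "bypass": "AzureServices",
            "ip_rules": [],
            "virtual_network_subnet_ids": list(allowed_subnet_ids),
        },
        "access_policies": [
            {   # operator: manage secrets/keys, but no purge, so deletions stay recoverable
                "tenant_id": tenant_id,
                "object_id": admin_object_id,
                "secret_permissions": ["get", "list", "set", "delete", "recover", "backup", "restore"],
                "key_permissions": ["get", "list", "create", "delete", "recover", "backup", "restore"],
            },
            {   # workload: read secrets, use keys in place without exporting them
                "tenant_id": tenant_id,
                "object_id": app_object_id,
                "secret_permissions": ["get"],
                "key_permissions": ["get", "sign", "verify", "wrapKey", "unwrapKey"],
            },
        ],
    }


def lint_key_vault_args(args: Dict[str, Any]) -> List[str]:
    """Return the findings that should block deployment of a KeyVault config."""
    findings: List[str] = []
    acls = args.get("network_acls") or {}
    if acls.get("default_action") != "Deny":
        findings.append("network_acls.default_action is not Deny")
    if not args.get("soft_delete_enabled"):
        findings.append("soft_delete_enabled is off")
    if args.get("purge_protection_enabled") and not args.get("soft_delete_enabled"):
        findings.append("purge_protection_enabled requires soft_delete_enabled")
    policies = args.get("access_policies") or []
    if len(policies) > MAX_ACCESS_POLICIES:
        findings.append(f"{len(policies)} access policies exceeds the {MAX_ACCESS_POLICIES} limit")
    allowed = {"certificate_permissions": CERT_PERMS, "key_permissions": KEY_PERMS,
               "secret_permissions": SECRET_PERMS, "storage_permissions": STORAGE_PERMS}
    seen = set()
    for i, policy in enumerate(policies):
        oid = policy.get("object_id")
        if oid in seen:  # the page requires object_id to be unique across policies
            findings.append(f"access_policies[{i}]: duplicate object_id {oid}")
        seen.add(oid)
        if policy.get("tenant_id") != args.get("tenant_id"):
            findings.append(f"access_policies[{i}]: tenant_id does not match the vault")
        for field, valid in allowed.items():
            perms = policy.get(field) or []
            unknown = sorted(set(perms) - valid)
            if unknown:
                findings.append(f"access_policies[{i}]: unknown {field} {unknown}")
            if "purge" in perms:  # this example's policy: nobody bypasses soft delete
                findings.append(f"access_policies[{i}]: {field} grants purge")
    return findings


def create_key_vault(resource_name: str, args: Dict[str, Any]):
    """Create the vault only if the lint passes. pulumi_azure is imported here so the
    helpers above stay importable without the provider installed."""
    problems = lint_key_vault_args(args)
    if problems:
        raise ValueError("refusing to create Key Vault: " + "; ".join(problems))
    import pulumi_azure as azure
    return azure.keyvault.KeyVault(resource_name, **args)
```

In a program, pass the real tenant and object IDs (for example from azure.core.get_client_config()) into hardened_key_vault_args and hand the result to create_key_vault; the lint runs at preview time, so an over-broad policy or an Allow default action fails the pulumi up before anything reaches Azure.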

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azure.keyvault.Secret(resource_name, opts=None, content_type=None, expiration_date=None, key_vault_id=None, name=None, not_before_date=None, tags=None, value=None, __props__=None, __name__=None, __opts__=None)

Manages a Key Vault Secret. The value is a resource input and is therefore written to the Pulumi state file; supply it from an encrypted config secret or wrap it with pulumi.Output.secret rather than hard-coding it in the program.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • content_type (pulumi.Input[str]) – Specifies the content type for the Key Vault Secret.

  • expiration_date (pulumi.Input[str]) – Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

  • key_vault_id (pulumi.Input[str]) – The ID of the Key Vault where the Secret should be created.

  • name (pulumi.Input[str]) – Specifies the name of the Key Vault Secret. Changing this forces a new resource to be created.

  • not_before_date (pulumi.Input[str]) – Secret not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

  • tags (pulumi.Input[dict]) – A mapping of tags to assign to the resource.

  • value (pulumi.Input[str]) – Specifies the value of the Key Vault Secret.
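The following is an added example, not code from the provider documentation. It renders not_before_date and expiration_date in the Y-m-d'T'H:M:S'Z' format the parameters above require, rejects a window whose expiry is not after its activation, offers a rotation check on the resulting args, and creates the Secret with its value read from an encrypted Pulumi config entry so the plain text never appears in the program or in unencrypted state. The helper names (kv_timestamp, secret_args, expires_within, create_secret), the sample vault ID and secret name, and the ttl_days convention are this example's own; pulumi.Config().require_secret and keyvault.Secret are the real APIs, imported lazily so the time helpers run stand-alone.

```python
# Added example; helper names and sample values are this example's own.
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Optional

KV_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # the Y-m-d'T'H:M:S'Z' form Key Vault expects


def kv_timestamp(t: datetime) -> str:
    """Render a timezone-aware datetime as a UTC Key Vault timestamp string."""
    if t.tzinfo is None:
        raise ValueError("naive datetime; pass a timezone-aware value")
    return t.astimezone(timezone.utc).strftime(KV_TIME_FORMAT)


def secret_args(key_vault_id: str, name: str, ttl_days: int, content_type: str,
                now: Optional[datetime] = None, activate_in_minutes: int = 0) -> Dict[str, Any]:
    """Argument dict (everything except value) for keyvault.Secret with a bounded lifetime."""
    if ttl_days <= 0:
        raise ValueError("ttl_days must be positive")
    now = now or datetime.now(timezone.utc)
    not_before = now + timedelta(minutes=activate_in_minutes)
    expires = now + timedelta(days=ttl_days)
    if expires <= not_before:
        raise ValueError("expiration_date must be after not_before_date")
    return {
        "key_vault_id": key_vault_id,
        "name": name,
        "content_type": content_type,
        "not_before_date": kv_timestamp(not_before),
        "expiration_date": kv_timestamp(expires),
        "tags": {"managed-by": "pulumi"},
    }


def expires_within(args: Dict[str, Any], days: int, now: Optional[datetime] = None) -> bool:
    """True if the secret described by args expires within `days`; use it to schedule rotation."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.strptime(args["expiration_date"], KV_TIME_FORMAT).replace(tzinfo=timezone.utc)
    return expires - now <= timedelta(days=days)


def create_secret(resource_name: str, config_key: str, args: Dict[str, Any]):
    """Create the Secret inside a Pulumi program. The value comes from an encrypted
    config entry (set with `pulumi config set --secret <key> ...`), so Pulumi keeps it
    encrypted in state instead of storing plain text."""
    import pulumi
    import pulumi_azure as azure
    value = pulumi.Config().require_secret(config_key)
    return azure.keyvault.Secret(resource_name, value=value, **args)
```

Because require_secret returns a secret Output, every resource property derived from it (here, value) is encrypted in the state file; combine expires_within with the ttl you chose so a secret is re-issued before Key Vault starts rejecting it at expiration_date.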

content_type: pulumi.Output[str] = None

Specifies the content type for the Key Vault Secret.

expiration_date: pulumi.Output[str] = None

Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

key_vault_id: pulumi.Output[str] = None

The ID of the Key Vault where the Secret should be created.

name: pulumi.Output[str] = None

Specifies the name of the Key Vault Secret. Changing this forces a new resource to be created.

not_before_date: pulumi.Output[str] = None

Secret not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

tags: pulumi.Output[dict] = None

A mapping of tags to assign to the resource.

value: pulumi.Output[str] = None

Specifies the value of the Key Vault Secret.

version: pulumi.Output[str] = None

The current version of the Key Vault Secret.

static get(resource_name, id, opts=None, content_type=None, expiration_date=None, key_vault_id=None, name=None, not_before_date=None, tags=None, value=None, version=None)

Get an existing Secret resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • content_type (pulumi.Input[str]) – Specifies the content type for the Key Vault Secret.

  • expiration_date (pulumi.Input[str]) – Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

  • key_vault_id (pulumi.Input[str]) – The ID of the Key Vault where the Secret should be created.

  • name (pulumi.Input[str]) – Specifies the name of the Key Vault Secret. Changing this forces a new resource to be created.

  • not_before_date (pulumi.Input[str]) – Secret not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

  • tags (pulumi.Input[dict]) – A mapping of tags to assign to the resource.

  • value (pulumi.Input[str]) – Specifies the value of the Key Vault Secret.

  • version (pulumi.Input[str]) – The current version of the Key Vault Secret.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

pulumi_azure.keyvault.get_access_policy(name=None, opts=None)

Use this data source to access the permission sets defined by the built-in Key Vault management templates, so an access policy can be granted a named template instead of a hand-written permission list.

import pulumi
import pulumi_azure as azure

contributor = azure.keyvault.get_access_policy(name="Key Management")
pulumi.export("accessPolicyKeyPermissions", contributor.key_permissions)
Parameters

name (str) – Specifies the name of the Management Template. Possible values are: Key Management, Secret Management, Certificate Management, Key & Secret Management, Key & Certificate Management, Secret & Certificate Management, Key, Secret, & Certificate Management

pulumi_azure.keyvault.get_certificate(key_vault_id=None, name=None, version=None, opts=None)

Use this data source to access information about an existing Key Vault Certificate.

Note: All arguments including the secret value will be stored in the raw state as plain-text. Read more about sensitive data in state.

import pulumi
import pulumi_azure as azure

example_key_vault = azure.keyvault.get_key_vault(name="examplekv",
    resource_group_name="some-resource-group")
example_certificate = azure.keyvault.get_certificate(name="secret-sauce",
    key_vault_id=example_key_vault.id)
pulumi.export("certificateThumbprint", example_certificate.thumbprint)
Parameters
  • key_vault_id (str) – Specifies the ID of the Key Vault instance where the Certificate resides, available on the keyvault.KeyVault Data Source / Resource.

  • name (str) – Specifies the name of the Key Vault Certificate.

  • version (str) – Specifies the version of the certificate to look up. (Defaults to latest)

pulumi_azure.keyvault.get_key(key_vault_id=None, name=None, opts=None)

Use this data source to access information about an existing Key Vault Key.

import pulumi
import pulumi_azure as azure

# Look the vault up by name and resource group rather than via a Terraform
# data[...] reference, which does not exist in a Pulumi program.
existing = azure.keyvault.get_key_vault(name="examplekv",
    resource_group_name="some-resource-group")
example = azure.keyvault.get_key(name="secret-sauce",
    key_vault_id=existing.id)
pulumi.export("keyType", example.key_type)
Parameters
  • key_vault_id (str) – Specifies the ID of the Key Vault instance where the Key resides, available on the keyvault.KeyVault Data Source / Resource.

  • name (str) – Specifies the name of the Key Vault Key.

pulumi_azure.keyvault.get_key_vault(name=None, resource_group_name=None, opts=None)

Use this data source to access information about an existing Key Vault.

import pulumi
import pulumi_azure as azure

example = azure.keyvault.get_key_vault(name="mykeyvault",
    resource_group_name="some-resource-group")
pulumi.export("vaultUri", example.vault_uri)
Parameters
  • name (str) – Specifies the name of the Key Vault.

  • resource_group_name (str) – The name of the Resource Group in which the Key Vault exists.

pulumi_azure.keyvault.get_secret(key_vault_id=None, name=None, opts=None)

Use this data source to access information about an existing Key Vault Secret.

Note: All arguments including the secret value will be stored in the raw state as plain-text. Read more about sensitive data in state.

import pulumi
import pulumi_azure as azure

# Look the vault up by name and resource group rather than via a Terraform
# data[...] reference, which does not exist in a Pulumi program.
existing = azure.keyvault.get_key_vault(name="examplekv",
    resource_group_name="some-resource-group")
example = azure.keyvault.get_secret(name="secret-sauce",
    key_vault_id=existing.id)
# Stack outputs are written to state and shown by `pulumi stack output`;
# mark the value as secret so it is encrypted rather than stored in plain text.
pulumi.export("secretValue", pulumi.Output.secret(example.value))
Parameters
  • key_vault_id (str) – Specifies the ID of the Key Vault instance where the Secret resides, available on the keyvault.KeyVault Data Source / Resource.

  • name (str) – Specifies the name of the Key Vault Secret.