Access Policy
Manages a Key Vault Access Policy.
NOTE: It's possible to define Key Vault Access Policies both within the azure.keyvault.KeyVault resource via the access_policy block and by using the azure.keyvault.AccessPolicy resource. However, it's not possible to use both methods to manage Access Policies within a Key Vault, since there'll be conflicts.
NOTE: Azure permits a maximum of 1024 Access Policies per Key Vault. More information can be found in this document.
Example Usage
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.keyvault.KeyVault;
import com.pulumi.azure.keyvault.KeyVaultArgs;
import com.pulumi.azure.keyvault.AccessPolicy;
import com.pulumi.azure.keyvault.AccessPolicyArgs;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Tenant and object ID of the identity running this program.
        final var current = CoreFunctions.getClientConfig();

        var exampleResourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()
            .location("West Europe")
            .build());

        // The vault itself carries no inline access_policy block, so all policies
        // are managed through separate AccessPolicy resources (see the NOTE above).
        var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()
            .location(exampleResourceGroup.location())
            .resourceGroupName(exampleResourceGroup.name())
            .tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
            .skuName("premium")
            .build());

        // Read-only access for the deploying identity.
        var exampleAccessPolicy = new AccessPolicy("exampleAccessPolicy", AccessPolicyArgs.builder()
            .keyVaultId(exampleKeyVault.id())
            .tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
            .objectId(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .keyPermissions("Get")
            .secretPermissions("Get")
            .build());

        // Look up an existing service principal by display name in Azure AD.
        final var exampleServicePrincipal = AzureadFunctions.getServicePrincipal(GetServicePrincipalArgs.builder()
            .displayName("example-app")
            .build());

        // Key permissions only for the service principal; no secret permissions are granted.
        var example_principal = new AccessPolicy("example-principal", AccessPolicyArgs.builder()
            .keyVaultId(exampleKeyVault.id())
            .tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
            .objectId(exampleServicePrincipal.applyValue(getServicePrincipalResult -> getServicePrincipalResult.objectId()))
            .keyPermissions(
                "Get",
                "List",
                "Encrypt",
                "Decrypt")
            .build());
    }
}
Import
Key Vault Access Policies can be imported using the Resource ID of the Key Vault, plus some additional metadata. If both an object_id and an application_id are specified, the Access Policy can be imported using the following command:

$ pulumi import azure:keyvault/accessPolicy:AccessPolicy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/test-vault/objectId/11111111-1111-1111-1111-111111111111/applicationId/22222222-2222-2222-2222-222222222222

where 11111111-1111-1111-1111-111111111111 is the object_id and 22222222-2222-2222-2222-222222222222 is the application_id.

Access Policies with an object_id but no application_id can be imported using the following command:

$ pulumi import azure:keyvault/accessPolicy:AccessPolicy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/test-vault/objectId/11111111-1111-1111-1111-111111111111

where 11111111-1111-1111-1111-111111111111 is the object_id.
Properties
The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID of a service principal can be fetched from azuread_service_principal.object_id. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.