Access
data class AccessPolicyArgs(val applicationId: Output<String>? = null, val certificatePermissions: Output<List<String>>? = null, val keyPermissions: Output<List<String>>? = null, val keyVaultId: Output<String>? = null, val objectId: Output<String>? = null, val secretPermissions: Output<List<String>>? = null, val storagePermissions: Output<List<String>>? = null, val tenantId: Output<String>? = null) : ConvertibleToJava<AccessPolicyArgs>
Manages a Key Vault Access Policy.
NOTE: It's possible to define Key Vault Access Policies both within the
azure.keyvault.KeyVaultresource via theaccess_policyblock and by using theazure.keyvault.AccessPolicyresource. However it's not possible to use both methods to manage Access Policies within a KeyVault, since there'll be conflicts. NOTE: Azure permits a maximum of 1024 Access Policies per Key Vault - more information can be found in this document.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
import * as azuread from "@pulumi/azuread";
const current = azure.core.getClientConfig({});
const exampleResourceGroup = new azure.core.ResourceGroup("example", {
name: "example-resources",
location: "West Europe",
});
const exampleKeyVault = new azure.keyvault.KeyVault("example", {
name: "examplekeyvault",
location: exampleResourceGroup.location,
resourceGroupName: exampleResourceGroup.name,
tenantId: current.then(current => current.tenantId),
skuName: "premium",
});
const exampleAccessPolicy = new azure.keyvault.AccessPolicy("example", {
keyVaultId: exampleKeyVault.id,
tenantId: current.then(current => current.tenantId),
objectId: current.then(current => current.objectId),
keyPermissions: ["Get"],
secretPermissions: ["Get"],
});
const example = azuread.getServicePrincipal({
displayName: "example-app",
});
const example_principal = new azure.keyvault.AccessPolicy("example-principal", {
keyVaultId: exampleKeyVault.id,
tenantId: current.then(current => current.tenantId),
objectId: example.then(example => example.objectId),
keyPermissions: [
"Get",
"List",
"Encrypt",
"Decrypt",
],
});Content copied to clipboard
import pulumi
import pulumi_azure as azure
import pulumi_azuread as azuread
current = azure.core.get_client_config()
example_resource_group = azure.core.ResourceGroup("example",
name="example-resources",
location="West Europe")
example_key_vault = azure.keyvault.KeyVault("example",
name="examplekeyvault",
location=example_resource_group.location,
resource_group_name=example_resource_group.name,
tenant_id=current.tenant_id,
sku_name="premium")
example_access_policy = azure.keyvault.AccessPolicy("example",
key_vault_id=example_key_vault.id,
tenant_id=current.tenant_id,
object_id=current.object_id,
key_permissions=["Get"],
secret_permissions=["Get"])
example = azuread.get_service_principal(display_name="example-app")
example_principal = azure.keyvault.AccessPolicy("example-principal",
key_vault_id=example_key_vault.id,
tenant_id=current.tenant_id,
object_id=example.object_id,
key_permissions=[
"Get",
"List",
"Encrypt",
"Decrypt",
])Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var current = Azure.Core.GetClientConfig.Invoke();
var exampleResourceGroup = new Azure.Core.ResourceGroup("example", new()
{
Name = "example-resources",
Location = "West Europe",
});
var exampleKeyVault = new Azure.KeyVault.KeyVault("example", new()
{
Name = "examplekeyvault",
Location = exampleResourceGroup.Location,
ResourceGroupName = exampleResourceGroup.Name,
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
SkuName = "premium",
});
var exampleAccessPolicy = new Azure.KeyVault.AccessPolicy("example", new()
{
KeyVaultId = exampleKeyVault.Id,
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
ObjectId = current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
KeyPermissions = new[]
{
"Get",
},
SecretPermissions = new[]
{
"Get",
},
});
var example = AzureAD.GetServicePrincipal.Invoke(new()
{
DisplayName = "example-app",
});
var example_principal = new Azure.KeyVault.AccessPolicy("example-principal", new()
{
KeyVaultId = exampleKeyVault.Id,
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
ObjectId = example.Apply(getServicePrincipalResult => getServicePrincipalResult.ObjectId),
KeyPermissions = new[]
{
"Get",
"List",
"Encrypt",
"Decrypt",
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/keyvault"
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := core.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
exampleResourceGroup, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
Name: pulumi.String("example-resources"),
Location: pulumi.String("West Europe"),
})
if err != nil {
return err
}
exampleKeyVault, err := keyvault.NewKeyVault(ctx, "example", &keyvault.KeyVaultArgs{
Name: pulumi.String("examplekeyvault"),
Location: exampleResourceGroup.Location,
ResourceGroupName: exampleResourceGroup.Name,
TenantId: pulumi.String(current.TenantId),
SkuName: pulumi.String("premium"),
})
if err != nil {
return err
}
_, err = keyvault.NewAccessPolicy(ctx, "example", &keyvault.AccessPolicyArgs{
KeyVaultId: exampleKeyVault.ID(),
TenantId: pulumi.String(current.TenantId),
ObjectId: pulumi.String(current.ObjectId),
KeyPermissions: pulumi.StringArray{
pulumi.String("Get"),
},
SecretPermissions: pulumi.StringArray{
pulumi.String("Get"),
},
})
if err != nil {
return err
}
example, err := azuread.LookupServicePrincipal(ctx, &azuread.LookupServicePrincipalArgs{
DisplayName: pulumi.StringRef("example-app"),
}, nil)
if err != nil {
return err
}
_, err = keyvault.NewAccessPolicy(ctx, "example-principal", &keyvault.AccessPolicyArgs{
KeyVaultId: exampleKeyVault.ID(),
TenantId: pulumi.String(current.TenantId),
ObjectId: pulumi.String(example.ObjectId),
KeyPermissions: pulumi.StringArray{
pulumi.String("Get"),
pulumi.String("List"),
pulumi.String("Encrypt"),
pulumi.String("Decrypt"),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.keyvault.KeyVault;
import com.pulumi.azure.keyvault.KeyVaultArgs;
import com.pulumi.azure.keyvault.AccessPolicy;
import com.pulumi.azure.keyvault.AccessPolicyArgs;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = CoreFunctions.getClientConfig();
var exampleResourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()
.name("example-resources")
.location("West Europe")
.build());
var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()
.name("examplekeyvault")
.location(exampleResourceGroup.location())
.resourceGroupName(exampleResourceGroup.name())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.skuName("premium")
.build());
var exampleAccessPolicy = new AccessPolicy("exampleAccessPolicy", AccessPolicyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.objectId(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.keyPermissions("Get")
.secretPermissions("Get")
.build());
final var example = AzureadFunctions.getServicePrincipal(GetServicePrincipalArgs.builder()
.displayName("example-app")
.build());
var example_principal = new AccessPolicy("example-principal", AccessPolicyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.objectId(example.applyValue(getServicePrincipalResult -> getServicePrincipalResult.objectId()))
.keyPermissions(
"Get",
"List",
"Encrypt",
"Decrypt")
.build());
}
}Content copied to clipboard
resources:
exampleResourceGroup:
type: azure:core:ResourceGroup
name: example
properties:
name: example-resources
location: West Europe
exampleKeyVault:
type: azure:keyvault:KeyVault
name: example
properties:
name: examplekeyvault
location: ${exampleResourceGroup.location}
resourceGroupName: ${exampleResourceGroup.name}
tenantId: ${current.tenantId}
skuName: premium
exampleAccessPolicy:
type: azure:keyvault:AccessPolicy
name: example
properties:
keyVaultId: ${exampleKeyVault.id}
tenantId: ${current.tenantId}
objectId: ${current.objectId}
keyPermissions:
- Get
secretPermissions:
- Get
example-principal:
type: azure:keyvault:AccessPolicy
properties:
keyVaultId: ${exampleKeyVault.id}
tenantId: ${current.tenantId}
objectId: ${example.objectId}
keyPermissions:
- Get
- List
- Encrypt
- Decrypt
variables:
current:
fn::invoke:
function: azure:core:getClientConfig
arguments: {}
example:
fn::invoke:
function: azuread:getServicePrincipal
arguments:
displayName: example-appContent copied to clipboard
Import
Key Vault Access Policies can be imported using the Resource ID of the Key Vault, plus some additional metadata. If both an object_id and application_id are specified, then the Access Policy can be imported using the following code:
$ pulumi import azure:keyvault/accessPolicy:AccessPolicy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/test-vault/objectId/11111111-1111-1111-1111-111111111111/applicationId/22222222-2222-2222-2222-222222222222Content copied to clipboard
where 11111111-1111-1111-1111-111111111111 is the object_id and 22222222-2222-2222-2222-222222222222 is the application_id.
Access Policies with an object_id but no application_id can be imported using the following command:
$ pulumi import azure:keyvault/accessPolicy:AccessPolicy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/test-vault/objectId/11111111-1111-1111-1111-111111111111Content copied to clipboard
where 11111111-1111-1111-1111-111111111111 is the object_id.
Constructors
Link copied to clipboard
constructor(applicationId: Output<String>? = null, certificatePermissions: Output<List<String>>? = null, keyPermissions: Output<List<String>>? = null, keyVaultId: Output<String>? = null, objectId: Output<String>? = null, secretPermissions: Output<List<String>>? = null, storagePermissions: Output<List<String>>? = null, tenantId: Output<String>? = null)
Properties
Link copied to clipboard
The object ID of an Application in Azure Active Directory. Changing this forces a new resource to be created.
Link copied to clipboard
List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
Link copied to clipboard
List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
Link copied to clipboard
Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.
Link copied to clipboard
The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID of a service principal can be fetched from azuread_service_principal.object_id. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.
Link copied to clipboard
List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
Link copied to clipboard
List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.