Key
Manages a Key Vault Key.
Example Usage
Note: To use this resource, your client should have RBAC roles with permissions like
Key Vault Crypto OfficerorKey Vault Administratoror an assigned Key Vault Access Policy with permissionsCreate,Delete,Get,Purge,Recover,UpdateandGetRotationPolicyfor keys without Rotation Policy. IncludeSetRotationPolicyfor keys with Rotation Policy. Note: The Azure Provider includes a Feature Toggle which will purge a Key Vault Key resource on destroy, rather than the default soft-delete. Seepurge_soft_deleted_keys_on_destroyfor more information.
Additional Examples
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const current = azure.core.getClientConfig({});
const example = new azure.core.ResourceGroup("example", {
name: "example-resources",
location: "West Europe",
});
const exampleKeyVault = new azure.keyvault.KeyVault("example", {
name: "examplekeyvault",
location: example.location,
resourceGroupName: example.name,
tenantId: current.then(current => current.tenantId),
skuName: "premium",
softDeleteRetentionDays: 7,
accessPolicies: [{
tenantId: current.then(current => current.tenantId),
objectId: current.then(current => current.objectId),
keyPermissions: [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"GetRotationPolicy",
"SetRotationPolicy",
],
secretPermissions: ["Set"],
}],
});
const generated = new azure.keyvault.Key("generated", {
name: "generated-certificate",
keyVaultId: exampleKeyVault.id,
keyType: "RSA",
keySize: 2048,
keyOpts: [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
],
rotationPolicy: {
automatic: {
timeBeforeExpiry: "P30D",
},
expireAfter: "P90D",
notifyBeforeExpiry: "P29D",
},
});Content copied to clipboard
import pulumi
import pulumi_azure as azure
current = azure.core.get_client_config()
example = azure.core.ResourceGroup("example",
name="example-resources",
location="West Europe")
example_key_vault = azure.keyvault.KeyVault("example",
name="examplekeyvault",
location=example.location,
resource_group_name=example.name,
tenant_id=current.tenant_id,
sku_name="premium",
soft_delete_retention_days=7,
access_policies=[{
"tenant_id": current.tenant_id,
"object_id": current.object_id,
"key_permissions": [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"GetRotationPolicy",
"SetRotationPolicy",
],
"secret_permissions": ["Set"],
}])
generated = azure.keyvault.Key("generated",
name="generated-certificate",
key_vault_id=example_key_vault.id,
key_type="RSA",
key_size=2048,
key_opts=[
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
],
rotation_policy={
"automatic": {
"time_before_expiry": "P30D",
},
"expire_after": "P90D",
"notify_before_expiry": "P29D",
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var current = Azure.Core.GetClientConfig.Invoke();
var example = new Azure.Core.ResourceGroup("example", new()
{
Name = "example-resources",
Location = "West Europe",
});
var exampleKeyVault = new Azure.KeyVault.KeyVault("example", new()
{
Name = "examplekeyvault",
Location = example.Location,
ResourceGroupName = example.Name,
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
SkuName = "premium",
SoftDeleteRetentionDays = 7,
AccessPolicies = new[]
{
new Azure.KeyVault.Inputs.KeyVaultAccessPolicyArgs
{
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
ObjectId = current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
KeyPermissions = new[]
{
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"GetRotationPolicy",
"SetRotationPolicy",
},
SecretPermissions = new[]
{
"Set",
},
},
},
});
var generated = new Azure.KeyVault.Key("generated", new()
{
Name = "generated-certificate",
KeyVaultId = exampleKeyVault.Id,
KeyType = "RSA",
KeySize = 2048,
KeyOpts = new[]
{
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
},
RotationPolicy = new Azure.KeyVault.Inputs.KeyRotationPolicyArgs
{
Automatic = new Azure.KeyVault.Inputs.KeyRotationPolicyAutomaticArgs
{
TimeBeforeExpiry = "P30D",
},
ExpireAfter = "P90D",
NotifyBeforeExpiry = "P29D",
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/keyvault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := core.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
Name: pulumi.String("example-resources"),
Location: pulumi.String("West Europe"),
})
if err != nil {
return err
}
exampleKeyVault, err := keyvault.NewKeyVault(ctx, "example", &keyvault.KeyVaultArgs{
Name: pulumi.String("examplekeyvault"),
Location: example.Location,
ResourceGroupName: example.Name,
TenantId: pulumi.String(current.TenantId),
SkuName: pulumi.String("premium"),
SoftDeleteRetentionDays: pulumi.Int(7),
AccessPolicies: keyvault.KeyVaultAccessPolicyArray{
&keyvault.KeyVaultAccessPolicyArgs{
TenantId: pulumi.String(current.TenantId),
ObjectId: pulumi.String(current.ObjectId),
KeyPermissions: pulumi.StringArray{
pulumi.String("Create"),
pulumi.String("Delete"),
pulumi.String("Get"),
pulumi.String("Purge"),
pulumi.String("Recover"),
pulumi.String("Update"),
pulumi.String("GetRotationPolicy"),
pulumi.String("SetRotationPolicy"),
},
SecretPermissions: pulumi.StringArray{
pulumi.String("Set"),
},
},
},
})
if err != nil {
return err
}
_, err = keyvault.NewKey(ctx, "generated", &keyvault.KeyArgs{
Name: pulumi.String("generated-certificate"),
KeyVaultId: exampleKeyVault.ID(),
KeyType: pulumi.String("RSA"),
KeySize: pulumi.Int(2048),
KeyOpts: pulumi.StringArray{
pulumi.String("decrypt"),
pulumi.String("encrypt"),
pulumi.String("sign"),
pulumi.String("unwrapKey"),
pulumi.String("verify"),
pulumi.String("wrapKey"),
},
RotationPolicy: &keyvault.KeyRotationPolicyArgs{
Automatic: &keyvault.KeyRotationPolicyAutomaticArgs{
TimeBeforeExpiry: pulumi.String("P30D"),
},
ExpireAfter: pulumi.String("P90D"),
NotifyBeforeExpiry: pulumi.String("P29D"),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.keyvault.KeyVault;
import com.pulumi.azure.keyvault.KeyVaultArgs;
import com.pulumi.azure.keyvault.inputs.KeyVaultAccessPolicyArgs;
import com.pulumi.azure.keyvault.Key;
import com.pulumi.azure.keyvault.KeyArgs;
import com.pulumi.azure.keyvault.inputs.KeyRotationPolicyArgs;
import com.pulumi.azure.keyvault.inputs.KeyRotationPolicyAutomaticArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = CoreFunctions.getClientConfig();
var example = new ResourceGroup("example", ResourceGroupArgs.builder()
.name("example-resources")
.location("West Europe")
.build());
var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()
.name("examplekeyvault")
.location(example.location())
.resourceGroupName(example.name())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.skuName("premium")
.softDeleteRetentionDays(7)
.accessPolicies(KeyVaultAccessPolicyArgs.builder()
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.objectId(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.keyPermissions(
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"GetRotationPolicy",
"SetRotationPolicy")
.secretPermissions("Set")
.build())
.build());
var generated = new Key("generated", KeyArgs.builder()
.name("generated-certificate")
.keyVaultId(exampleKeyVault.id())
.keyType("RSA")
.keySize(2048)
.keyOpts(
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey")
.rotationPolicy(KeyRotationPolicyArgs.builder()
.automatic(KeyRotationPolicyAutomaticArgs.builder()
.timeBeforeExpiry("P30D")
.build())
.expireAfter("P90D")
.notifyBeforeExpiry("P29D")
.build())
.build());
}
}Content copied to clipboard
resources:
example:
type: azure:core:ResourceGroup
properties:
name: example-resources
location: West Europe
exampleKeyVault:
type: azure:keyvault:KeyVault
name: example
properties:
name: examplekeyvault
location: ${example.location}
resourceGroupName: ${example.name}
tenantId: ${current.tenantId}
skuName: premium
softDeleteRetentionDays: 7
accessPolicies:
- tenantId: ${current.tenantId}
objectId: ${current.objectId}
keyPermissions:
- Create
- Delete
- Get
- Purge
- Recover
- Update
- GetRotationPolicy
- SetRotationPolicy
secretPermissions:
- Set
generated:
type: azure:keyvault:Key
properties:
name: generated-certificate
keyVaultId: ${exampleKeyVault.id}
keyType: RSA
keySize: 2048
keyOpts:
- decrypt
- encrypt
- sign
- unwrapKey
- verify
- wrapKey
rotationPolicy:
automatic:
timeBeforeExpiry: P30D
expireAfter: P90D
notifyBeforeExpiry: P29D
variables:
current:
fn::invoke:
function: azure:core:getClientConfig
arguments: {}Content copied to clipboard
Import
Key Vault Key which is Enabled can be imported using the resource id, e.g.
$ pulumi import azure:keyvault/key:Key example "https://example-keyvault.vault.azure.net/keys/example/fdf067c93bbb4b22bff4d8b7a9a56217"Content copied to clipboard
Properties
Link copied to clipboard
Specifies the curve to use when creating an EC key. Possible values are P-256, P-256K, P-384, and P-521. This field will be required in a future release if key_type is EC or EC-HSM. The API will default to P-256 if nothing is specified. Changing this forces a new resource to be created.
Link copied to clipboard
Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
Link copied to clipboard
The ID of the Key Vault where the Key should be created. Changing this forces a new resource to be created.
Link copied to clipboard
Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
Link copied to clipboard
The OpenSSH encoded public key of this Key Vault Key.
Link copied to clipboard
The PEM encoded public key of this Key Vault Key.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
The (Versioned) ID for this Key Vault Key. This property points to a specific version of a Key Vault Key, as such using this won't auto-rotate values if used in other Azure Services.
Link copied to clipboard
The Versionless ID of the Key Vault Key. This property allows other Azure Services (that support it) to auto-rotate their value when the Key Vault Key is updated.
Link copied to clipboard
A rotation_policy block as defined below.
Link copied to clipboard
The Base ID of the Key Vault Key.