1. Packages
  2. Azure Classic
  3. API Docs
  4. keyvault
  5. AccessPolicy

We recommend using Azure Native.

Azure Classic v6.2.0 published on Friday, Sep 27, 2024 by Pulumi

azure.keyvault.AccessPolicy

Explore with Pulumi AI

azure logo

We recommend using Azure Native.

Azure Classic v6.2.0 published on Friday, Sep 27, 2024 by Pulumi

    Manages a Key Vault Access Policy.

    NOTE: It’s possible to define Key Vault Access Policies both within the azure.keyvault.KeyVault resource via the access_policy block and by using the azure.keyvault.AccessPolicy resource. However it’s not possible to use both methods to manage Access Policies within a KeyVault, since there’ll be conflicts.

    NOTE: Azure permits a maximum of 1024 Access Policies per Key Vault - more information can be found in this document.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    import * as azuread from "@pulumi/azuread";
    
    const current = azure.core.getClientConfig({});
    const exampleResourceGroup = new azure.core.ResourceGroup("example", {
        name: "example-resources",
        location: "West Europe",
    });
    const exampleKeyVault = new azure.keyvault.KeyVault("example", {
        name: "examplekeyvault",
        location: exampleResourceGroup.location,
        resourceGroupName: exampleResourceGroup.name,
        tenantId: current.then(current => current.tenantId),
        skuName: "premium",
    });
    const exampleAccessPolicy = new azure.keyvault.AccessPolicy("example", {
        keyVaultId: exampleKeyVault.id,
        tenantId: current.then(current => current.tenantId),
        objectId: current.then(current => current.objectId),
        keyPermissions: ["Get"],
        secretPermissions: ["Get"],
    });
    const example = azuread.getServicePrincipal({
        displayName: "example-app",
    });
    const example_principal = new azure.keyvault.AccessPolicy("example-principal", {
        keyVaultId: exampleKeyVault.id,
        tenantId: current.then(current => current.tenantId),
        objectId: example.then(example => example.objectId),
        keyPermissions: [
            "Get",
            "List",
            "Encrypt",
            "Decrypt",
        ],
    });
    
    import pulumi
    import pulumi_azure as azure
    import pulumi_azuread as azuread
    
    current = azure.core.get_client_config()
    example_resource_group = azure.core.ResourceGroup("example",
        name="example-resources",
        location="West Europe")
    example_key_vault = azure.keyvault.KeyVault("example",
        name="examplekeyvault",
        location=example_resource_group.location,
        resource_group_name=example_resource_group.name,
        tenant_id=current.tenant_id,
        sku_name="premium")
    example_access_policy = azure.keyvault.AccessPolicy("example",
        key_vault_id=example_key_vault.id,
        tenant_id=current.tenant_id,
        object_id=current.object_id,
        key_permissions=["Get"],
        secret_permissions=["Get"])
    example = azuread.get_service_principal(display_name="example-app")
    example_principal = azure.keyvault.AccessPolicy("example-principal",
        key_vault_id=example_key_vault.id,
        tenant_id=current.tenant_id,
        object_id=example.object_id,
        key_permissions=[
            "Get",
            "List",
            "Encrypt",
            "Decrypt",
        ])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/keyvault"
    	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		current, err := core.GetClientConfig(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		exampleResourceGroup, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example-resources"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleKeyVault, err := keyvault.NewKeyVault(ctx, "example", &keyvault.KeyVaultArgs{
    			Name:              pulumi.String("examplekeyvault"),
    			Location:          exampleResourceGroup.Location,
    			ResourceGroupName: exampleResourceGroup.Name,
    			TenantId:          pulumi.String(current.TenantId),
    			SkuName:           pulumi.String("premium"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = keyvault.NewAccessPolicy(ctx, "example", &keyvault.AccessPolicyArgs{
    			KeyVaultId: exampleKeyVault.ID(),
    			TenantId:   pulumi.String(current.TenantId),
    			ObjectId:   pulumi.String(current.ObjectId),
    			KeyPermissions: pulumi.StringArray{
    				pulumi.String("Get"),
    			},
    			SecretPermissions: pulumi.StringArray{
    				pulumi.String("Get"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		example, err := azuread.LookupServicePrincipal(ctx, &azuread.LookupServicePrincipalArgs{
    			DisplayName: pulumi.StringRef("example-app"),
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = keyvault.NewAccessPolicy(ctx, "example-principal", &keyvault.AccessPolicyArgs{
    			KeyVaultId: exampleKeyVault.ID(),
    			TenantId:   pulumi.String(current.TenantId),
    			ObjectId:   pulumi.String(example.ObjectId),
    			KeyPermissions: pulumi.StringArray{
    				pulumi.String("Get"),
    				pulumi.String("List"),
    				pulumi.String("Encrypt"),
    				pulumi.String("Decrypt"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    using AzureAD = Pulumi.AzureAD;
    
    return await Deployment.RunAsync(() => 
    {
        var current = Azure.Core.GetClientConfig.Invoke();
    
        var exampleResourceGroup = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example-resources",
            Location = "West Europe",
        });
    
        var exampleKeyVault = new Azure.KeyVault.KeyVault("example", new()
        {
            Name = "examplekeyvault",
            Location = exampleResourceGroup.Location,
            ResourceGroupName = exampleResourceGroup.Name,
            TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
            SkuName = "premium",
        });
    
        var exampleAccessPolicy = new Azure.KeyVault.AccessPolicy("example", new()
        {
            KeyVaultId = exampleKeyVault.Id,
            TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
            ObjectId = current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
            KeyPermissions = new[]
            {
                "Get",
            },
            SecretPermissions = new[]
            {
                "Get",
            },
        });
    
        var example = AzureAD.GetServicePrincipal.Invoke(new()
        {
            DisplayName = "example-app",
        });
    
        var example_principal = new Azure.KeyVault.AccessPolicy("example-principal", new()
        {
            KeyVaultId = exampleKeyVault.Id,
            TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
            ObjectId = example.Apply(getServicePrincipalResult => getServicePrincipalResult.ObjectId),
            KeyPermissions = new[]
            {
                "Get",
                "List",
                "Encrypt",
                "Decrypt",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.CoreFunctions;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.keyvault.KeyVault;
    import com.pulumi.azure.keyvault.KeyVaultArgs;
    import com.pulumi.azure.keyvault.AccessPolicy;
    import com.pulumi.azure.keyvault.AccessPolicyArgs;
    import com.pulumi.azuread.AzureadFunctions;
    import com.pulumi.azuread.inputs.GetServicePrincipalArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var current = CoreFunctions.getClientConfig();
    
            var exampleResourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()
                .name("example-resources")
                .location("West Europe")
                .build());
    
            var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()
                .name("examplekeyvault")
                .location(exampleResourceGroup.location())
                .resourceGroupName(exampleResourceGroup.name())
                .tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
                .skuName("premium")
                .build());
    
            var exampleAccessPolicy = new AccessPolicy("exampleAccessPolicy", AccessPolicyArgs.builder()
                .keyVaultId(exampleKeyVault.id())
                .tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
                .objectId(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                .keyPermissions("Get")
                .secretPermissions("Get")
                .build());
    
            final var example = AzureadFunctions.getServicePrincipal(GetServicePrincipalArgs.builder()
                .displayName("example-app")
                .build());
    
            var example_principal = new AccessPolicy("example-principal", AccessPolicyArgs.builder()
                .keyVaultId(exampleKeyVault.id())
                .tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
                .objectId(example.applyValue(getServicePrincipalResult -> getServicePrincipalResult.objectId()))
                .keyPermissions(            
                    "Get",
                    "List",
                    "Encrypt",
                    "Decrypt")
                .build());
    
        }
    }
    
    resources:
      exampleResourceGroup:
        type: azure:core:ResourceGroup
        name: example
        properties:
          name: example-resources
          location: West Europe
      exampleKeyVault:
        type: azure:keyvault:KeyVault
        name: example
        properties:
          name: examplekeyvault
          location: ${exampleResourceGroup.location}
          resourceGroupName: ${exampleResourceGroup.name}
          tenantId: ${current.tenantId}
          skuName: premium
      exampleAccessPolicy:
        type: azure:keyvault:AccessPolicy
        name: example
        properties:
          keyVaultId: ${exampleKeyVault.id}
          tenantId: ${current.tenantId}
          objectId: ${current.objectId}
          keyPermissions:
            - Get
          secretPermissions:
            - Get
      example-principal:
        type: azure:keyvault:AccessPolicy
        properties:
          keyVaultId: ${exampleKeyVault.id}
          tenantId: ${current.tenantId}
          objectId: ${example.objectId}
          keyPermissions:
            - Get
            - List
            - Encrypt
            - Decrypt
    variables:
      current:
        fn::invoke:
          Function: azure:core:getClientConfig
          Arguments: {}
      example:
        fn::invoke:
          Function: azuread:getServicePrincipal
          Arguments:
            displayName: example-app
    

    Create AccessPolicy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new AccessPolicy(name: string, args: AccessPolicyArgs, opts?: CustomResourceOptions);
    @overload
    def AccessPolicy(resource_name: str,
                     args: AccessPolicyArgs,
                     opts: Optional[ResourceOptions] = None)
    
    @overload
    def AccessPolicy(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     key_vault_id: Optional[str] = None,
                     object_id: Optional[str] = None,
                     tenant_id: Optional[str] = None,
                     application_id: Optional[str] = None,
                     certificate_permissions: Optional[Sequence[str]] = None,
                     key_permissions: Optional[Sequence[str]] = None,
                     secret_permissions: Optional[Sequence[str]] = None,
                     storage_permissions: Optional[Sequence[str]] = None)
    func NewAccessPolicy(ctx *Context, name string, args AccessPolicyArgs, opts ...ResourceOption) (*AccessPolicy, error)
    public AccessPolicy(string name, AccessPolicyArgs args, CustomResourceOptions? opts = null)
    public AccessPolicy(String name, AccessPolicyArgs args)
    public AccessPolicy(String name, AccessPolicyArgs args, CustomResourceOptions options)
    
    type: azure:keyvault:AccessPolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args AccessPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args AccessPolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args AccessPolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args AccessPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args AccessPolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var accessPolicyResource = new Azure.KeyVault.AccessPolicy("accessPolicyResource", new()
    {
        KeyVaultId = "string",
        ObjectId = "string",
        TenantId = "string",
        ApplicationId = "string",
        CertificatePermissions = new[]
        {
            "string",
        },
        KeyPermissions = new[]
        {
            "string",
        },
        SecretPermissions = new[]
        {
            "string",
        },
        StoragePermissions = new[]
        {
            "string",
        },
    });
    
    example, err := keyvault.NewAccessPolicy(ctx, "accessPolicyResource", &keyvault.AccessPolicyArgs{
    	KeyVaultId:    pulumi.String("string"),
    	ObjectId:      pulumi.String("string"),
    	TenantId:      pulumi.String("string"),
    	ApplicationId: pulumi.String("string"),
    	CertificatePermissions: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	KeyPermissions: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	SecretPermissions: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	StoragePermissions: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    })
    
    var accessPolicyResource = new AccessPolicy("accessPolicyResource", AccessPolicyArgs.builder()
        .keyVaultId("string")
        .objectId("string")
        .tenantId("string")
        .applicationId("string")
        .certificatePermissions("string")
        .keyPermissions("string")
        .secretPermissions("string")
        .storagePermissions("string")
        .build());
    
    access_policy_resource = azure.keyvault.AccessPolicy("accessPolicyResource",
        key_vault_id="string",
        object_id="string",
        tenant_id="string",
        application_id="string",
        certificate_permissions=["string"],
        key_permissions=["string"],
        secret_permissions=["string"],
        storage_permissions=["string"])
    
    const accessPolicyResource = new azure.keyvault.AccessPolicy("accessPolicyResource", {
        keyVaultId: "string",
        objectId: "string",
        tenantId: "string",
        applicationId: "string",
        certificatePermissions: ["string"],
        keyPermissions: ["string"],
        secretPermissions: ["string"],
        storagePermissions: ["string"],
    });
    
    type: azure:keyvault:AccessPolicy
    properties:
        applicationId: string
        certificatePermissions:
            - string
        keyPermissions:
            - string
        keyVaultId: string
        objectId: string
        secretPermissions:
            - string
        storagePermissions:
            - string
        tenantId: string
    

    AccessPolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The AccessPolicy resource accepts the following input properties:

    KeyVaultId string
    Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.
    ObjectId string
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID of a service principal can be fetched from azuread_service_principal.object_id. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.
    TenantId string
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.
    ApplicationId string
    The object ID of an Application in Azure Active Directory. Changing this forces a new resource to be created.
    CertificatePermissions List<string>
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    KeyPermissions List<string>
    List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    SecretPermissions List<string>
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    StoragePermissions List<string>
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.
    KeyVaultId string
    Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.
    ObjectId string
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID of a service principal can be fetched from azuread_service_principal.object_id. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.
    TenantId string
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.
    ApplicationId string
    The object ID of an Application in Azure Active Directory. Changing this forces a new resource to be created.
    CertificatePermissions []string
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    KeyPermissions []string
    List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    SecretPermissions []string
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    StoragePermissions []string
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.
    keyVaultId String
    Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.
    objectId String
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID of a service principal can be fetched from azuread_service_principal.object_id. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.
    tenantId String
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.
    applicationId String
    The object ID of an Application in Azure Active Directory. Changing this forces a new resource to be created.
    certificatePermissions List<String>
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    keyPermissions List<String>
    List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    secretPermissions List<String>
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    storagePermissions List<String>
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.
    keyVaultId string
    Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.
    objectId string
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID of a service principal can be fetched from azuread_service_principal.object_id. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.
    tenantId string
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.
    applicationId string
    The object ID of an Application in Azure Active Directory. Changing this forces a new resource to be created.
    certificatePermissions string[]
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    keyPermissions string[]
    List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    secretPermissions string[]
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    storagePermissions string[]
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.
    key_vault_id str
    Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.
    object_id str
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID of a service principal can be fetched from azuread_service_principal.object_id. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.
    tenant_id str
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.
    application_id str
    The object ID of an Application in Azure Active Directory. Changing this forces a new resource to be created.
    certificate_permissions Sequence[str]
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    key_permissions Sequence[str]
    List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    secret_permissions Sequence[str]
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    storage_permissions Sequence[str]
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.
    keyVaultId String
    Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.
    objectId String
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID of a service principal can be fetched from azuread_service_principal.object_id. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.
    tenantId String
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.
    applicationId String
    The object ID of an Application in Azure Active Directory. Changing this forces a new resource to be created.
    certificatePermissions List<String>
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    keyPermissions List<String>
    List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    secretPermissions List<String>
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    storagePermissions List<String>
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the AccessPolicy resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing AccessPolicy Resource

    Get an existing AccessPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: AccessPolicyState, opts?: CustomResourceOptions): AccessPolicy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            application_id: Optional[str] = None,
            certificate_permissions: Optional[Sequence[str]] = None,
            key_permissions: Optional[Sequence[str]] = None,
            key_vault_id: Optional[str] = None,
            object_id: Optional[str] = None,
            secret_permissions: Optional[Sequence[str]] = None,
            storage_permissions: Optional[Sequence[str]] = None,
            tenant_id: Optional[str] = None) -> AccessPolicy
    func GetAccessPolicy(ctx *Context, name string, id IDInput, state *AccessPolicyState, opts ...ResourceOption) (*AccessPolicy, error)
    public static AccessPolicy Get(string name, Input<string> id, AccessPolicyState? state, CustomResourceOptions? opts = null)
    public static AccessPolicy get(String name, Output<String> id, AccessPolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    ApplicationId string
    The object ID of an Application in Azure Active Directory. Changing this forces a new resource to be created.
    CertificatePermissions List<string>
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    KeyPermissions List<string>
    List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    KeyVaultId string
    Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.
    ObjectId string
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID of a service principal can be fetched from azuread_service_principal.object_id. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.
    SecretPermissions List<string>
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    StoragePermissions List<string>
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.
    TenantId string
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.
    ApplicationId string
    The object ID of an Application in Azure Active Directory. Changing this forces a new resource to be created.
    CertificatePermissions []string
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    KeyPermissions []string
    List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    KeyVaultId string
    Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.
    ObjectId string
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID of a service principal can be fetched from azuread_service_principal.object_id. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.
    SecretPermissions []string
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    StoragePermissions []string
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.
    TenantId string
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.
    applicationId String
    The object ID of an Application in Azure Active Directory. Changing this forces a new resource to be created.
    certificatePermissions List<String>
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    keyPermissions List<String>
    List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    keyVaultId String
    Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.
    objectId String
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID of a service principal can be fetched from azuread_service_principal.object_id. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.
    secretPermissions List<String>
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    storagePermissions List<String>
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.
    tenantId String
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.
    applicationId string
    The object ID of an Application in Azure Active Directory. Changing this forces a new resource to be created.
    certificatePermissions string[]
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    keyPermissions string[]
    List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    keyVaultId string
    Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.
    objectId string
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID of a service principal can be fetched from azuread_service_principal.object_id. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.
    secretPermissions string[]
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    storagePermissions string[]
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.
    tenantId string
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.
    application_id str
    The object ID of an Application in Azure Active Directory. Changing this forces a new resource to be created.
    certificate_permissions Sequence[str]
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    key_permissions Sequence[str]
    List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    key_vault_id str
    Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.
    object_id str
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID of a service principal can be fetched from azuread_service_principal.object_id. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.
    secret_permissions Sequence[str]
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    storage_permissions Sequence[str]
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.
    tenant_id str
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.
    applicationId String
    The object ID of an Application in Azure Active Directory. Changing this forces a new resource to be created.
    certificatePermissions List<String>
    List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update.
    keyPermissions List<String>
    List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy and SetRotationPolicy.
    keyVaultId String
    Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.
    objectId String
    The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID of a service principal can be fetched from azuread_service_principal.object_id. The object ID must be unique for the list of access policies. Changing this forces a new resource to be created.
    secretPermissions List<String>
    List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set.
    storagePermissions List<String>
    List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update.
    tenantId String
    The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

    Import

    Key Vault Access Policies can be imported using the Resource ID of the Key Vault, plus some additional metadata.

    If both an object_id and application_id are specified, then the Access Policy can be imported using the following code:

    $ pulumi import azure:keyvault/accessPolicy:AccessPolicy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/test-vault/objectId/11111111-1111-1111-1111-111111111111/applicationId/22222222-2222-2222-2222-222222222222
    

    where 11111111-1111-1111-1111-111111111111 is the object_id and 22222222-2222-2222-2222-222222222222 is the application_id.


    Access Policies with an object_id but no application_id can be imported using the following command:

    $ pulumi import azure:keyvault/accessPolicy:AccessPolicy example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/test-vault/objectId/11111111-1111-1111-1111-111111111111
    

    where 11111111-1111-1111-1111-111111111111 is the object_id.

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Azure Classic pulumi/pulumi-azure
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the azurerm Terraform Provider.
    azure logo

    We recommend using Azure Native.

    Azure Classic v6.2.0 published on Friday, Sep 27, 2024 by Pulumi