Note
Access to this page requires authorization. You can try signing in or .
Access to this page requires authorization. You can try .
Microsoft.KeyVault vaults/keys
Remarks
For guidance on using key vaults for secure values, see Manage secrets by using Bicep.
For a quickstart on creating a secret, see Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template.
For a quickstart on creating a key, see Quickstart: Create an Azure key vault and a key by using ARM template.
Bicep resource definition
The vaults/keys resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/keys resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.KeyVault/vaults/keys@2026-03-01-preview' = {
parent: resourceSymbolicName
name: 'string'
properties: {
attributes: {
enabled: bool
exp: int
exportable: bool
nbf: int
}
curveName: 'string'
keyOps: [
'string'
]
keySize: int
kty: 'string'
release_policy: {
contentType: 'string'
data: 'string'
}
rotationPolicy: {
attributes: {
expiryTime: 'string'
}
lifetimeActions: [
{
action: {
type: 'string'
}
trigger: {
timeAfterCreate: 'string'
timeBeforeExpiry: 'string'
}
}
]
}
}
tags: {
{customized property}: 'string'
}
}
Property Values
Microsoft.KeyVault/vaults/keys
| Name | Description | Value |
|---|---|---|
| name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9-]{1,127}$ (required) |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. |
Symbolic name for resource of type: vaults |
| properties | The properties of the key to be created. | KeyProperties (required) |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
Action
| Name | Description | Value |
|---|---|---|
| type | The type of action. | 'notify' 'rotate' |
KeyAttributes
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether or not the object is enabled. | bool |
| exp | Expiry date in seconds since 1970-01-01T00:00:00Z. | int |
| exportable | Indicates if the private key can be exported. | bool |
| nbf | Not before date in seconds since 1970-01-01T00:00:00Z. | int |
KeyCreateParametersTags
| Name | Description | Value |
|---|
KeyProperties
| Name | Description | Value |
|---|---|---|
| attributes | The attributes of the key. | KeyAttributes |
| curveName | The elliptic curve name. For valid values, see JsonWebKeyCurveName. Default for EC and EC-HSM keys is P-256 | 'P-256' 'P-256K' 'P-384' 'P-521' |
| keyOps | String array containing any of: 'decrypt' 'encrypt' 'import' 'release' 'sign' 'unwrapKey' 'verify' 'wrapKey' |
|
| keySize | The key size in bits. For example: 2048, 3072, or 4096 for RSA. Default for RSA and RSA-HSM keys is 2048. Exception made for bring your own key (BYOK), key exchange keys default to 4096. | int |
| kty | The type of the key. For valid values, see JsonWebKeyType. | 'EC' 'EC-HSM' 'RSA' 'RSA-HSM' |
| release_policy | Key release policy in response. It will be used for both output and input. Omitted if empty | KeyReleasePolicy |
| rotationPolicy | Key rotation policy in response. It will be used for both output and input. Omitted if empty | RotationPolicy |
KeyReleasePolicy
| Name | Description | Value |
|---|---|---|
| contentType | Content type and version of key release policy | string |
| data | Blob encoding the policy rules under which the key can be released. | string |
KeyRotationPolicyAttributes
| Name | Description | Value |
|---|---|---|
| expiryTime | The expiration time for the new key version. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. | string |
LifetimeAction
| Name | Description | Value |
|---|---|---|
| action | The action of key rotation policy lifetimeAction. | Action |
| trigger | The trigger of key rotation policy lifetimeAction. | Trigger |
RotationPolicy
| Name | Description | Value |
|---|---|---|
| attributes | The attributes of key rotation policy. | KeyRotationPolicyAttributes |
| lifetimeActions | The lifetimeActions for key rotation action. | LifetimeAction[] |
Trigger
| Name | Description | Value |
|---|---|---|
| timeAfterCreate | The time duration after key creation to rotate the key. It only applies to rotate. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. | string |
| timeBeforeExpiry | The time duration before key expiring to rotate or notify. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. | string |
Usage Examples
Bicep Samples
A basic example of deploying Key Vault Keys.
param resourceName string = 'acctest0001'
param location string = 'westeurope'
resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
name: resourceName
location: location
properties: {
sku: {
family: 'A'
name: 'standard'
}
accessPolicies: []
enableSoftDelete: true
enablePurgeProtection: true
tenantId: tenant().tenantId
}
}
resource putAccesspolicy 'Microsoft.KeyVault/vaults/accessPolicies@2023-02-01' = {
name: 'add'
parent: vault
properties: {
accessPolicies: [
{
objectId: deployer().objectId
permissions: {
certificates: [
'ManageContacts'
]
keys: [
'Get'
'Create'
'Delete'
'List'
'Restore'
'Recover'
'UnwrapKey'
'WrapKey'
'Purge'
'Encrypt'
'Decrypt'
'Sign'
'Verify'
]
secrets: [
'Get'
]
storage: []
}
tenantId: tenant().tenantId
}
]
}
}
resource putKey 'Microsoft.KeyVault/vaults/keys@2023-02-01' = {
name: resourceName
parent: vault
dependsOn: [
putAccesspolicy
]
properties: {
keyOps: [
'encrypt'
'decrypt'
'sign'
'verify'
'wrapKey'
'unwrapKey'
]
keySize: 2048
kty: 'RSA'
}
}
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description |
|---|---|
| Key Vault - Key | AVM Child Module for Key Vault - Key |
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description |
|---|---|
| Azure Storage Account Encryption with customer-managed key | This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault. |
ARM template resource definition
The vaults/keys resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/keys resource, add the following JSON to your template.
{
"type": "Microsoft.KeyVault/vaults/keys",
"apiVersion": "2026-03-01-preview",
"name": "string",
"properties": {
"attributes": {
"enabled": "bool",
"exp": "int",
"exportable": "bool",
"nbf": "int"
},
"curveName": "string",
"keyOps": [ "string" ],
"keySize": "int",
"kty": "string",
"release_policy": {
"contentType": "string",
"data": "string"
},
"rotationPolicy": {
"attributes": {
"expiryTime": "string"
},
"lifetimeActions": [
{
"action": {
"type": "string"
},
"trigger": {
"timeAfterCreate": "string",
"timeBeforeExpiry": "string"
}
}
]
}
},
"tags": {
"{customized property}": "string"
}
}
Property Values
Microsoft.KeyVault/vaults/keys
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2026-03-01-preview' |
| name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9-]{1,127}$ (required) |
| properties | The properties of the key to be created. | KeyProperties (required) |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| type | The resource type | 'Microsoft.KeyVault/vaults/keys' |
Action
| Name | Description | Value |
|---|---|---|
| type | The type of action. | 'notify' 'rotate' |
KeyAttributes
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether or not the object is enabled. | bool |
| exp | Expiry date in seconds since 1970-01-01T00:00:00Z. | int |
| exportable | Indicates if the private key can be exported. | bool |
| nbf | Not before date in seconds since 1970-01-01T00:00:00Z. | int |
KeyCreateParametersTags
| Name | Description | Value |
|---|
KeyProperties
| Name | Description | Value |
|---|---|---|
| attributes | The attributes of the key. | KeyAttributes |
| curveName | The elliptic curve name. For valid values, see JsonWebKeyCurveName. Default for EC and EC-HSM keys is P-256 | 'P-256' 'P-256K' 'P-384' 'P-521' |
| keyOps | String array containing any of: 'decrypt' 'encrypt' 'import' 'release' 'sign' 'unwrapKey' 'verify' 'wrapKey' |
|
| keySize | The key size in bits. For example: 2048, 3072, or 4096 for RSA. Default for RSA and RSA-HSM keys is 2048. Exception made for bring your own key (BYOK), key exchange keys default to 4096. | int |
| kty | The type of the key. For valid values, see JsonWebKeyType. | 'EC' 'EC-HSM' 'RSA' 'RSA-HSM' |
| release_policy | Key release policy in response. It will be used for both output and input. Omitted if empty | KeyReleasePolicy |
| rotationPolicy | Key rotation policy in response. It will be used for both output and input. Omitted if empty | RotationPolicy |
KeyReleasePolicy
| Name | Description | Value |
|---|---|---|
| contentType | Content type and version of key release policy | string |
| data | Blob encoding the policy rules under which the key can be released. | string |
KeyRotationPolicyAttributes
| Name | Description | Value |
|---|---|---|
| expiryTime | The expiration time for the new key version. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. | string |
LifetimeAction
| Name | Description | Value |
|---|---|---|
| action | The action of key rotation policy lifetimeAction. | Action |
| trigger | The trigger of key rotation policy lifetimeAction. | Trigger |
RotationPolicy
| Name | Description | Value |
|---|---|---|
| attributes | The attributes of key rotation policy. | KeyRotationPolicyAttributes |
| lifetimeActions | The lifetimeActions for key rotation action. | LifetimeAction[] |
Trigger
| Name | Description | Value |
|---|---|---|
| timeAfterCreate | The time duration after key creation to rotate the key. It only applies to rotate. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. | string |
| timeBeforeExpiry | The time duration before key expiring to rotate or notify. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. | string |
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| Azure Storage Account Encryption with customer-managed key 👁 Deploy to Azure |
This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault. |
| Create a Key in Azure KeyVault 👁 Deploy to Azure |
This module allows you to create a key in an existing KeyVault. |
Terraform (AzAPI provider) resource definition
The vaults/keys resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/vaults/keys resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.KeyVault/vaults/keys@2026-03-01-preview"
name = "string"
parent_id = "string"
tags = {
{customized property} = "string"
}
body = {
properties = {
attributes = {
enabled = bool
exp = int
exportable = bool
nbf = int
}
curveName = "string"
keyOps = [
"string"
]
keySize = int
kty = "string"
release_policy = {
contentType = "string"
data = "string"
}
rotationPolicy = {
attributes = {
expiryTime = "string"
}
lifetimeActions = [
{
action = {
type = "string"
}
trigger = {
timeAfterCreate = "string"
timeBeforeExpiry = "string"
}
}
]
}
}
}
}
Property Values
Microsoft.KeyVault/vaults/keys
| Name | Description | Value |
|---|---|---|
| name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9-]{1,127}$ (required) |
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: vaults |
| properties | The properties of the key to be created. | KeyProperties (required) |
| tags | Resource tags | Dictionary of tag names and values. |
| type | The resource type | "Microsoft.KeyVault/vaults/keys@2026-03-01-preview" |
Action
| Name | Description | Value |
|---|---|---|
| type | The type of action. | 'notify' 'rotate' |
KeyAttributes
| Name | Description | Value |
|---|---|---|
| enabled | Determines whether or not the object is enabled. | bool |
| exp | Expiry date in seconds since 1970-01-01T00:00:00Z. | int |
| exportable | Indicates if the private key can be exported. | bool |
| nbf | Not before date in seconds since 1970-01-01T00:00:00Z. | int |
KeyCreateParametersTags
| Name | Description | Value |
|---|
KeyProperties
| Name | Description | Value |
|---|---|---|
| attributes | The attributes of the key. | KeyAttributes |
| curveName | The elliptic curve name. For valid values, see JsonWebKeyCurveName. Default for EC and EC-HSM keys is P-256 | 'P-256' 'P-256K' 'P-384' 'P-521' |
| keyOps | String array containing any of: 'decrypt' 'encrypt' 'import' 'release' 'sign' 'unwrapKey' 'verify' 'wrapKey' |
|
| keySize | The key size in bits. For example: 2048, 3072, or 4096 for RSA. Default for RSA and RSA-HSM keys is 2048. Exception made for bring your own key (BYOK), key exchange keys default to 4096. | int |
| kty | The type of the key. For valid values, see JsonWebKeyType. | 'EC' 'EC-HSM' 'RSA' 'RSA-HSM' |
| release_policy | Key release policy in response. It will be used for both output and input. Omitted if empty | KeyReleasePolicy |
| rotationPolicy | Key rotation policy in response. It will be used for both output and input. Omitted if empty | RotationPolicy |
KeyReleasePolicy
| Name | Description | Value |
|---|---|---|
| contentType | Content type and version of key release policy | string |
| data | Blob encoding the policy rules under which the key can be released. | string |
KeyRotationPolicyAttributes
| Name | Description | Value |
|---|---|---|
| expiryTime | The expiration time for the new key version. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'. | string |
LifetimeAction
| Name | Description | Value |
|---|---|---|
| action | The action of key rotation policy lifetimeAction. | Action |
| trigger | The trigger of key rotation policy lifetimeAction. | Trigger |
RotationPolicy
| Name | Description | Value |
|---|---|---|
| attributes | The attributes of key rotation policy. | KeyRotationPolicyAttributes |
| lifetimeActions | The lifetimeActions for key rotation action. | LifetimeAction[] |
Trigger
| Name | Description | Value |
|---|---|---|
| timeAfterCreate | The time duration after key creation to rotate the key. It only applies to rotate. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. | string |
| timeBeforeExpiry | The time duration before key expiring to rotate or notify. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'. | string |
Usage Examples
Terraform Samples
A basic example of deploying Key Vault Keys.
terraform {
required_providers {
azapi = {
source = "Azure/azapi"
}
azurerm = {
source = "hashicorp/azurerm"
}
}
}
provider "azurerm" {
features {
}
}
provider "azapi" {
skip_provider_registration = false
}
variable "resource_name" {
type = string
default = "acctest0001"
}
variable "location" {
type = string
default = "westeurope"
}
data "azurerm_client_config" "current" {
}
resource "azapi_resource" "resourceGroup" {
type = "Microsoft.Resources/resourceGroups@2020-06-01"
name = var.resource_name
location = var.location
}
resource "azapi_resource" "vault" {
type = "Microsoft.KeyVault/vaults@2023-02-01"
parent_id = azapi_resource.resourceGroup.id
name = var.resource_name
location = var.location
body = {
properties = {
sku = {
family = "A"
name = "standard"
}
accessPolicies = []
enableSoftDelete = true
enablePurgeProtection = true
tenantId = data.azurerm_client_config.current.tenant_id
}
}
schema_validation_enabled = false
response_export_values = ["*"]
lifecycle {
ignore_changes = [body.properties.accessPolicies]
}
}
resource "azapi_resource_action" "put_accessPolicy" {
type = "Microsoft.KeyVault/vaults/accessPolicies@2023-02-01"
resource_id = "${azapi_resource.vault.id}/accessPolicies/add"
method = "PUT"
body = {
properties = {
accessPolicies = [
{
objectId = data.azurerm_client_config.current.object_id
permissions = {
certificates = [
"ManageContacts",
]
keys = [
"Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"
]
secrets = [
"Get",
]
storage = [
]
}
tenantId = data.azurerm_client_config.current.tenant_id
},
]
}
}
response_export_values = ["*"]
}
data "azapi_resource_id" "key" {
type = "Microsoft.KeyVault/vaults/keys@2023-02-01"
parent_id = azapi_resource.vault.id
name = var.resource_name
}
resource "azapi_resource_action" "put_key" {
type = "Microsoft.KeyVault/vaults/keys@2023-02-01"
resource_id = data.azapi_resource_id.key.id
method = "PUT"
body = {
properties = {
keySize = 2048
kty = "RSA"
keyOps = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"]
}
}
response_export_values = ["*"]
depends_on = [azapi_resource_action.put_accessPolicy]
}
Feedback
Was this page helpful?