Azure Key Vault REST API reference
Use Key Vault to safeguard and manage cryptographic keys, certificates and secrets used by cloud applications and services.
Key Vault operations
| Operation | Description |
|---|---|
| Check Name Availability | Checks that the vault name is valid and is not already in use. |
| Create Or Update | Create or update a key vault in the specified subscription. |
| Update Access Policy | Update access policies in a key vault in the specified subscription. |
| Get | Gets the specified Azure key vault. |
| List | The List operation gets information about the vaults associated with the subscription. |
| List By Resource Group | The List operation gets information about the vaults associated with the subscription and within the specified resource group. |
| List By Subscription | The List operation gets information about the vaults associated with the subscription. |
| Update | Update a key vault in the specified subscription. |
| Delete | Deletes the specified Azure key vault. |
| Get Deleted | Gets the deleted Azure key vault. |
| List Deleted | Gets information about the deleted vaults in a subscription. |
| Purge | Permanently deletes the specified vault. |
Private link operations
| Operation | Description |
|---|---|
| List By Vault | Gets the private link resources supported for the key vault. |
Private endpoint connections operations
| Operation | Description |
|---|---|
| Get | Gets the specified private endpoint connection associated with the key vault. |
| List By Resource | The List operation gets information about the private endpoint connections associated with the vault. |
| Put | Updates the specified private endpoint connection associated with the key vault. |
| Delete | Deletes the specified private endpoint connection associated with the key vault. |
Managed HSM operations
| Operation | Description |
|---|---|
| Create Or Update | Create or update a managed HSM Pool in the specified subscription. |
| Get | Gets the specified managed HSM Pool. |
| List By Resource Group | The List operation gets information about the managed HSM Pools associated with the subscription and within the specified resource group. |
| List By Subscription | The List operation gets information about the managed HSM Pools associated with the subscription. |
| Update | Update a managed HSM Pool in the specified subscription. |
| Get Deleted | Gets the specified deleted managed HSM. |
| List Deleted | The List operation gets information about the deleted managed HSMs associated with the subscription. |
| Delete | Deletes the specified managed HSM Pool. |
| Purge Deleted | Permanently deletes the specified managed HSM. |
Private link operations
| Operation | Description |
|---|---|
| List By MHSM Resource | Gets the private link resources supported for the managed HSM pool. |
Private endpoint connections operations
| Operation | Description |
|---|---|
| Get | Gets the specified private endpoint connection associated with the managed HSM Pool. |
| List By Resource | The List operation gets information about the private endpoint connections associated with the managed HSM Pool. |
| Put | Updates the specified private endpoint connection associated with the managed HSM Pool. |
| Delete | Deletes the specified private endpoint connection associated with the managed HSM Pool. |
HSM Security Domain operations
| Operation | Description |
|---|---|
| Download | Retrieves the Security Domain from the managed HSM. Calling this endpoint can be used to activate a provisioned managed HSM resource. |
| Download Pending | Retrieves the Security Domain download operation status. |
| Upload | Restore the provided Security Domain. |
| Upload Pending | Get Security Domain upload operation status. |
Managed HSM Settings operations
| Operation | Description |
|---|---|
| Get Setting | Get specified account setting object. Retrieves the setting object of a specified setting name. |
| Get Settings | List account settings. Retrieves a list of all the available account settings that can be configured. |
| Update Setting | Updates the key vault account setting, stores it, then returns the setting name and value to the client. |
Role-based access control operations
Role assignment operations
| Operation | Description |
|---|---|
| Get | Get the specified role assignment. |
| List | Gets role assignments for a scope. |
| Create | Creates a role assignment. |
| Delete | Deletes a role assignment. |
Role definition operations
| Operation | Description |
|---|---|
| Get | Get the specified role definition. |
| List | Get all role definitions that are applicable at scope and above. |
| Create Or Update | Creates or updates a custom role definition. |
| Delete | Deletes a custom role definition. |
Backup/restore operations
| Operation | Description |
|---|---|
| Full Backup | Creates a full backup using a user-provided SAS token to an Azure blob storage container. This operation is supported only by the Managed HSM service. |
| Backup Status | Returns the status of full backup operation. |
| Full Restore | Restores all key materials using the SAS token pointing to a previously stored Azure Blob storage backup folder. |
| Selective Restore | Restores all key versions of a given key using user supplied SAS token pointing to a previously stored Azure Blob storage backup folder. |
| Restore Status | Returns the status of restore operation. |
Key operations (Key Vault/Managed HSM)
| Operation | Description |
|---|---|
| Get Key | Gets the public part of a stored key. |
| Get Keys | List keys in the specified vault. |
| Get Key Versions | Retrieves a list of individual key versions with the same key name. |
| Create Key | Creates a new key, stores it, then returns key parameters and attributes to the client. |
| Import Key | Imports an externally created key, stores it, and returns key parameters and attributes to the client. |
| Update Key | The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Azure Key Vault. |
| Delete Key | Deletes a key of any type from storage in Azure Key Vault. |
| Get Deleted Key | Gets the public part of a deleted key. |
| Get Deleted Keys | Lists the deleted keys in the specified vault. |
| Purge Deleted Key | Permanently deletes the specified key. |
| Recover Deleted Key | Recovers the deleted key to its latest version. |
| Backup Key | Requests that a backup of the specified key be downloaded to the client. |
| Restore Key | Restores a backed up key to a vault. |
| Release Key | Releases a key. The release key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/release permission. |
| Rotate Key | Creates a new key version, stores it, then returns key parameters, attributes and policy to the client. The operation will rotate the key based on the key policy. It requires the keys/rotate permission. |
| Get Key Rotation Policy | Lists the policy for a key. The GetKeyRotationPolicy operation returns the specified key policy resources in the specified key vault. This operation requires the keys/get permission. |
| Update Key Rotation Policy | Updates the rotation policy for a key. Set specified members in the key policy. Leave others as undefined. This operation requires the keys/update permission. |
Key operations (Managed HSM only)
| Operation | Description |
|---|---|
| Get Random Bytes | Get the requested number of bytes containing random values from a managed HSM. |
Cryptographic operations (Key Vault/Managed HSM)
| Operation | Description |
|---|---|
| Decrypt | Decrypts a single block of encrypted data. |
| Encrypt | Encrypts an arbitrary sequence of bytes using an encryption key that is stored in a key vault. |
| Wrap Key | Wraps a symmetric key using a specified key. |
| Unwrap Key | Unwraps a symmetric key using the specified key that was initially used for wrapping that key. |
| Sign | Creates a signature from a digest using the specified key. |
| Verify | Verifies a signature using a specified key. |
Secret operations (Key Vault only)
| Operation | Description |
|---|---|
| Get Secret | Get a specified secret from a given key vault. |
| Get Secrets | List secrets in a specified key vault. |
| Get Secret Versions | List all versions of the specified secret. |
| Set Secret | Sets a secret in a specified key vault. |
| Update Secret | Updates the attributes associated with a specified secret in a given key vault. |
| Delete Secret | Deletes a secret from a specified key vault. |
| Get Deleted Secret | Gets the specified deleted secret. |
| Get Deleted Secrets | Lists deleted secrets for the specified vault. |
| Purge Deleted Secret | Permanently deletes the specified secret. |
| Recover Deleted Secret | Recovers the deleted secret to the latest version. |
| Backup Secret | Backs up the specified secret. |
| Restore Secret | Restores a backed up secret to a vault. |
Storage account key management operations (Key Vault only)
Storage Account configuration operations
| Operation | Description |
|---|---|
| Get Storage Account | Gets information about a specified storage account. This operation requires the storage/get permission. |
| Get Storage Accounts | List storage accounts managed by the specified key vault. This operation requires the storage/list permission. |
| Update Storage Account | Updates the specified attributes associated with the given storage account. This operation requires the storage/set/update permission. |
| Set Storage Account | Creates or updates a new storage account. This operation requires the storage/set permission. |
| Delete Storage Account | Deletes a storage account. This operation requires the storage/delete permission. |
| Get Deleted Storage Account | Gets the specified deleted storage account. |
| Get Deleted Storage Accounts | Lists deleted storage accounts for the specified vault. |
| Purge Deleted Storage Account | Permanently deletes the specified storage account. |
| Recover Deleted Storage Account | Recovers the deleted storage account. |
| Backup Storage Account | Backs up the specified storage account. |
| Restore Storage Account | Restores a backed-up storage account to a vault. |
Storage Account key operations
| Operation | Description |
|---|---|
| Regenerate Storage Account Key | Regenerates the specified key value for the given storage account. This operation requires the storage/regeneratekey permission. |
Storage Account SAS operations
| Operation | Description |
|---|---|
| Get Sas Definition | Gets information about a SAS definition for the specified storage account. This operation requires the storage/getsas permission. |
| Get Sas Definitions | List storage SAS definitions for the given storage account. This operation requires the storage/listsas permission. |
| Set Sas Definition | Creates or updates a new SAS definition for the specified storage account. This operation requires the storage/setsas permission. |
| Update Sas Definition | Updates the specified attributes associated with the given SAS definition. This operation requires the storage/setsas permission. |
| Delete Sas Definition | Deletes a SAS definition from a specified storage account. This operation requires the storage/deletesas permission. |
| Get Deleted Sas Definition | Gets the specified deleted SAS definition. |
| Get Deleted Sas Definitions | Lists deleted SAS definitions for the specified vault and storage account. |
| Recover Deleted Sas Definition | Recovers the deleted SAS definition. |
Certificate operations (Key Vault only)
| Operation | Description |
|---|---|
| Get Certificate | Gets information about a certificate. |
| Get Certificates | List certificates in a specified key vault. |
| Get Certificate Versions | List the versions of a certificate. |
| Create Certificate | Creates a new certificate. |
| Import Certificate | Imports a certificate into a specified key vault. |
| Merge Certificate | Merges a certificate or a certificate chain with a key pair existing on the server. |
| Get Certificate Operation | Gets the creation operation of a certificate. |
| Update Certificate Operation | Updates a certificate operation. |
| Delete Certificate Operation | Deletes the creation operation for a specific certificate. |
| Update Certificate | Updates the specified attributes associated with the given certificate. |
| Delete Certificate | Deletes a certificate from a specified key vault. |
| Get Deleted Certificate | Retrieves information about the specified deleted certificate. |
| Get Deleted Certificates | Lists the deleted certificates in the specified vault currently available for recovery. |
| Purge Deleted Certificate | Permanently deletes the specified deleted certificate. |
| Recover Deleted Certificate | Recovers the deleted certificate back to its current version under /certificates. |
| Backup Certificate | Backs up the specified certificate. |
| Restore Certificate | Restores a backed-up certificate to a vault. |
Certificate policy operations
| Operation | Description |
|---|---|
| Get Certificate Policy | Lists the policy for a certificate. |
| Update Certificate Policy | Updates the policy for a certificate. |
Certificate contacts operations
| Operation | Description |
|---|---|
| Get Certificate Contacts | Lists the certificate contacts for a specified key vault. |
| Set Certificate Contacts | Sets the certificate contacts for the specified key vault. |
| Delete Certificate Contacts | Deletes the certificate contacts for a specified key vault. |
Certificate issuer operations
| Operation | Description |
|---|---|
| Get Certificate Issuer | Lists the specified certificate issuer. |
| Get Certificate Issuers | List certificate issuers for a specified key vault. |
| Set Certificate Issuer | Sets the specified certificate issuer. |
| Update Certificate Issuer | Updates the specified certificate issuer. |
| Delete Certificate Issuer | Deletes the specified certificate issuer. |
See also
- For concepts and detailed information about Key Vault, see About Azure Key Vault.
- For concepts and detailed information about Managed HSM, see What is Azure Key Vault Managed HSM?
- For concepts and detailed information about data plane objects, see About keys, secrets, and certificates.
- For general information on constructing Azure REST API requests, see the Azure REST API reference.
- For information specific to constructing Key Vault REST API requests, see
- See the following topics for additional Key Vault concepts and details
