Vaults - Create Or Update

Create or update a key vault in the specified subscription.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}?api-version=2022-07-01

URI Parameters

Name In Required Type Description
resourceGroupName
path True

string

The name of the Resource Group to which the vault belongs.

subscriptionId
path True

string

Subscription credentials that uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.

vaultName
path True

string

Name of the vault

Regex pattern: ^[a-zA-Z0-9-]{3,24}$

api-version
query True

string

Client API version.

Request Body

Name Required Type Description
location True

string

The supported Azure location where the key vault should be created.

properties True

VaultProperties

Properties of the vault

tags

object

The tags that will be assigned to the key vault.

Responses

Name Type Description
200 OK

Vault

Created or updated vault

201 Created

Vault

Created or updated vault

Other Status Codes

CloudError

Error response describing why the operation failed.

Examples

Create a new vault or update an existing vault
Create or update a vault with network acls

Create a new vault or update an existing vault

Sample request

PUT https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-resource-group/providers/Microsoft.KeyVault/vaults/sample-vault?api-version=2022-07-01

{
  "location": "westus",
  "properties": {
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt",
            "decrypt",
            "wrapKey",
            "unwrapKey",
            "sign",
            "verify",
            "get",
            "list",
            "create",
            "update",
            "import",
            "delete",
            "backup",
            "restore",
            "recover",
            "purge"
          ],
          "secrets": [
            "get",
            "list",
            "set",
            "delete",
            "backup",
            "restore",
            "recover",
            "purge"
          ],
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",
            "manageissuers",
            "recover",
            "purge"
          ]
        }
      }
    ],
    "enabledForDeployment": true,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": true,
    "publicNetworkAccess": "Enabled"
  }
}

Sample response

Status code: 200

{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-resource-group/providers/Microsoft.KeyVault/vaults/sample-vault",
  "name": "sample-vault",
  "type": "Microsoft.KeyVault/vaults",
  "location": "westus",
  "tags": {},
  "systemData": {
    "createdBy": "keyVaultUser1",
    "createdByType": "User",
    "createdAt": "2020-01-01T12:00:00.0000000Z",
    "lastModifiedBy": "keyVaultUser2",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2020-01-01T12:00:00.0000000Z"
  },
  "properties": {
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "ipRules": [
        {
          "value": ""
        }
      ],
      "virtualNetworkRules": [
        {
          "id": "",
          "ignoreMissingVnetServiceEndpoint": false
        }
      ]
    },
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt",
            "decrypt",
            "wrapKey",
            "unwrapKey",
            "sign",
            "verify",
            "get",
            "list",
            "create",
            "update",
            "import",
            "delete",
            "backup",
            "restore",
            "recover",
            "purge"
          ],
          "secrets": [
            "get",
            "list",
            "set",
            "delete",
            "backup",
            "restore",
            "recover",
            "purge"
          ],
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",
            "manageissuers",
            "recover",
            "purge"
          ]
        }
      }
    ],
    "privateEndpointConnections": [
      {
        "id": "",
        "etag": "",
        "properties": {
          "provisioningState": "Succeeded",
          "privateEndpoint": {
            "id": ""
          },
          "privateLinkServiceConnectionState": {
            "status": "Approved",
            "actionsRequired": "None"
          }
        }
      }
    ],
    "enabledForDeployment": true,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": true,
    "hsmPoolResourceId": "00000000-0000-0000-0000-000000000000",
    "vaultUri": "https://sample-vault.vault.azure.net",
    "provisioningState": "Succeeded",
    "publicNetworkAccess": "Enabled"
  }
}

Status code: 201

{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-resource-group/providers/Microsoft.KeyVault/vaults/sample-vault",
  "name": "sample-vault",
  "type": "Microsoft.KeyVault/vaults",
  "location": "westus",
  "tags": {},
  "systemData": {
    "createdBy": "keyVaultUser1",
    "createdByType": "User",
    "createdAt": "2020-01-01T12:00:00.0000000Z",
    "lastModifiedBy": "keyVaultUser2",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2020-01-01T12:00:00.0000000Z"
  },
  "properties": {
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt",
            "decrypt",
            "wrapKey",
            "unwrapKey",
            "sign",
            "verify",
            "get",
            "list",
            "create",
            "update",
            "import",
            "delete",
            "backup",
            "restore",
            "recover",
            "purge"
          ],
          "secrets": [
            "get",
            "list",
            "set",
            "delete",
            "backup",
            "restore",
            "recover",
            "purge"
          ],
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",
            "manageissuers",
            "recover",
            "purge"
          ]
        }
      }
    ],
    "enabledForDeployment": true,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": true,
    "hsmPoolResourceId": "00000000-0000-0000-0000-000000000000",
    "vaultUri": "https://sample-vault.vault.azure.net",
    "provisioningState": "Succeeded",
    "publicNetworkAccess": "Enabled"
  }
}

Create or update a vault with network acls

Sample request

PUT https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-resource-group/providers/Microsoft.KeyVault/vaults/sample-vault?api-version=2022-07-01

{
  "location": "westus",
  "properties": {
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices",
      "ipRules": [
        {
          "value": "124.56.78.91"
        },
        {
          "value": "'10.91.4.0/24'"
        }
      ],
      "virtualNetworkRules": [
        {
          "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1"
        }
      ]
    },
    "enabledForDeployment": true,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": true
  }
}

Sample response

Status code: 200

{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-resource-group/providers/Microsoft.KeyVault/vaults/sample-vault",
  "name": "sample-vault",
  "type": "Microsoft.KeyVault/vaults",
  "location": "westus",
  "tags": {},
  "systemData": {
    "createdBy": "keyVaultUser1",
    "createdByType": "User",
    "createdAt": "2020-01-01T12:00:00.0000000Z",
    "lastModifiedBy": "keyVaultUser2",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2020-01-01T12:00:00.0000000Z"
  },
  "properties": {
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices",
      "ipRules": [
        {
          "value": "124.56.78.91/32"
        },
        {
          "value": "'10.91.4.0/24'"
        }
      ],
      "virtualNetworkRules": [
        {
          "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.network/virtualnetworks/test-vnet/subnets/subnet1"
        }
      ]
    },
    "enabledForDeployment": true,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": true,
    "hsmPoolResourceId": "00000000-0000-0000-0000-000000000000",
    "vaultUri": "https://sample-vault.vault.azure.net"
  }
}

Status code: 201

{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-resource-group/providers/Microsoft.KeyVault/vaults/sample-vault",
  "name": "sample-vault",
  "type": "Microsoft.KeyVault/vaults",
  "location": "westus",
  "tags": {},
  "systemData": {
    "createdBy": "keyVaultUser1",
    "createdByType": "User",
    "createdAt": "2020-01-01T12:00:00.0000000Z",
    "lastModifiedBy": "keyVaultUser2",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2020-01-01T12:00:00.0000000Z"
  },
  "properties": {
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices",
      "ipRules": [
        {
          "value": "124.56.78.91/32"
        },
        {
          "value": "'10.91.4.0/24'"
        }
      ],
      "virtualNetworkRules": [
        {
          "id": "/subscriptions/subid/resourcegroups/rg1/providers/microsoft.network/virtualnetworks/test-vnet/subnets/subnet1"
        }
      ]
    },
    "enabledForDeployment": true,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": true,
    "hsmPoolResourceId": "00000000-0000-0000-0000-000000000000",
    "vaultUri": "https://sample-vault.vault.azure.net"
  }
}

Definitions

Name Description
AccessPolicyEntry

An identity that has access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.

ActionsRequired

A message indicating if changes on the service provider require any updates on the consumer.

CertificatePermissions

Permissions to certificates

CloudError

An error response from Key Vault resource provider

CloudErrorBody

An error response from Key Vault resource provider

CreateMode

The vault's create mode, indicating whether the vault needs to be recovered or not.

identityType

The type of identity that created the key vault resource.

IPRule

A rule governing the accessibility of a vault from a specific IP address or IP range.

KeyPermissions

Permissions to keys

NetworkRuleAction

The default action when no rule from ipRules or virtualNetworkRules matches. This is only used after the bypass property has been evaluated.

NetworkRuleBypassOptions

Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'.

NetworkRuleSet

A set of rules governing the network accessibility of a vault.

Permissions

Permissions the identity has for keys, secrets, certificates and storage.

PrivateEndpoint

Private endpoint object properties.

PrivateEndpointConnectionItem

Private endpoint connection item.

PrivateEndpointConnectionProvisioningState

The current provisioning state.

PrivateEndpointServiceConnectionStatus

The private endpoint connection status.

PrivateLinkServiceConnectionState

An object that represents the approval state of the private link connection.

SecretPermissions

Permissions to secrets

Sku

SKU details

SkuFamily

SKU family name

SkuName

SKU name to specify whether the key vault is a standard vault or a premium vault.

StoragePermissions

Permissions to storage accounts

SystemData

Metadata pertaining to creation and last modification of the key vault resource.

Vault

Resource information with extended details.

VaultCreateOrUpdateParameters

Parameters for creating or updating a vault

VaultProperties

Properties of the vault

VaultProvisioningState

Provisioning state of the vault.

VirtualNetworkRule

A rule governing the accessibility of a vault from a specific virtual network.

AccessPolicyEntry

An identity that has access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.

Name Type Description
applicationId

string

Application ID of the client making request on behalf of a principal

objectId

string

The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.

permissions

Permissions

Permissions the identity has for keys, secrets and certificates.

tenantId

string

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

ActionsRequired

A message indicating if changes on the service provider require any updates on the consumer.

Name Type Description
None

string

CertificatePermissions

Permissions to certificates

Name Type Description
all

string

backup

string

create

string

delete

string

deleteissuers

string

get

string

getissuers

string

import

string

list

string

listissuers

string

managecontacts

string

manageissuers

string

purge

string

recover

string

restore

string

setissuers

string

update

string

CloudError

An error response from Key Vault resource provider

Name Type Description
error

CloudErrorBody

An error response from Key Vault resource provider

CloudErrorBody

An error response from Key Vault resource provider

Name Type Description
code

string

Error code. This is a mnemonic that can be consumed programmatically.

message

string

User friendly error message. The message is typically localized and may vary with service version.

CreateMode

The vault's create mode, indicating whether the vault needs to be recovered or not.

Name Type Description
default

string

recover

string

identityType

The type of identity that created the key vault resource.

Name Type Description
Application

string

Key

string

ManagedIdentity

string

User

string

IPRule

A rule governing the accessibility of a vault from a specific IP address or IP range.

Name Type Description
value

string

An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78).

KeyPermissions

Permissions to keys

Name Type Description
all

string

backup

string

create

string

decrypt

string

delete

string

encrypt

string

get

string

getrotationpolicy

string

import

string

list

string

purge

string

recover

string

release

string

restore

string

rotate

string

setrotationpolicy

string

sign

string

unwrapKey

string

update

string

verify

string

wrapKey

string

NetworkRuleAction

The default action when no rule from ipRules or virtualNetworkRules matches. This is only used after the bypass property has been evaluated.

Name Type Description
Allow

string

Deny

string

NetworkRuleBypassOptions

Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'.

Name Type Description
AzureServices

string

None

string

NetworkRuleSet

A set of rules governing the network accessibility of a vault.

Name Type Description
bypass

NetworkRuleBypassOptions

Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'.

defaultAction

NetworkRuleAction

The default action when no rule from ipRules or virtualNetworkRules matches. This is only used after the bypass property has been evaluated.

ipRules

IPRule[]

The list of IP address rules.

virtualNetworkRules

VirtualNetworkRule[]

The list of virtual network rules.

Permissions

Permissions the identity has for keys, secrets, certificates and storage.

Name Type Description
certificates

CertificatePermissions[]

Permissions to certificates

keys

KeyPermissions[]

Permissions to keys

secrets

SecretPermissions[]

Permissions to secrets

storage

StoragePermissions[]

Permissions to storage accounts

PrivateEndpoint

Private endpoint object properties.

Name Type Description
id

string

Full identifier of the private endpoint resource.

PrivateEndpointConnectionItem

Private endpoint connection item.

Name Type Description
etag

string

Modified whenever there is a change in the state of the private endpoint connection.

id

string

ID of the private endpoint connection.

properties.privateEndpoint

PrivateEndpoint

Properties of the private endpoint object.

properties.privateLinkServiceConnectionState

PrivateLinkServiceConnectionState

Approval state of the private link connection.

properties.provisioningState

PrivateEndpointConnectionProvisioningState

Provisioning state of the private endpoint connection.

PrivateEndpointConnectionProvisioningState

The current provisioning state.

Name Type Description
Creating

string

Deleting

string

Disconnected

string

Failed

string

Succeeded

string

Updating

string

PrivateEndpointServiceConnectionStatus

The private endpoint connection status.

Name Type Description
Approved

string

Disconnected

string

Pending

string

Rejected

string

PrivateLinkServiceConnectionState

An object that represents the approval state of the private link connection.

Name Type Description
actionsRequired

ActionsRequired

A message indicating if changes on the service provider require any updates on the consumer.

description

string

The reason for approval or rejection.

status

PrivateEndpointServiceConnectionStatus

Indicates whether the connection has been approved, rejected or removed by the key vault owner.

SecretPermissions

Permissions to secrets

Name Type Description
all

string

backup

string

delete

string

get

string

list

string

purge

string

recover

string

restore

string

set

string

Sku

SKU details

Name Type Description
family

SkuFamily

SKU family name

name

SkuName

SKU name to specify whether the key vault is a standard vault or a premium vault.

SkuFamily

SKU family name

Name Type Description
A

string

SkuName

SKU name to specify whether the key vault is a standard vault or a premium vault.

Name Type Description
premium

string

standard

string

StoragePermissions

Permissions to storage accounts

Name Type Description
all

string

backup

string

delete

string

deletesas

string

get

string

getsas

string

list

string

listsas

string

purge

string

recover

string

regeneratekey

string

restore

string

set

string

setsas

string

update

string

SystemData

Metadata pertaining to creation and last modification of the key vault resource.

Name Type Description
createdAt

string

The timestamp of the key vault resource creation (UTC).

createdBy

string

The identity that created the key vault resource.

createdByType

identityType

The type of identity that created the key vault resource.

lastModifiedAt

string

The timestamp of the key vault resource last modification (UTC).

lastModifiedBy

string

The identity that last modified the key vault resource.

lastModifiedByType

identityType

The type of identity that last modified the key vault resource.

Vault

Resource information with extended details.

Name Type Description
id

string

Fully qualified identifier of the key vault resource.

location

string

Azure location of the key vault resource.

name

string

Name of the key vault resource.

properties

VaultProperties

Properties of the vault

systemData

SystemData

System metadata for the key vault.

tags

object

Tags assigned to the key vault resource.

type

string

Resource type of the key vault resource.

VaultCreateOrUpdateParameters

Parameters for creating or updating a vault

Name Type Description
location

string

The supported Azure location where the key vault should be created.

properties

VaultProperties

Properties of the vault

tags

object

The tags that will be assigned to the key vault.

VaultProperties

Properties of the vault

Name Type Default value Description
accessPolicies

AccessPolicyEntry[]

An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When createMode is set to recover, access policies are not required. Otherwise, access policies are required.

createMode

CreateMode

The vault's create mode, indicating whether the vault needs to be recovered or not.

enablePurgeProtection

boolean

Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value.

enableRbacAuthorization

boolean

False

Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC.

enableSoftDelete

boolean

True

Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it is not set to any value (true or false) when creating a new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false.

enabledForDeployment

boolean

Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.

enabledForDiskEncryption

boolean

Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.

enabledForTemplateDeployment

boolean

Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.

hsmPoolResourceId

string

The resource ID of the HSM pool.

networkAcls

NetworkRuleSet

Rules governing the accessibility of the key vault from specific network locations.

privateEndpointConnections

PrivateEndpointConnectionItem[]

List of private endpoint connections associated with the key vault.

provisioningState

VaultProvisioningState

Provisioning state of the vault.

publicNetworkAccess

string

enabled

Property to specify whether the vault will accept traffic from the public internet. If set to 'disabled', all traffic except private endpoint traffic and traffic that originates from trusted services will be blocked. This overrides the configured firewall rules, meaning that even if firewall rules are present they will not be honored.

sku

Sku

SKU details

softDeleteRetentionInDays

integer

90

Soft-delete data retention period in days. Accepts values from 7 to 90 inclusive (>=7 and <=90).

tenantId

string

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

vaultUri

string

The URI of the vault for performing operations on keys and secrets.
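The VaultProperties table above, together with the NetworkRuleSet, IPRule and VirtualNetworkRule definitions, describes the settings that decide who can reach a vault and whether its contents can be irreversibly destroyed. The following script is an added example, not Microsoft's code or part of this reference: it reviews a Create Or Update request body for weak settings (no network ACLs, defaultAction other than Deny, purge protection off, access policies granting all or purge while RBAC authorization is off), validates the vaultName against the regex pattern given in the URI parameters table and each ipRules value as an IPv4 address or CIDR range, and returns a hardened copy of the body. The sample body is constructed here after the page's first sample request; which settings count as weak is this example's own policy choice, not a statement of the service's behaviour.

```python
"""Review and harden a Key Vault Create Or Update request body (api-version 2022-07-01).

Added example (not Microsoft's code). Property names follow the VaultProperties,
NetworkRuleSet, IPRule, VirtualNetworkRule and AccessPolicyEntry definitions on the page.
The weak-setting thresholds below are this example's own policy choices.
"""
import copy
import ipaddress
import re
from typing import List, Optional

# Regex pattern for vaultName from the URI parameters table.
VAULT_NAME_RE = re.compile(r"^[a-zA-Z0-9-]{3,24}$")
# Shape of a VNet subnet resource id, after the example given for VirtualNetworkRule.id.
SUBNET_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Network"
    r"/virtualNetworks/[^/]+/subnets/[^/]+$",
    re.IGNORECASE,
)


def validate_ip_rule(value: str) -> Optional[str]:
    """Return an error string if an IPRule value is not an IPv4 address or CIDR range."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return f"ipRules value {value!r} is not a valid IPv4 address or CIDR range"
    if net.version != 4:
        return f"ipRules value {value!r} is not IPv4"
    return None


def review_vault_body(vault_name: str, body: dict) -> List[str]:
    """Return a list of findings; an empty list means the body passes this example's checks."""
    findings: List[str] = []
    if not VAULT_NAME_RE.match(vault_name):
        findings.append("vaultName does not match ^[a-zA-Z0-9-]{3,24}$")
    props = body.get("properties", {})
    if not props.get("tenantId"):
        findings.append("properties.tenantId is missing")

    # Network exposure: publicNetworkAccess defaults to enabled per the table above.
    acls = props.get("networkAcls")
    public = str(props.get("publicNetworkAccess", "enabled")).lower()
    if public == "enabled":
        if acls is None:
            findings.append("publicNetworkAccess is enabled and no networkAcls are set: "
                            "the vault is reachable from any address")
        elif acls.get("defaultAction") != "Deny":
            findings.append("networkAcls.defaultAction is not Deny")
    if acls:
        for rule in acls.get("ipRules", []):
            err = validate_ip_rule(rule.get("value", ""))
            if err:
                findings.append(err)
        for rule in acls.get("virtualNetworkRules", []):
            if not SUBNET_ID_RE.match(rule.get("id", "")):
                findings.append(f"virtualNetworkRules id {rule.get('id')!r} is not a subnet resource id")

    # Deletion safety: soft delete plus purge protection prevents a hard delete by callers.
    if props.get("enableSoftDelete") is False:
        findings.append("enableSoftDelete is false")
    if props.get("enablePurgeProtection") is not True:
        findings.append("enablePurgeProtection is not true: a soft-deleted vault can still be purged")

    # Least privilege: access policies only apply while enableRbacAuthorization is false.
    if not props.get("enableRbacAuthorization"):
        for entry in props.get("accessPolicies", []):
            for kind, allowed in entry.get("permissions", {}).items():
                broad = sorted({"all", "purge"} & set(allowed))
                if broad:
                    findings.append(f"access policy for objectId {entry.get('objectId')} "
                                    f"grants {kind} {broad}")
    return findings


def harden(body: dict) -> dict:
    """Return a copy of the body with this example's recommended settings applied."""
    hardened = copy.deepcopy(body)
    props = hardened.setdefault("properties", {})
    acls = props.get("networkAcls") or {}
    props["networkAcls"] = {
        "defaultAction": "Deny",
        "bypass": "AzureServices",
        "ipRules": acls.get("ipRules", []),
        "virtualNetworkRules": acls.get("virtualNetworkRules", []),
    }
    props["enableSoftDelete"] = True
    props["softDeleteRetentionInDays"] = 90
    props["enablePurgeProtection"] = True
    props["enableRbacAuthorization"] = True  # access policies are then ignored by the service
    return hardened


# Constructed sample body, modelled on the page's first sample request (placeholder ids).
WEAK_BODY = {
    "location": "westus",
    "properties": {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "sku": {"family": "A", "name": "standard"},
        "accessPolicies": [{
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "objectId": "00000000-0000-0000-0000-000000000000",
            "permissions": {"keys": ["get", "list", "purge"], "secrets": ["get", "list"]},
        }],
        "publicNetworkAccess": "Enabled",
    },
}

if __name__ == "__main__":
    for finding in review_vault_body("sample-vault", WEAK_BODY):
        print("finding:", finding)
    print("after hardening:", review_vault_body("sample-vault", harden(WEAK_BODY)))
```

Run against the constructed body, the review reports three findings (no network ACLs with public access enabled, purge protection not enabled, and a key policy granting purge); the hardened copy reports none. The quoted value `'10.91.4.0/24'` that appears in the page's network-ACL sample is rejected by validate_ip_rule, so a body copied from that sample should have the quotes removed before use.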

VaultProvisioningState

Provisioning state of the vault.

Name Type Description
RegisteringDns

string

Succeeded

string

VirtualNetworkRule

A rule governing the accessibility of a vault from a specific virtual network.

Name Type Description
id

string

Full resource ID of a VNet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'.

ignoreMissingVnetServiceEndpoint

boolean

Property to specify whether NRP will skip the check that the parent subnet has serviceEndpoints configured.