{ "swagger": "2.0", "info": { "version": "2023-07-01", "title": "KeyVaultManagementClient", "description": "The Azure management API provides a RESTful set of web services that interact with Azure Key Vault." }, "host": "management.azure.com", "schemes": [ "https" ], "paths": { "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}": { "put": { "tags": [ "Vaults" ], "operationId": "Vaults_CreateOrUpdate", "x-ms-long-running-operation": true, "description": "Create or update a key vault in the specified subscription.", "parameters": [ { "name": "resourceGroupName", "in": "path", "required": true, "type": "string", "description": "The name of the Resource Group to which the server belongs." }, { "name": "vaultName", "in": "path", "required": true, "type": "string", "pattern": "^[a-zA-Z0-9-]{3,24}$", "description": "Name of the vault" }, { "$ref": "#/parameters/ApiVersionParameter" }, { "name": "parameters", "in": "body", "required": true, "schema": { "$ref": "#/definitions/VaultCreateOrUpdateParameters" }, "description": "Parameters to create or update the vault" }, { "$ref": "#/parameters/SubscriptionIdParameter" } ], "responses": { "201": { "description": "Created or updated vault", "schema": { "$ref": "#/definitions/Vault" } }, "200": { "description": "Created or updated vault", "schema": { "$ref": "#/definitions/Vault" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } }, "x-ms-examples": { "Create a new vault or update an existing vault": { "$ref": "./examples/createVault.json" }, "Create or update a vault with network acls": { "$ref": "./examples/createVaultWithNetworkAcls.json" } }, "produces": [ "application/json" ], "consumes": [ "application/json" ] }, "patch": { "tags": [ "Vaults" ], "operationId": "Vaults_Update", "description": "Update a key vault in the specified subscription.", "parameters": [ { "name": "resourceGroupName", "in": "path", "required": true, "type": "string", "description": "The name of the Resource Group to which the server belongs." }, { "name": "vaultName", "in": "path", "required": true, "type": "string", "pattern": "^[a-zA-Z0-9-]{3,24}$", "description": "Name of the vault" }, { "$ref": "#/parameters/ApiVersionParameter" }, { "name": "parameters", "in": "body", "required": true, "schema": { "$ref": "#/definitions/VaultPatchParameters" }, "description": "Parameters to patch the vault" }, { "$ref": "#/parameters/SubscriptionIdParameter" } ], "responses": { "201": { "description": "Patched vault", "schema": { "$ref": "#/definitions/Vault" } }, "200": { "description": "Patched vault", "schema": { "$ref": "#/definitions/Vault" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } }, "x-ms-examples": { "Update an existing vault": { "$ref": "./examples/updateVault.json" } }, "produces": [ "application/json" ], "consumes": [ "application/json" ] }, "delete": { "tags": [ "Vaults" ], "operationId": "Vaults_Delete", "description": "Deletes the specified Azure key vault.", "parameters": [ { "name": "resourceGroupName", "in": "path", "required": true, "type": "string", "description": "The name of the Resource Group to which the vault belongs." }, { "name": "vaultName", "in": "path", "required": true, "type": "string", "description": "The name of the vault to delete" }, { "$ref": "#/parameters/ApiVersionParameter" }, { "$ref": "#/parameters/SubscriptionIdParameter" } ], "responses": { "200": { "description": "OK Response." }, "204": { "description": "No Content." }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } }, "x-ms-examples": { "Delete a vault": { "$ref": "./examples/deleteVault.json" } }, "produces": [ "application/json" ], "consumes": [ "application/json" ] }, "get": { "tags": [ "Vaults" ], "operationId": "Vaults_Get", "description": "Gets the specified Azure key vault.", "parameters": [ { "name": "resourceGroupName", "in": "path", "required": true, "type": "string", "description": "The name of the Resource Group to which the vault belongs." }, { "name": "vaultName", "in": "path", "required": true, "type": "string", "description": "The name of the vault." }, { "$ref": "#/parameters/ApiVersionParameter" }, { "$ref": "#/parameters/SubscriptionIdParameter" } ], "responses": { "200": { "description": "Retrieved vault", "schema": { "$ref": "#/definitions/Vault" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } }, "x-ms-examples": { "Retrieve a vault": { "$ref": "./examples/getVault.json" } }, "produces": [ "application/json" ], "consumes": [ "application/json" ] } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/accessPolicies/{operationKind}": { "put": { "tags": [ "Vaults" ], "operationId": "Vaults_UpdateAccessPolicy", "description": "Update access policies in a key vault in the specified subscription.", "parameters": [ { "name": "resourceGroupName", "in": "path", "required": true, "type": "string", "description": "The name of the Resource Group to which the vault belongs." }, { "name": "vaultName", "in": "path", "required": true, "type": "string", "pattern": "^[a-zA-Z0-9-]{3,24}$", "description": "Name of the vault" }, { "name": "operationKind", "in": "path", "required": true, "type": "string", "enum": [ "add", "replace", "remove" ], "x-ms-enum": { "name": "AccessPolicyUpdateKind", "modelAsString": false }, "description": "Name of the operation" }, { "$ref": "#/parameters/ApiVersionParameter" }, { "name": "parameters", "in": "body", "required": true, "schema": { "$ref": "#/definitions/VaultAccessPolicyParameters" }, "description": "Access policy to merge into the vault" }, { "$ref": "#/parameters/SubscriptionIdParameter" } ], "responses": { "201": { "description": "The updated access policies", "schema": { "$ref": "#/definitions/VaultAccessPolicyParameters" } }, "200": { "description": "The updated access policies", "schema": { "$ref": "#/definitions/VaultAccessPolicyParameters" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } }, "x-ms-examples": { "Add an access policy, or update an access policy with new permissions": { "$ref": "./examples/updateAccessPoliciesAdd.json" } }, "produces": [ "application/json" ], "consumes": [ "application/json" ] } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults": { "get": { "tags": [ "Vaults" ], "operationId": "Vaults_ListByResourceGroup", "description": "The List operation gets information about the vaults associated with the subscription and within the specified resource group.", "parameters": [ { "name": "resourceGroupName", "in": "path", "required": true, "type": "string", "description": "The name of the Resource Group to which the vault belongs." }, { "name": "$top", "in": "query", "type": "integer", "format": "int32", "description": "Maximum number of results to return." }, { "$ref": "#/parameters/ApiVersionParameter" }, { "$ref": "#/parameters/SubscriptionIdParameter" } ], "responses": { "200": { "description": "Get information about all key vaults in the specified resource group.", "schema": { "$ref": "#/definitions/VaultListResult" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" }, "x-ms-examples": { "List vaults in the specified resource group": { "$ref": "./examples/listVaultByResourceGroup.json" } }, "produces": [ "application/json" ], "consumes": [ "application/json" ] } }, "/subscriptions/{subscriptionId}/providers/Microsoft.KeyVault/vaults": { "get": { "tags": [ "Vaults" ], "operationId": "Vaults_ListBySubscription", "description": "The List operation gets information about the vaults associated with the subscription.", "parameters": [ { "name": "$top", "in": "query", "type": "integer", "format": "int32", "description": "Maximum number of results to return." }, { "$ref": "#/parameters/ApiVersionParameter" }, { "$ref": "#/parameters/SubscriptionIdParameter" } ], "responses": { "200": { "description": "Get information about all key vaults in the specified subscription.", "schema": { "$ref": "#/definitions/VaultListResult" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" }, "x-ms-examples": { "List vaults in the specified subscription": { "$ref": "./examples/listVaultBySubscription.json" } }, "produces": [ "application/json" ], "consumes": [ "application/json" ] } }, "/subscriptions/{subscriptionId}/providers/Microsoft.KeyVault/deletedVaults": { "get": { "tags": [ "Vaults" ], "operationId": "Vaults_ListDeleted", "description": "Gets information about the deleted vaults in a subscription.", "parameters": [ { "$ref": "#/parameters/ApiVersionParameter" }, { "$ref": "#/parameters/SubscriptionIdParameter" } ], "responses": { "200": { "description": "Retrieved information about all deleted key vaults in a subscription.", "schema": { "$ref": "#/definitions/DeletedVaultListResult" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" }, "x-ms-examples": { "List deleted vaults in the specified subscription": { "$ref": "./examples/listDeletedVaults.json" } }, "produces": [ "application/json" ], "consumes": [ "application/json" ] } }, "/subscriptions/{subscriptionId}/providers/Microsoft.KeyVault/locations/{location}/deletedVaults/{vaultName}": { "get": { "tags": [ "Vaults" ], "operationId": "Vaults_GetDeleted", "description": "Gets the deleted Azure key vault.", "parameters": [ { "name": "vaultName", "in": "path", "required": true, "type": "string", "description": "The name of the vault." }, { "name": "location", "in": "path", "required": true, "type": "string", "description": "The location of the deleted vault." }, { "$ref": "#/parameters/ApiVersionParameter" }, { "$ref": "#/parameters/SubscriptionIdParameter" } ], "responses": { "200": { "description": "Retrieved information about the deleted vault.", "schema": { "$ref": "#/definitions/DeletedVault" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } }, "x-ms-examples": { "Retrieve a deleted vault": { "$ref": "./examples/getDeletedVault.json" } }, "produces": [ "application/json" ], "consumes": [ "application/json" ] } }, "/subscriptions/{subscriptionId}/providers/Microsoft.KeyVault/locations/{location}/deletedVaults/{vaultName}/purge": { "post": { "tags": [ "Vaults" ], "operationId": "Vaults_PurgeDeleted", "x-ms-long-running-operation": true, "description": "Permanently deletes the specified vault. aka Purges the deleted Azure key vault.", "parameters": [ { "name": "vaultName", "in": "path", "required": true, "type": "string", "description": "The name of the soft-deleted vault." }, { "name": "location", "in": "path", "required": true, "type": "string", "description": "The location of the soft-deleted vault." }, { "$ref": "#/parameters/ApiVersionParameter" }, { "$ref": "#/parameters/SubscriptionIdParameter" } ], "responses": { "200": { "description": "The vault is purged." }, "202": { "description": "Vault is being purged." }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } }, "x-ms-examples": { "Purge a deleted vault": { "$ref": "./examples/purgeDeletedVault.json" } }, "produces": [ "application/json" ], "consumes": [ "application/json" ] } }, "/subscriptions/{subscriptionId}/resources": { "get": { "tags": [ "Vaults" ], "operationId": "Vaults_List", "description": "The List operation gets information about the vaults associated with the subscription.", "parameters": [ { "name": "$filter", "in": "query", "required": true, "type": "string", "enum": [ "resourceType eq 'Microsoft.KeyVault/vaults'" ], "x-ms-enum": { "name": "VaultListFilterTypes", "modelAsString": false }, "description": "The filter to apply on the operation." }, { "name": "$top", "in": "query", "type": "integer", "format": "int32", "description": "Maximum number of results to return." }, { "name": "api-version", "in": "query", "required": true, "x-ms-api-version": false, "type": "string", "enum": [ "2015-11-01" ], "x-ms-enum": { "name": "ResourceManagerApiVersions", "modelAsString": false }, "description": "Azure Resource Manager Api Version." }, { "$ref": "#/parameters/SubscriptionIdParameter" } ], "responses": { "200": { "description": "Get information about all key vaults in the subscription.", "schema": { "$ref": "#/definitions/ResourceListResult" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" }, "x-ms-examples": { "List vaults in the specified subscription": { "$ref": "./examples/listVault.json" } }, "produces": [ "application/json" ] } }, "/subscriptions/{subscriptionId}/providers/Microsoft.KeyVault/checkNameAvailability": { "post": { "tags": [ "Vaults" ], "operationId": "Vaults_CheckNameAvailability", "description": "Checks that the vault name is valid and is not already in use.", "parameters": [ { "name": "vaultName", "in": "body", "required": true, "schema": { "$ref": "#/definitions/VaultCheckNameAvailabilityParameters" }, "description": "The name of the vault." }, { "$ref": "#/parameters/ApiVersionParameter" }, { "$ref": "#/parameters/SubscriptionIdParameter" } ], "responses": { "200": { "description": "OK -- Operation to check the vault name availability was successful.", "schema": { "$ref": "#/definitions/CheckNameAvailabilityResult" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } }, "x-ms-examples": { "Validate a vault name": { "$ref": "./examples/checkVaultNameAvailability.json" } }, "produces": [ "application/json" ], "consumes": [ "application/json" ] } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/privateEndpointConnections/{privateEndpointConnectionName}": { "get": { "tags": [ "PrivateEndpointConnections" ], "operationId": "PrivateEndpointConnections_Get", "description": "Gets the specified private endpoint connection associated with the key vault.", "x-ms-examples": { "KeyVaultGetPrivateEndpointConnection": { "$ref": "./examples/getPrivateEndpointConnection.json" } }, "parameters": [ { "$ref": "#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" }, { "$ref": "#/parameters/VaultName" }, { "$ref": "#/parameters/PrivateEndpointConnectionName" }, { "$ref": "#/parameters/ApiVersionParameter" } ], "produces": [ "application/json" ], "responses": { "200": { "description": "Private endpoint connection successfully returned.", "schema": { "$ref": "#/definitions/PrivateEndpointConnection" } }, "204": { "description": "The private endpoint connection does not exist." }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } } }, "put": { "tags": [ "PrivateEndpointConnections" ], "operationId": "PrivateEndpointConnections_Put", "description": "Updates the specified private endpoint connection associated with the key vault.", "x-ms-examples": { "KeyVaultPutPrivateEndpointConnection": { "$ref": "./examples/putPrivateEndpointConnection.json" } }, "parameters": [ { "$ref": "#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" }, { "$ref": "#/parameters/VaultName" }, { "$ref": "#/parameters/PrivateEndpointConnectionName" }, { "$ref": "#/parameters/ApiVersionParameter" }, { "name": "properties", "in": "body", "required": true, "schema": { "$ref": "#/definitions/PrivateEndpointConnection" }, "description": "The intended state of private endpoint connection." } ], "consumes": [ "application/json" ], "produces": [ "application/json" ], "responses": { "200": { "description": "The state of private endpoint connection was updated successfully.", "headers": { "Retry-After": { "description": "(specified only if operation does not finish synchronously) The recommended number of seconds to wait before calling the URI specified in Azure-AsyncOperation.", "type": "integer", "format": "int32" }, "Azure-AsyncOperation": { "description": "(specified only if operation does not finish synchronously) The URI to poll for completion status. The response of this URI may be synchronous or asynchronous.", "type": "string" } }, "schema": { "$ref": "#/definitions/PrivateEndpointConnection" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } } }, "delete": { "tags": [ "PrivateEndpointConnections" ], "operationId": "PrivateEndpointConnections_Delete", "description": "Deletes the specified private endpoint connection associated with the key vault.", "x-ms-examples": { "KeyVaultDeletePrivateEndpointConnection": { "$ref": "./examples/deletePrivateEndpointConnection.json" } }, "parameters": [ { "$ref": "#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" }, { "$ref": "#/parameters/VaultName" }, { "$ref": "#/parameters/PrivateEndpointConnectionName" }, { "$ref": "#/parameters/ApiVersionParameter" } ], "produces": [ "application/json" ], "responses": { "200": { "description": "The private endpoint connection was successfully deleted.", "schema": { "$ref": "#/definitions/PrivateEndpointConnection" } }, "202": { "description": "The private endpoint connection is being deleted.", "headers": { "Retry-After": { "description": "The recommended number of seconds to wait before calling the URI specified in the location header.", "type": "integer", "format": "int32" }, "Location": { "description": "The URI to poll for completion status.", "type": "string" } } }, "204": { "description": "The private endpoint connection does not exist." }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } }, "x-ms-long-running-operation": true } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/privateEndpointConnections": { "get": { "tags": [ "PrivateEndpointConnections" ], "operationId": "PrivateEndpointConnections_ListByResource", "description": "The List operation gets information about the private endpoint connections associated with the vault.", "x-ms-examples": { "KeyVaultListPrivateEndpointConnection": { "$ref": "./examples/listPrivateEndpointConnection.json" } }, "parameters": [ { "$ref": "#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" }, { "$ref": "#/parameters/VaultName" }, { "$ref": "#/parameters/ApiVersionParameter" } ], "produces": [ "application/json" ], "responses": { "200": { "description": "Get information about all private endpoint connections in the specified resource group.", "schema": { "$ref": "#/definitions/PrivateEndpointConnectionListResult" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" } } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/privateLinkResources": { "get": { "tags": [ "PrivateLinkResources" ], "operationId": "PrivateLinkResources_ListByVault", "description": "Gets the private link resources supported for the key vault.", "x-ms-examples": { "KeyVaultListPrivateLinkResources": { "$ref": "./examples/listPrivateLinkResources.json" } }, "parameters": [ { "$ref": "#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" }, { "$ref": "#/parameters/VaultName" }, { "$ref": "#/parameters/ApiVersionParameter" } ], "produces": [ "application/json" ], "responses": { "200": { "description": "Successfully retrieved private link resources.", "schema": { "$ref": "#/definitions/PrivateLinkResourceListResult" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "common.json#/definitions/CloudError" } } } } } }, "definitions": { "Sku": { "properties": { "family": { "type": "string", "description": "SKU family name", "enum": [ "A" ], "x-ms-client-default": "A", "x-ms-enum": { "name": "SkuFamily", "modelAsString": true } }, "name": { "type": "string", "description": "SKU name to specify whether the key vault is a standard vault or a premium vault.", "enum": [ "standard", "premium" ], "x-ms-enum": { "name": "SkuName", "modelAsString": false } } }, "description": "SKU details", "required": [ "name", "family" ], "type": "object" }, "AccessPolicyEntry": { "properties": { "tenantId": { "type": "string", "format": "uuid", "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." }, "objectId": { "type": "string", "description": "The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies." }, "applicationId": { "type": "string", "format": "uuid", "description": " Application ID of the client making request on behalf of a principal" }, "permissions": { "$ref": "#/definitions/Permissions", "description": "Permissions the identity has for keys, secrets and certificates." } }, "description": "An identity that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID.", "required": [ "tenantId", "objectId", "permissions" ], "type": "object" }, "Permissions": { "properties": { "keys": { "type": "array", "items": { "type": "string", "enum": [ "all", "encrypt", "decrypt", "wrapKey", "unwrapKey", "sign", "verify", "get", "list", "create", "update", "import", "delete", "backup", "restore", "recover", "purge", "release", "rotate", "getrotationpolicy", "setrotationpolicy" ], "x-ms-enum": { "name": "KeyPermissions", "modelAsString": true } }, "description": "Permissions to keys" }, "secrets": { "type": "array", "items": { "type": "string", "enum": [ "all", "get", "list", "set", "delete", "backup", "restore", "recover", "purge" ], "x-ms-enum": { "name": "SecretPermissions", "modelAsString": true } }, "description": "Permissions to secrets" }, "certificates": { "type": "array", "items": { "type": "string", "enum": [ "all", "get", "list", "delete", "create", "import", "update", "managecontacts", "getissuers", "listissuers", "setissuers", "deleteissuers", "manageissuers", "recover", "purge", "backup", "restore" ], "x-ms-enum": { "name": "CertificatePermissions", "modelAsString": true } }, "description": "Permissions to certificates" }, "storage": { "type": "array", "items": { "type": "string", "enum": [ "all", "get", "list", "delete", "set", "update", "regeneratekey", "recover", "purge", "backup", "restore", "setsas", "listsas", "getsas", "deletesas" ], "x-ms-enum": { "name": "StoragePermissions", "modelAsString": true } }, "description": "Permissions to storage accounts" } }, "description": "Permissions the identity has for keys, secrets, certificates and storage.", "type": "object" }, "VaultProperties": { "properties": { "tenantId": { "type": "string", "format": "uuid", "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." }, "sku": { "$ref": "#/definitions/Sku", "description": "SKU details" }, "accessPolicies": { "type": "array", "items": { "$ref": "#/definitions/AccessPolicyEntry" }, "x-ms-identifiers": [ "tenantId", "objectId", "permissions" ], "description": "An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When `createMode` is set to `recover`, access policies are not required. Otherwise, access policies are required." }, "vaultUri": { "type": "string", "description": "The URI of the vault for performing operations on keys and secrets." }, "hsmPoolResourceId": { "type": "string", "description": "The resource id of HSM Pool.", "readOnly": true }, "enabledForDeployment": { "type": "boolean", "description": "Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault." }, "enabledForDiskEncryption": { "type": "boolean", "description": "Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys." }, "enabledForTemplateDeployment": { "type": "boolean", "description": "Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault." }, "enableSoftDelete": { "type": "boolean", "default": true, "description": "Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false." }, "softDeleteRetentionInDays": { "type": "integer", "format": "int32", "default": 90, "description": "softDelete data retention days. It accepts >=7 and <=90." }, "enableRbacAuthorization": { "type": "boolean", "default": false, "description": "Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC." }, "createMode": { "type": "string", "description": "The vault's create mode to indicate whether the vault need to be recovered or not.", "enum": [ "recover", "default" ], "x-ms-enum": { "name": "CreateMode", "modelAsString": false }, "x-ms-mutability": [ "create", "update" ] }, "enablePurgeProtection": { "type": "boolean", "description": "Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value." }, "networkAcls": { "$ref": "#/definitions/NetworkRuleSet", "description": "Rules governing the accessibility of the key vault from specific network locations." }, "provisioningState": { "type": "string", "description": "Provisioning state of the vault.", "enum": [ "Succeeded", "RegisteringDns" ], "x-ms-enum": { "name": "VaultProvisioningState", "modelAsString": true } }, "privateEndpointConnections": { "readOnly": true, "type": "array", "items": { "$ref": "#/definitions/PrivateEndpointConnectionItem" }, "description": "List of private endpoint connections associated with the key vault." }, "publicNetworkAccess": { "type": "string", "default": "enabled", "description": "Property to specify whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules." } }, "required": [ "tenantId", "sku" ], "description": "Properties of the vault", "type": "object" }, "VaultPatchProperties": { "properties": { "tenantId": { "type": "string", "format": "uuid", "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." }, "sku": { "$ref": "#/definitions/Sku", "description": "SKU details" }, "accessPolicies": { "type": "array", "items": { "$ref": "#/definitions/AccessPolicyEntry" }, "x-ms-identifiers": [ "tenantId", "objectId", "permissions" ], "description": "An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." }, "enabledForDeployment": { "type": "boolean", "description": "Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault." }, "enabledForDiskEncryption": { "type": "boolean", "description": "Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys." }, "enabledForTemplateDeployment": { "type": "boolean", "description": "Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault." }, "enableSoftDelete": { "type": "boolean", "description": "Property to specify whether the 'soft delete' functionality is enabled for this key vault. Once set to true, it cannot be reverted to false." }, "enableRbacAuthorization": { "type": "boolean", "description": "Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the value of this property will not change." }, "softDeleteRetentionInDays": { "type": "integer", "format": "int32", "description": "softDelete data retention days. It accepts >=7 and <=90." }, "createMode": { "type": "string", "description": "The vault's create mode to indicate whether the vault need to be recovered or not.", "enum": [ "recover", "default" ], "x-ms-enum": { "name": "CreateMode", "modelAsString": false } }, "enablePurgeProtection": { "type": "boolean", "description": "Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value." }, "networkAcls": { "$ref": "#/definitions/NetworkRuleSet", "description": "A collection of rules governing the accessibility of the vault from specific network locations." }, "publicNetworkAccess": { "type": "string", "description": "Property to specify whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules." } }, "description": "Properties of the vault", "type": "object" }, "VaultAccessPolicyProperties": { "properties": { "accessPolicies": { "type": "array", "items": { "$ref": "#/definitions/AccessPolicyEntry" }, "x-ms-identifiers": [ "tenantId", "objectId", "permissions" ], "description": "An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." } }, "required": [ "accessPolicies" ], "description": "Properties of the vault access policy", "type": "object" }, "DeletedVaultProperties": { "properties": { "vaultId": { "readOnly": true, "type": "string", "description": "The resource id of the original vault." }, "location": { "readOnly": true, "type": "string", "description": "The location of the original vault." }, "deletionDate": { "readOnly": true, "type": "string", "format": "date-time", "description": "The deleted date." }, "scheduledPurgeDate": { "readOnly": true, "type": "string", "format": "date-time", "description": "The scheduled purged date." }, "tags": { "readOnly": true, "type": "object", "additionalProperties": { "type": "string" }, "description": "Tags of the original vault." }, "purgeProtectionEnabled": { "readOnly": true, "type": "boolean", "description": "Purge protection status of the original vault." } }, "description": "Properties of the deleted vault.", "type": "object" }, "VaultCreateOrUpdateParameters": { "properties": { "location": { "type": "string", "description": "The supported Azure location where the key vault should be created." }, "tags": { "type": "object", "additionalProperties": { "type": "string" }, "description": "The tags that will be assigned to the key vault." }, "properties": { "$ref": "#/definitions/VaultProperties", "description": "Properties of the vault" } }, "description": "Parameters for creating or updating a vault", "required": [ "location", "properties" ], "x-ms-azure-resource": true, "type": "object" }, "VaultPatchParameters": { "properties": { "tags": { "type": "object", "additionalProperties": { "type": "string" }, "description": "The tags that will be assigned to the key vault. " }, "properties": { "$ref": "#/definitions/VaultPatchProperties", "description": "Properties of the vault" } }, "description": "Parameters for creating or updating a vault", "x-ms-azure-resource": true, "type": "object" }, "VaultAccessPolicyParameters": { "properties": { "id": { "readOnly": true, "type": "string", "description": "The resource id of the access policy." }, "name": { "readOnly": true, "type": "string", "description": "The resource name of the access policy." }, "type": { "readOnly": true, "type": "string", "description": "The resource name of the access policy." }, "location": { "readOnly": true, "type": "string", "description": "The resource type of the access policy." }, "properties": { "$ref": "#/definitions/VaultAccessPolicyProperties", "description": "Properties of the access policy" } }, "description": "Parameters for updating the access policy in a vault", "required": [ "properties" ], "x-ms-azure-resource": true, "type": "object" }, "Vault": { "properties": { "id": { "readOnly": true, "type": "string", "description": "Fully qualified identifier of the key vault resource." }, "name": { "readOnly": true, "type": "string", "description": "Name of the key vault resource." }, "type": { "readOnly": true, "type": "string", "description": "Resource type of the key vault resource." }, "location": { "type": "string", "description": "Azure location of the key vault resource." }, "tags": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Tags assigned to the key vault resource." }, "systemData": { "description": "System metadata for the key vault.", "$ref": "common.json#/definitions/SystemData" }, "properties": { "$ref": "#/definitions/VaultProperties", "description": "Properties of the vault" } }, "required": [ "properties" ], "description": "Resource information with extended details.", "x-ms-azure-resource": true, "type": "object" }, "DeletedVault": { "properties": { "id": { "readOnly": true, "type": "string", "description": "The resource ID for the deleted key vault." }, "name": { "readOnly": true, "type": "string", "description": "The name of the key vault." }, "type": { "readOnly": true, "type": "string", "description": "The resource type of the key vault." }, "properties": { "$ref": "#/definitions/DeletedVaultProperties", "description": "Properties of the vault" } }, "description": "Deleted vault information with extended details.", "type": "object" }, "VaultListResult": { "properties": { "value": { "type": "array", "items": { "$ref": "#/definitions/Vault" }, "description": "The list of vaults." }, "nextLink": { "type": "string", "description": "The URL to get the next set of vaults." } }, "description": "List of vaults", "type": "object" }, "DeletedVaultListResult": { "properties": { "value": { "type": "array", "items": { "$ref": "#/definitions/DeletedVault" }, "description": "The list of deleted vaults." }, "nextLink": { "type": "string", "description": "The URL to get the next set of deleted vaults." } }, "description": "List of vaults", "type": "object" }, "ResourceListResult": { "properties": { "value": { "type": "array", "items": { "$ref": "#/definitions/Resource" }, "description": "The list of vault resources." }, "nextLink": { "type": "string", "description": "The URL to get the next set of vault resources." } }, "description": "List of vault resources.", "type": "object" }, "Resource": { "properties": { "id": { "readOnly": true, "type": "string", "description": "Fully qualified identifier of the key vault resource." }, "name": { "readOnly": true, "type": "string", "description": "Name of the key vault resource." }, "type": { "readOnly": true, "type": "string", "description": "Resource type of the key vault resource." }, "location": { "readOnly": true, "type": "string", "description": "Azure location of the key vault resource." }, "tags": { "readOnly": true, "type": "object", "additionalProperties": { "type": "string" }, "description": "Tags assigned to the key vault resource." } }, "description": "Key Vault resource", "x-ms-azure-resource": true, "type": "object" }, "VaultCheckNameAvailabilityParameters": { "properties": { "name": { "type": "string", "description": "The vault name." }, "type": { "type": "string", "enum": [ "Microsoft.KeyVault/vaults" ], "x-ms-enum": { "name": "Type", "modelAsString": false }, "description": "The type of resource, Microsoft.KeyVault/vaults" } }, "required": [ "name", "type" ], "description": "The parameters used to check the availability of the vault name.", "type": "object" }, "CheckNameAvailabilityResult": { "properties": { "nameAvailable": { "readOnly": true, "type": "boolean", "description": "A boolean value that indicates whether the name is available for you to use. If true, the name is available. If false, the name has already been taken or is invalid and cannot be used." }, "reason": { "readOnly": true, "type": "string", "description": "The reason that a vault name could not be used. The Reason element is only returned if NameAvailable is false.", "enum": [ "AccountNameInvalid", "AlreadyExists" ], "x-ms-enum": { "name": "Reason", "modelAsString": false } }, "message": { "readOnly": true, "type": "string", "description": "An error message explaining the Reason value in more detail." } }, "description": "The CheckNameAvailability operation response.", "type": "object" }, "NetworkRuleSet": { "properties": { "bypass": { "type": "string", "description": "Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'.", "enum": [ "AzureServices", "None" ], "x-ms-enum": { "name": "NetworkRuleBypassOptions", "modelAsString": true } }, "defaultAction": { "type": "string", "description": "The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated.", "enum": [ "Allow", "Deny" ], "x-ms-enum": { "name": "NetworkRuleAction", "modelAsString": true } }, "ipRules": { "type": "array", "items": { "$ref": "#/definitions/IPRule" }, "description": "The list of IP address rules." }, "virtualNetworkRules": { "type": "array", "items": { "$ref": "#/definitions/VirtualNetworkRule" }, "x-ms-identifiers": [ "id" ], "description": "The list of virtual network rules." } }, "description": "A set of rules governing the network accessibility of a vault.", "type": "object" }, "IPRule": { "properties": { "value": { "type": "string", "description": "An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78)." } }, "required": [ "value" ], "description": "A rule governing the accessibility of a vault from a specific ip address or ip range.", "type": "object" }, "VirtualNetworkRule": { "properties": { "id": { "type": "string", "description": "Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'." }, "ignoreMissingVnetServiceEndpoint": { "type": "boolean", "description": "Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured." } }, "required": [ "id" ], "description": "A rule governing the accessibility of a vault from a specific virtual network.", "type": "object" }, "PrivateEndpointConnectionItem": { "properties": { "id": { "type": "string", "description": "Id of private endpoint connection." }, "etag": { "type": "string", "description": "Modified whenever there is a change in the state of private endpoint connection." }, "properties": { "$ref": "#/definitions/PrivateEndpointConnectionProperties", "x-ms-client-flatten": true, "description": "Private endpoint connection properties." } }, "description": "Private endpoint connection item.", "type": "object" }, "PrivateEndpointConnection": { "properties": { "properties": { "$ref": "#/definitions/PrivateEndpointConnectionProperties", "x-ms-client-flatten": true, "description": "Resource properties." }, "etag": { "type": "string", "description": "Modified whenever there is a change in the state of private endpoint connection." } }, "allOf": [ { "$ref": "#/definitions/Resource" } ], "description": "Private endpoint connection resource.", "x-ms-azure-resource": true, "type": "object" }, "PrivateEndpointConnectionListResult": { "properties": { "value": { "type": "array", "items": { "$ref": "#/definitions/PrivateEndpointConnection" }, "description": "The list of private endpoint connections." }, "nextLink": { "type": "string", "description": "The URL to get the next set of private endpoint connections." } }, "description": "List of private endpoint connections.", "type": "object" }, "PrivateEndpointConnectionProperties": { "properties": { "privateEndpoint": { "$ref": "#/definitions/PrivateEndpoint", "description": "Properties of the private endpoint object." }, "privateLinkServiceConnectionState": { "$ref": "#/definitions/PrivateLinkServiceConnectionState", "description": "Approval state of the private link connection." }, "provisioningState": { "$ref": "#/definitions/PrivateEndpointConnectionProvisioningState", "description": "Provisioning state of the private endpoint connection." } }, "description": "Properties of the private endpoint connection resource.", "type": "object" }, "PrivateEndpoint": { "properties": { "id": { "readOnly": true, "type": "string", "description": "Full identifier of the private endpoint resource." } }, "description": "Private endpoint object properties.", "type": "object" }, "PrivateLinkServiceConnectionState": { "properties": { "status": { "$ref": "#/definitions/PrivateEndpointServiceConnectionStatus", "description": "Indicates whether the connection has been approved, rejected or removed by the key vault owner." }, "description": { "type": "string", "description": "The reason for approval or rejection." }, "actionsRequired": { "type": "string", "description": "A message indicating if changes on the service provider require any updates on the consumer.", "enum": [ "None" ], "x-ms-enum": { "name": "ActionsRequired", "modelAsString": true } } }, "description": "An object that represents the approval state of the private link connection.", "type": "object" }, "PrivateEndpointServiceConnectionStatus": { "type": "string", "description": "The private endpoint connection status.", "enum": [ "Pending", "Approved", "Rejected", "Disconnected" ], "x-ms-enum": { "name": "PrivateEndpointServiceConnectionStatus", "modelAsString": true } }, "PrivateEndpointConnectionProvisioningState": { "type": "string", "readOnly": true, "description": "The current provisioning state.", "enum": [ "Succeeded", "Creating", "Updating", "Deleting", "Failed", "Disconnected" ], "x-ms-enum": { "name": "PrivateEndpointConnectionProvisioningState", "modelAsString": true } }, "PrivateLinkResourceListResult": { "properties": { "value": { "type": "array", "description": "Array of private link resources", "items": { "$ref": "#/definitions/PrivateLinkResource" } } }, "description": "A list of private link resources", "type": "object" }, "PrivateLinkResource": { "properties": { "properties": { "$ref": "#/definitions/PrivateLinkResourceProperties", "description": "Resource properties.", "x-ms-client-flatten": true } }, "allOf": [ { "$ref": "#/definitions/Resource" } ], "description": "A private link resource", "type": "object" }, "PrivateLinkResourceProperties": { "properties": { "groupId": { "description": "Group identifier of private link resource.", "type": "string", "readOnly": true }, "requiredMembers": { "description": "Required member names of private link resource.", "type": "array", "items": { "type": "string" }, "readOnly": true }, "requiredZoneNames": { "type": "array", "items": { "type": "string" }, "description": "Required DNS zone names of the the private link resource." } }, "description": "Properties of a private link resource.", "type": "object" } }, "parameters": { "SubscriptionIdParameter": { "name": "subscriptionId", "in": "path", "required": true, "type": "string", "description": "Subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms part of the URI for every service call." }, "ResourceGroupName": { "name": "resourceGroupName", "in": "path", "required": true, "type": "string", "description": "Name of the resource group that contains the key vault.", "x-ms-parameter-location": "method" }, "VaultName": { "name": "vaultName", "in": "path", "required": true, "type": "string", "pattern": "^[a-zA-Z0-9-]{3,24}$", "description": "The name of the key vault.", "x-ms-parameter-location": "method" }, "PrivateEndpointConnectionName": { "name": "privateEndpointConnectionName", "in": "path", "required": true, "type": "string", "description": "Name of the private endpoint connection associated with the key vault.", "x-ms-parameter-location": "method" }, "ApiVersionParameter": { "name": "api-version", "in": "query", "required": true, "type": "string", "description": "Client Api Version." } }, "securityDefinitions": { "azure_auth": { "type": "oauth2", "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", "flow": "implicit", "description": "Azure Active Directory OAuth2 Flow", "scopes": { "user_impersonation": "impersonate your user account" } } } }