azurermKeyVaultAccessPolicy

Manages a Key Vault Access Policy.

~> NOTE: It's possible to define Key Vault Access Policies both within the azurermKeyVault resource via the accessPolicy block and by using the azurermKeyVaultAccessPolicy resource. However, it's not possible to use both methods to manage Access Policies within a Key Vault, since there'll be conflicts.

-> NOTE: Azure permits a maximum of 1024 Access Policies per Key Vault - more information can be found in this document.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
import * as azuread from "./.gen/providers/azuread";
// Resource group that will hold the vault.
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
// Look up the service principal that will be granted access to keys.
const dataAzureadServicePrincipalExample =
  new azuread.dataAzureadServicePrincipal.DataAzureadServicePrincipal(
    this,
    "example_1",
    {
      displayName: "example-app",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAzureadServicePrincipalExample.overrideLogicalId("example");
// Tenant and object ID of the identity running Terraform.
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );
// The vault itself. No inline accessPolicy block is declared here, because the
// policies are managed by the azurermKeyVaultAccessPolicy resources below.
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
  this,
  "example_3",
  {
    location: azurermResourceGroupExample.location,
    name: "examplekeyvault",
    resourceGroupName: azurermResourceGroupExample.name,
    skuName: "premium",
    tenantId: dataAzurermClientConfigCurrent.tenantId,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultExample.overrideLogicalId("example");
// Read-only access to keys and secrets for the identity running Terraform.
const azurermKeyVaultAccessPolicyExample =
  new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(this, "example_4", {
    keyPermissions: ["Get"],
    keyVaultId: azurermKeyVaultExample.id,
    objectId: dataAzurermClientConfigCurrent.objectId,
    secretPermissions: ["Get"],
    tenantId: dataAzurermClientConfigCurrent.tenantId,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultAccessPolicyExample.overrideLogicalId("example");
// The service principal may read and use keys, but not create, delete or purge them.
new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(
  this,
  "example-principal",
  {
    keyPermissions: ["Get", "List", "Encrypt", "Decrypt"],
    keyVaultId: azurermKeyVaultExample.id,
    objectId: dataAzureadServicePrincipalExample.objectId,
    tenantId: dataAzurermClientConfigCurrent.tenantId,
  }
);

Argument Reference

The following arguments are supported:

  • keyVaultId - (Required) Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

  • tenantId - (Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

  • objectId - (Required) The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID of a service principal can be fetched from the objectId attribute of the azureadServicePrincipal data source. The object ID must be unique within the list of access policies. Changing this forces a new resource to be created.

  • applicationId - (Optional) The object ID of an Application in Azure Active Directory. Changing this forces a new resource to be created.

  • certificatePermissions - (Optional) List of certificate permissions, must be one or more from the following: backup, create, delete, deleteIssuers, get, getIssuers, import, list, listIssuers, manageContacts, manageIssuers, purge, recover, restore, setIssuers and update.

  • keyPermissions - (Optional) List of key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify, wrapKey, release, rotate, getRotationPolicy, and setRotationPolicy.

  • secretPermissions - (Optional) List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set.

  • storagePermissions - (Optional) List of storage permissions, must be one or more from the following: backup, delete, deleteSas, get, getSas, list, listSas, purge, recover, regenerateKey, restore, set, setSas and update.
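The following is an added example, not code from the provider docs: a pre-apply lint that checks a planned set of access policies against the constraints stated above (the permission vocabularies per kind, the unique objectId requirement and the 1024-per-vault limit), and flags purge as a least-privilege concern. The sample tenant and object IDs are constructed placeholders.

```typescript
// Added example, not from the provider docs: pre-apply lint using the constraints in the argument reference.
type PermissionKind = "certificatePermissions" | "keyPermissions" | "secretPermissions" | "storagePermissions";
const PERMISSIONS: Record<PermissionKind, string[]> = {
  certificatePermissions: ["backup", "create", "delete", "deleteIssuers", "get", "getIssuers", "import",
    "list", "listIssuers", "manageContacts", "manageIssuers", "purge", "recover", "restore", "setIssuers", "update"],
  keyPermissions: ["backup", "create", "decrypt", "delete", "encrypt", "get", "import", "list", "purge", "recover",
    "restore", "sign", "unwrapKey", "update", "verify", "wrapKey", "release", "rotate", "getRotationPolicy", "setRotationPolicy"],
  secretPermissions: ["backup", "delete", "get", "list", "purge", "recover", "restore", "set"],
  storagePermissions: ["backup", "delete", "deleteSas", "get", "getSas", "list", "listSas", "purge", "recover",
    "regenerateKey", "restore", "set", "setSas", "update"],
};
const MAX_POLICIES_PER_VAULT = 1024; // Azure limit quoted in the note at the top of the page
interface AccessPolicy extends Partial<Record<PermissionKind, string[]>> {
  tenantId: string;
  objectId: string;
  applicationId?: string;
}
function validateAccessPolicies(policies: AccessPolicy[]): string[] {
  const problems: string[] = [];
  if (policies.length > MAX_POLICIES_PER_VAULT) problems.push(`${policies.length} policies exceed the ${MAX_POLICIES_PER_VAULT} per-vault limit`);
  const seen = new Set<string>();
  policies.forEach((p, i) => {
    // The argument reference requires objectId to be unique across a vault's policies.
    if (seen.has(p.objectId)) problems.push(`policy[${i}]: duplicate objectId ${p.objectId}`);
    seen.add(p.objectId);
    let grants = 0;
    for (const kind of Object.keys(PERMISSIONS) as PermissionKind[]) {
      const allowed = PERMISSIONS[kind].map((x) => x.toLowerCase());
      for (const perm of p[kind] ?? []) {
        grants++;
        // Compared case-insensitively, so "Get" as written in Example Usage matches "get".
        if (!allowed.includes(perm.toLowerCase())) problems.push(`policy[${i}]: unknown ${kind} value "${perm}"`);
        // Least-privilege flag: purge permanently removes soft-deleted objects.
        else if (perm.toLowerCase() === "purge") problems.push(`policy[${i}]: warning, ${kind} includes purge`);
      }
    }
    if (grants === 0) problems.push(`policy[${i}]: grants no permissions`);
  });
  return problems;
}
// Constructed sample mirroring the two policies in Example Usage; IDs are placeholders.
const SAMPLE_POLICIES: AccessPolicy[] = [
  { tenantId: "tenant-placeholder", objectId: "object-a", keyPermissions: ["Get"], secretPermissions: ["Get"] },
  { tenantId: "tenant-placeholder", objectId: "object-b", keyPermissions: ["Get", "List", "Encrypt", "Decrypt"] },
];
console.log(validateAccessPolicies(SAMPLE_POLICIES)); // []
```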

Attributes Reference

The following attributes are exported:

  • id - Key Vault Access Policy ID.

-> NOTE: This identifier is unique to Terraform and doesn't map to an existing object within Azure.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Key Vault Access Policy.
  • update - (Defaults to 30 minutes) Used when updating the Key Vault Access Policy.
  • read - (Defaults to 5 minutes) Used when retrieving the Key Vault Access Policy.
  • delete - (Defaults to 30 minutes) Used when deleting the Key Vault Access Policy.

Import

Key Vault Access Policies can be imported using the Resource ID of the Key Vault, plus some additional metadata.

If both an objectId and applicationId are specified, then the Access Policy can be imported using the following code:

terraform import azurerm_key_vault_access_policy.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/test-vault/objectId/11111111-1111-1111-1111-111111111111/applicationId/22222222-2222-2222-2222-222222222222

where 11111111-1111-1111-1111-111111111111 is the objectId and 22222222-2222-2222-2222-222222222222 is the applicationId.

Access Policies with an objectId but no applicationId can be imported using the following command:

terraform import azurerm_key_vault_access_policy.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/test-vault/objectId/11111111-1111-1111-1111-111111111111

where 11111111-1111-1111-1111-111111111111 is the objectId.

-> NOTE: Both identifiers are unique to Terraform and don't map to an existing object within Azure.
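As an added example (not part of the provider docs), the helpers below build and parse the two import ID forms described above and emit one terraform import command per policy, which is the tedious step when moving policies from an inline accessPolicy block to standalone resources. The vault resource ID and GUIDs are the same placeholder values as in the commands above.

```typescript
// Added example, not from the provider docs: build and parse the import IDs described above.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const VAULT_ID = /^\/subscriptions\/[^/]+\/resourceGroups\/[^/]+\/providers\/Microsoft\.KeyVault\/vaults\/[^/]+$/i;
interface PolicyRef { keyVaultId: string; objectId: string; applicationId?: string; }

function buildImportId(ref: PolicyRef): string {
  if (!VAULT_ID.test(ref.keyVaultId)) throw new Error(`not a Key Vault resource ID: ${ref.keyVaultId}`);
  if (!GUID.test(ref.objectId)) throw new Error(`objectId is not a GUID: ${ref.objectId}`);
  let id = `${ref.keyVaultId}/objectId/${ref.objectId}`;
  if (ref.applicationId !== undefined) {
    if (!GUID.test(ref.applicationId)) throw new Error(`applicationId is not a GUID: ${ref.applicationId}`);
    id += `/applicationId/${ref.applicationId}`; // first form from the Import section
  }
  return id;
}

function parseImportId(id: string): PolicyRef {
  const m = /^(.+)\/objectId\/([^/]+)(?:\/applicationId\/([^/]+))?$/.exec(id);
  if (!m) throw new Error(`malformed access policy import ID: ${id}`);
  const ref: PolicyRef = { keyVaultId: m[1], objectId: m[2] };
  if (m[3] !== undefined) ref.applicationId = m[3];
  buildImportId(ref); // re-validate each component
  return ref;
}

// One `terraform import` command per policy, keyed by the Terraform resource name; useful when
// moving policies from an inline accessPolicy block to standalone resources (see the note at the top).
function importCommands(keyVaultId: string, policies: Record<string, Omit<PolicyRef, "keyVaultId">>): string[] {
  return Object.entries(policies).map(
    ([name, p]) => `terraform import azurerm_key_vault_access_policy.${name} ${buildImportId({ keyVaultId, ...p })}`
  );
}

// Constructed sample values (same placeholders as the import commands above).
const SAMPLE_VAULT = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/test-vault";
console.log(importCommands(SAMPLE_VAULT, {
  example: { objectId: "11111111-1111-1111-1111-111111111111", applicationId: "22222222-2222-2222-2222-222222222222" },
  user: { objectId: "33333333-3333-3333-3333-333333333333" },
}).join("\n"));
```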