» Data Source: azurerm_key_vault_certificate

Use this data source to access information about an existing Key Vault Certificate.

» Example Usage

data "azurerm_key_vault" "example" {
  name                = "examplekv"
  resource_group_name = "some-resource-group"
}

data "azurerm_key_vault_certificate" "example" {
  name         = "secret-sauce"
  key_vault_id = data.azurerm_key_vault.example.id
}

output "certificate_thumbprint" {
  value = data.azurerm_key_vault_certificate.example.thumbprint
}

» Argument Reference

The following arguments are supported:

  • name - Specifies the name of the Key Vault Certificate.

  • key_vault_id - Specifies the ID of the Key Vault instance where the Certificate resides, available on the azurerm_key_vault Data Source / Resource.

  • version - (Optional) Specifies the version of the certificate to look up. (Defaults to latest)

NOTE: The vault must be in the same subscription as the provider. If the vault is in another subscription, you must create an aliased provider for that subscription.
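
The aliased-provider setup described in the note above, as an added example that is not part of the original provider documentation. The alias name shared_services, the placeholder subscription ID and the postcondition are assumptions; the postcondition needs Terraform 1.2 or later and reads the nested policy blocks as single-element lists.

```hcl
# Default provider: the subscription Terraform normally deploys into.
provider "azurerm" {
  features {}
}

# Aliased provider for the subscription that owns the vault.
# The alias and the subscription ID are placeholders.
provider "azurerm" {
  alias           = "shared_services"
  subscription_id = "00000000-0000-0000-0000-000000000000"
  features {}
}

# Both lookups must go through the aliased provider, otherwise the
# vault is searched for in the default subscription and not found.
data "azurerm_key_vault" "shared" {
  provider            = azurerm.shared_services
  name                = "examplekv"
  resource_group_name = "some-resource-group"
}

data "azurerm_key_vault_certificate" "shared" {
  provider     = azurerm.shared_services
  name         = "secret-sauce"
  key_vault_id = data.azurerm_key_vault.shared.id

  lifecycle {
    # Fail the plan if the certificate policy allows the private key
    # to be exported from the vault.
    postcondition {
      condition     = !self.certificate_policy[0].key_properties[0].exportable
      error_message = "Certificate policy marks the private key as exportable."
    }
  }
}

output "shared_certificate_thumbprint" {
  value = data.azurerm_key_vault_certificate.shared.thumbprint
}
```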

» Attributes Reference

The following attributes are exported:

  • certificate_policy - A certificate_policy block as defined below.

  • tags - A mapping of tags assigned to the resource.


certificate_policy exports the following:


issuer_parameters exports the following:

  • name - The name of the Certificate Issuer.

key_properties exports the following:

  • exportable - Is this Certificate Exportable?
  • key_size - The size of the Key used in the Certificate.
  • key_type - Specifies the Type of Key, for example RSA.
  • reuse_key - Is the key reusable?

lifetime_action exports the following:

  • action - An action block as defined below.
  • trigger - A trigger block as defined below.

action exports the following:

  • action_type - The Type of action to be performed when the lifetime trigger is triggered.

trigger exports the following:

  • days_before_expiry - The number of days before the Certificate expires that the action associated with this Trigger should run.
  • lifetime_percentage - The percentage of the Certificate's lifetime at which the action associated with this Trigger should run.

secret_properties exports the following:

  • content_type - The Content-Type of the Certificate, for example application/x-pkcs12 for a PFX or application/x-pem-file for a PEM.

x509_certificate_properties exports the following:


subject_alternative_names exports the following:

  • dns_names - A list of alternative DNS names (FQDNs) identified by the Certificate.
  • emails - A list of email addresses identified by this Certificate.
  • upns - A list of User Principal Names identified by the Certificate.

» Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • read - (Defaults to 5 minutes) Used when retrieving the Key Vault Certificate.