» azurerm_key_vault_access_policy

Manages a Key Vault Access Policy.

» Example Usage

resource "azurerm_resource_group" "example" {
  name     = "resourceGroup1"
  # A literal region: a resource group cannot reference its own location.
  location = "West Europe"
}

resource "azurerm_key_vault" "example" {
  name                = "testvault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  sku_name = "standard"

  tenant_id = "22222222-2222-2222-2222-222222222222"

  enabled_for_disk_encryption = true

  tags = {
    environment = "Production"
  }
}

resource "azurerm_key_vault_access_policy" "example" {
  key_vault_id = azurerm_key_vault.example.id

  # The policy must belong to the same tenant as the vault, so reference it
  # rather than repeating (and risking a mismatch of) the GUID.
  tenant_id = azurerm_key_vault.example.tenant_id
  object_id = "11111111-1111-1111-1111-111111111111"

  key_permissions = [
    "get",
  ]

  secret_permissions = [
    "get",
  ]
}

» Argument Reference

The following arguments are supported:

  • key_vault_id - (Required) Specifies the id of the Key Vault resource. Changing this forces a new resource to be created.

  • tenant_id - (Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created.

  • object_id - (Required) The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. Each object ID may appear only once in the vault's list of access policies. Changing this forces a new resource to be created.

  • application_id - (Optional) The object ID of an Application in Azure Active Directory.

  • certificate_permissions - (Optional) List of certificate permissions, must be one or more from the following: backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers and update.

  • key_permissions - (Required) List of key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey.

  • secret_permissions - (Required) List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set.

  • storage_permissions - (Optional) List of storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update.
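The following is an added example, not part of the provider documentation above, showing how the arguments fit together in a least-privilege layout: tenant_id and the deploying identity's object_id are read from the azurerm_client_config data source instead of being hard-coded, and a separate workload identity (its object ID supplied through the hypothetical variable workload_object_id) receives only the permissions it needs. Resource names and the chosen region are assumptions.

```hcl
# Added example: least-privilege Key Vault access policies (not the provider's own code).

# The identity running Terraform; exposes tenant_id and object_id.
data "azurerm_client_config" "current" {}

# Hypothetical input: the object ID of the service principal that will read secrets at runtime.
variable "workload_object_id" {
  type        = string
  description = "Object ID of the workload service principal (hypothetical input)"
}

resource "azurerm_resource_group" "example" {
  name     = "resourceGroup1"
  location = "West Europe" # assumed region
}

resource "azurerm_key_vault" "example" {
  name                = "testvault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku_name            = "standard"
  tenant_id           = data.azurerm_client_config.current.tenant_id
}

# Policy for the deploying identity: it must manage secrets, but gets no
# cryptographic key operations and no certificate or storage permissions.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions    = ["get", "list"]
  secret_permissions = ["get", "list", "set", "delete"]
}

# Policy for the workload: read a secret and unwrap a data-encryption key,
# but never list, export, sign or modify anything in the vault.
resource "azurerm_key_vault_access_policy" "workload" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.workload_object_id

  key_permissions    = ["get", "unwrapKey"]
  secret_permissions = ["get"]
}
```

Two points to check when reviewing a configuration like this: permissions are granted per policy and there is no deny, so every list above is the full set an identity can use; and policies for the same vault must be managed either through this resource or through inline access_policy blocks on azurerm_key_vault, never both, because each method treats the vault's policy list as its own and will remove entries created by the other.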

» Attributes Reference

The following attributes are exported:

  • id - Key Vault Access Policy ID.

» Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Key Vault Access Policy.
  • update - (Defaults to 30 minutes) Used when updating the Key Vault Access Policy.
  • read - (Defaults to 5 minutes) Used when retrieving the Key Vault Access Policy.
  • delete - (Defaults to 30 minutes) Used when deleting the Key Vault Access Policy.

» Import

Key Vault Access Policies can be imported using the Resource ID of the Key Vault, plus some additional metadata.

If both an object_id and application_id are specified, then the Access Policy can be imported using the following command:

terraform import azurerm_key_vault_access_policy.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/test-vault/objectId/11111111-1111-1111-1111-111111111111/applicationId/22222222-2222-2222-2222-222222222222

where 11111111-1111-1111-1111-111111111111 is the object_id and 22222222-2222-2222-2222-222222222222 is the application_id.

Access Policies with an object_id but no application_id can be imported using the following command:

terraform import azurerm_key_vault_access_policy.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/test-vault/objectId/11111111-1111-1111-1111-111111111111

where 11111111-1111-1111-1111-111111111111 is the object_id.