keyvault.azure.com/v1api20230701
APIVersion
| Value | Description |
|---|---|
| “2023-07-01” |
Vault
Generator information: - Generated from: /keyvault/resource-manager/Microsoft.KeyVault/stable/2023-07-01/keyvault.json - ARM URI: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}
Used by: VaultList.
| Property | Description | Type |
|---|---|---|
| metav1.TypeMeta | ||
| metav1.ObjectMeta | ||
| spec | Vault_Spec Optional |
|
| status | Vault_STATUS Optional |
Vault_Spec
| Property | Description | Type |
|---|---|---|
| azureName | The name of the resource in Azure. This is often the same as the name of the resource in Kubernetes but it doesn’t have to be. | string Optional |
| location | The supported Azure location where the key vault should be created. | string Required |
| operatorSpec | The specification for configuring operator behavior. This field is interpreted by the operator and not passed directly to Azure | VaultOperatorSpec Optional |
| owner | The owner of the resource. The owner controls where the resource goes when it is deployed. The owner also controls the resources lifecycle. When the owner is deleted the resource will also be deleted. Owner is expected to be a reference to a resources.azure.com/ResourceGroup resource | genruntime.KnownResourceReference Required |
| properties | Properties of the vault | VaultProperties Required |
| tags | The tags that will be assigned to the key vault. | map[string]string Optional |
Vault_STATUS
| Property | Description | Type |
|---|---|---|
| conditions | The observed state of the resource | conditions.Condition[] Optional |
| id | Fully qualified identifier of the key vault resource. | string Optional |
| location | Azure location of the key vault resource. | string Optional |
| name | Name of the key vault resource. | string Optional |
| properties | Properties of the vault | VaultProperties_STATUS Optional |
| systemData | System metadata for the key vault. | SystemData_STATUS Optional |
| tags | Tags assigned to the key vault resource. | map[string]string Optional |
| type | Resource type of the key vault resource. | string Optional |
VaultList
Generator information: - Generated from: /keyvault/resource-manager/Microsoft.KeyVault/stable/2023-07-01/keyvault.json - ARM URI: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}
| Property | Description | Type |
|---|---|---|
| metav1.TypeMeta | ||
| metav1.ListMeta | ||
| items | Vault[] Optional |
Vault_Spec
Used by: Vault.
| Property | Description | Type |
|---|---|---|
| azureName | The name of the resource in Azure. This is often the same as the name of the resource in Kubernetes but it doesn’t have to be. | string Optional |
| location | The supported Azure location where the key vault should be created. | string Required |
| operatorSpec | The specification for configuring operator behavior. This field is interpreted by the operator and not passed directly to Azure | VaultOperatorSpec Optional |
| owner | The owner of the resource. The owner controls where the resource goes when it is deployed. The owner also controls the resources lifecycle. When the owner is deleted the resource will also be deleted. Owner is expected to be a reference to a resources.azure.com/ResourceGroup resource | genruntime.KnownResourceReference Required |
| properties | Properties of the vault | VaultProperties Required |
| tags | The tags that will be assigned to the key vault. | map[string]string Optional |
Vault_STATUS
Resource information with extended details.
Used by: Vault.
| Property | Description | Type |
|---|---|---|
| conditions | The observed state of the resource | conditions.Condition[] Optional |
| id | Fully qualified identifier of the key vault resource. | string Optional |
| location | Azure location of the key vault resource. | string Optional |
| name | Name of the key vault resource. | string Optional |
| properties | Properties of the vault | VaultProperties_STATUS Optional |
| systemData | System metadata for the key vault. | SystemData_STATUS Optional |
| tags | Tags assigned to the key vault resource. | map[string]string Optional |
| type | Resource type of the key vault resource. | string Optional |
SystemData_STATUS
Metadata pertaining to creation and last modification of the key vault resource.
Used by: Vault_STATUS.
| Property | Description | Type |
|---|---|---|
| createdAt | The timestamp of the key vault resource creation (UTC). | string Optional |
| createdBy | The identity that created the key vault resource. | string Optional |
| createdByType | The type of identity that created the key vault resource. | IdentityType_STATUS Optional |
| lastModifiedAt | The timestamp of the key vault resource last modification (UTC). | string Optional |
| lastModifiedBy | The identity that last modified the key vault resource. | string Optional |
| lastModifiedByType | The type of identity that last modified the key vault resource. | IdentityType_STATUS Optional |
VaultOperatorSpec
Details for configuring operator behavior. Fields in this struct are interpreted by the operator directly rather than being passed to Azure
Used by: Vault_Spec.
| Property | Description | Type |
|---|---|---|
| configMapExpressions | configures where to place operator written dynamic ConfigMaps (created with CEL expressions). | core.DestinationExpression[] Optional |
| secretExpressions | configures where to place operator written dynamic secrets (created with CEL expressions). | core.DestinationExpression[] Optional |
VaultProperties
Properties of the vault
Used by: Vault_Spec.
| Property | Description | Type |
|---|---|---|
| accessPolicies | An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault’s tenant ID. When createMode is set to recover, access policies are not required. Otherwise, access policies are required. |
AccessPolicyEntry[] Optional |
| createMode | The vault’s create mode to indicate whether the vault need to be recovered or not. | VaultProperties_CreateMode Optional |
| enabledForDeployment | Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. | bool Optional |
| enabledForDiskEncryption | Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | bool Optional |
| enabledForTemplateDeployment | Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. | bool Optional |
| enablePurgeProtection | Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value. | bool Optional |
| enableRbacAuthorization | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | bool Optional |
| enableSoftDelete | Property to specify whether the ‘soft delete’ functionality is enabled for this key vault. If it’s not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false. | bool Optional |
| networkAcls | Rules governing the accessibility of the key vault from specific network locations. | NetworkRuleSet Optional |
| provisioningState | Provisioning state of the vault. | VaultProperties_ProvisioningState Optional |
| publicNetworkAccess | Property to specify whether the vault will accept traffic from public internet. If set to ‘disabled’ all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules. | string Optional |
| sku | SKU details | Sku Required |
| softDeleteRetentionInDays | softDelete data retention days. It accepts >=7 and <=90. | int Optional |
| tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string Optional |
| tenantIdFromConfig | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | genruntime.ConfigMapReference Optional |
| vaultUri | The URI of the vault for performing operations on keys and secrets. | string Optional |
VaultProperties_STATUS
Properties of the vault
Used by: Vault_STATUS.
| Property | Description | Type |
|---|---|---|
| accessPolicies | An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault’s tenant ID. When createMode is set to recover, access policies are not required. Otherwise, access policies are required. |
AccessPolicyEntry_STATUS[] Optional |
| createMode | The vault’s create mode to indicate whether the vault need to be recovered or not. | VaultProperties_CreateMode_STATUS Optional |
| enabledForDeployment | Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. | bool Optional |
| enabledForDiskEncryption | Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | bool Optional |
| enabledForTemplateDeployment | Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. | bool Optional |
| enablePurgeProtection | Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value. | bool Optional |
| enableRbacAuthorization | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | bool Optional |
| enableSoftDelete | Property to specify whether the ‘soft delete’ functionality is enabled for this key vault. If it’s not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false. | bool Optional |
| hsmPoolResourceId | The resource id of HSM Pool. | string Optional |
| networkAcls | Rules governing the accessibility of the key vault from specific network locations. | NetworkRuleSet_STATUS Optional |
| privateEndpointConnections | List of private endpoint connections associated with the key vault. | PrivateEndpointConnectionItem_STATUS[] Optional |
| provisioningState | Provisioning state of the vault. | VaultProperties_ProvisioningState_STATUS Optional |
| publicNetworkAccess | Property to specify whether the vault will accept traffic from public internet. If set to ‘disabled’ all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules. | string Optional |
| sku | SKU details | Sku_STATUS Optional |
| softDeleteRetentionInDays | softDelete data retention days. It accepts >=7 and <=90. | int Optional |
| tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string Optional |
| vaultUri | The URI of the vault for performing operations on keys and secrets. | string Optional |
AccessPolicyEntry
An identity that have access to the key vault. All identities in the array must use the same tenant ID as the key vault’s tenant ID.
Used by: VaultProperties.
| Property | Description | Type |
|---|---|---|
| applicationId | Application ID of the client making request on behalf of a principal | string Optional |
| applicationIdFromConfig | Application ID of the client making request on behalf of a principal | genruntime.ConfigMapReference Optional |
| objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string Optional |
| objectIdFromConfig | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | genruntime.ConfigMapReference Optional |
| permissions | Permissions the identity has for keys, secrets and certificates. | Permissions Required |
| tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string Optional |
| tenantIdFromConfig | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | genruntime.ConfigMapReference Optional |
AccessPolicyEntry_STATUS
An identity that have access to the key vault. All identities in the array must use the same tenant ID as the key vault’s tenant ID.
Used by: VaultProperties_STATUS.
| Property | Description | Type |
|---|---|---|
| applicationId | Application ID of the client making request on behalf of a principal | string Optional |
| objectId | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. | string Optional |
| permissions | Permissions the identity has for keys, secrets and certificates. | Permissions_STATUS Optional |
| tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string Optional |
IdentityType_STATUS
The type of identity.
Used by: SystemData_STATUS, and SystemData_STATUS.
| Value | Description |
|---|---|
| “Application” | |
| “Key” | |
| “ManagedIdentity” | |
| “User” |
NetworkRuleSet
A set of rules governing the network accessibility of a vault.
Used by: VaultProperties.
| Property | Description | Type |
|---|---|---|
| bypass | Tells what traffic can bypass network rules. This can be ‘AzureServices’ or ‘None’. If not specified the default is ‘AzureServices’. | NetworkRuleSet_Bypass Optional |
| defaultAction | The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. | NetworkRuleSet_DefaultAction Optional |
| ipRules | The list of IP address rules. | IPRule[] Optional |
| virtualNetworkRules | The list of virtual network rules. | VirtualNetworkRule[] Optional |
NetworkRuleSet_STATUS
A set of rules governing the network accessibility of a vault.
Used by: VaultProperties_STATUS.
| Property | Description | Type |
|---|---|---|
| bypass | Tells what traffic can bypass network rules. This can be ‘AzureServices’ or ‘None’. If not specified the default is ‘AzureServices’. | NetworkRuleSet_Bypass_STATUS Optional |
| defaultAction | The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. | NetworkRuleSet_DefaultAction_STATUS Optional |
| ipRules | The list of IP address rules. | IPRule_STATUS[] Optional |
| virtualNetworkRules | The list of virtual network rules. | VirtualNetworkRule_STATUS[] Optional |
PrivateEndpointConnectionItem_STATUS
Private endpoint connection item.
Used by: VaultProperties_STATUS.
| Property | Description | Type |
|---|---|---|
| etag | Modified whenever there is a change in the state of private endpoint connection. | string Optional |
| id | Id of private endpoint connection. | string Optional |
| privateEndpoint | Properties of the private endpoint object. | PrivateEndpoint_STATUS Optional |
| privateLinkServiceConnectionState | Approval state of the private link connection. | PrivateLinkServiceConnectionState_STATUS Optional |
| provisioningState | Provisioning state of the private endpoint connection. | PrivateEndpointConnectionProvisioningState_STATUS Optional |
Sku
SKU details
Used by: VaultProperties.
| Property | Description | Type |
|---|---|---|
| family | SKU family name | Sku_Family Required |
| name | SKU name to specify whether the key vault is a standard vault or a premium vault. | Sku_Name Required |
Sku_STATUS
SKU details
Used by: VaultProperties_STATUS.
| Property | Description | Type |
|---|---|---|
| family | SKU family name | Sku_Family_STATUS Optional |
| name | SKU name to specify whether the key vault is a standard vault or a premium vault. | Sku_Name_STATUS Optional |
VaultProperties_CreateMode
Used by: VaultProperties.
| Value | Description |
|---|---|
| “createOrRecover” | |
| “default” | |
| “purgeThenCreate” | |
| “recover” |
VaultProperties_CreateMode_STATUS
Used by: VaultProperties_STATUS.
| Value | Description |
|---|---|
| “createOrRecover” | |
| “default” | |
| “purgeThenCreate” | |
| “recover” |
VaultProperties_ProvisioningState
Used by: VaultProperties.
| Value | Description |
|---|---|
| “RegisteringDns” | |
| “Succeeded” |
VaultProperties_ProvisioningState_STATUS
Used by: VaultProperties_STATUS.
| Value | Description |
|---|---|
| “RegisteringDns” | |
| “Succeeded” |
IPRule
A rule governing the accessibility of a vault from a specific ip address or ip range.
Used by: NetworkRuleSet.
| Property | Description | Type |
|---|---|---|
| value | An IPv4 address range in CIDR notation, such as ‘124.56.78.91’ (simple IP address) or ‘124.56.78.0/24’ (all addresses that start with 124.56.78). | string Required |
IPRule_STATUS
A rule governing the accessibility of a vault from a specific ip address or ip range.
Used by: NetworkRuleSet_STATUS.
| Property | Description | Type |
|---|---|---|
| value | An IPv4 address range in CIDR notation, such as ‘124.56.78.91’ (simple IP address) or ‘124.56.78.0/24’ (all addresses that start with 124.56.78). | string Optional |
NetworkRuleSet_Bypass
Used by: NetworkRuleSet.
| Value | Description |
|---|---|
| “AzureServices” | |
| “None” |
NetworkRuleSet_Bypass_STATUS
Used by: NetworkRuleSet_STATUS.
| Value | Description |
|---|---|
| “AzureServices” | |
| “None” |
NetworkRuleSet_DefaultAction
Used by: NetworkRuleSet.
| Value | Description |
|---|---|
| “Allow” | |
| “Deny” |
NetworkRuleSet_DefaultAction_STATUS
Used by: NetworkRuleSet_STATUS.
| Value | Description |
|---|---|
| “Allow” | |
| “Deny” |
Permissions
Permissions the identity has for keys, secrets, certificates and storage.
Used by: AccessPolicyEntry.
| Property | Description | Type |
|---|---|---|
| certificates | Permissions to certificates | Permissions_Certificates[] Optional |
| keys | Permissions to keys | Permissions_Keys[] Optional |
| secrets | Permissions to secrets | Permissions_Secrets[] Optional |
| storage | Permissions to storage accounts | Permissions_Storage[] Optional |
Permissions_STATUS
Permissions the identity has for keys, secrets, certificates and storage.
Used by: AccessPolicyEntry_STATUS.
| Property | Description | Type |
|---|---|---|
| certificates | Permissions to certificates | Permissions_Certificates_STATUS[] Optional |
| keys | Permissions to keys | Permissions_Keys_STATUS[] Optional |
| secrets | Permissions to secrets | Permissions_Secrets_STATUS[] Optional |
| storage | Permissions to storage accounts | Permissions_Storage_STATUS[] Optional |
PrivateEndpoint_STATUS
Private endpoint object properties.
Used by: PrivateEndpointConnectionItem_STATUS.
| Property | Description | Type |
|---|---|---|
| id | Full identifier of the private endpoint resource. | string Optional |
PrivateEndpointConnectionProvisioningState_STATUS
The current provisioning state.
Used by: PrivateEndpointConnectionItem_STATUS.
| Value | Description |
|---|---|
| “Creating” | |
| “Deleting” | |
| “Disconnected” | |
| “Failed” | |
| “Succeeded” | |
| “Updating” |
PrivateLinkServiceConnectionState_STATUS
An object that represents the approval state of the private link connection.
Used by: PrivateEndpointConnectionItem_STATUS.
| Property | Description | Type |
|---|---|---|
| actionsRequired | A message indicating if changes on the service provider require any updates on the consumer. | PrivateLinkServiceConnectionState_ActionsRequired_STATUS Optional |
| description | The reason for approval or rejection. | string Optional |
| status | Indicates whether the connection has been approved, rejected or removed by the key vault owner. | PrivateEndpointServiceConnectionStatus_STATUS Optional |
Sku_Family
Used by: Sku.
| Value | Description |
|---|---|
| “A” |
Sku_Family_STATUS
Used by: Sku_STATUS.
| Value | Description |
|---|---|
| “A” |
Sku_Name
Used by: Sku.
| Value | Description |
|---|---|
| “premium” | |
| “standard” |
Sku_Name_STATUS
Used by: Sku_STATUS.
| Value | Description |
|---|---|
| “premium” | |
| “standard” |
VirtualNetworkRule
A rule governing the accessibility of a vault from a specific virtual network.
Used by: NetworkRuleSet.
| Property | Description | Type |
|---|---|---|
| ignoreMissingVnetServiceEndpoint | Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured. | bool Optional |
| reference | Full resource id of a vnet subnet, such as ‘/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1’. | genruntime.ResourceReference Required |
VirtualNetworkRule_STATUS
A rule governing the accessibility of a vault from a specific virtual network.
Used by: NetworkRuleSet_STATUS.
| Property | Description | Type |
|---|---|---|
| id | Full resource id of a vnet subnet, such as ‘/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1’. | string Optional |
| ignoreMissingVnetServiceEndpoint | Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured. | bool Optional |
Permissions_Certificates
Used by: Permissions.
| Value | Description |
|---|---|
| “all” | |
| “backup” | |
| “create” | |
| “delete” | |
| “deleteissuers” | |
| “get” | |
| “getissuers” | |
| “import” | |
| “list” | |
| “listissuers” | |
| “managecontacts” | |
| “manageissuers” | |
| “purge” | |
| “recover” | |
| “restore” | |
| “setissuers” | |
| “update” |
Permissions_Certificates_STATUS
Used by: Permissions_STATUS.
| Value | Description |
|---|---|
| “all” | |
| “backup” | |
| “create” | |
| “delete” | |
| “deleteissuers” | |
| “get” | |
| “getissuers” | |
| “import” | |
| “list” | |
| “listissuers” | |
| “managecontacts” | |
| “manageissuers” | |
| “purge” | |
| “recover” | |
| “restore” | |
| “setissuers” | |
| “update” |
Permissions_Keys
Used by: Permissions.
| Value | Description |
|---|---|
| “all” | |
| “backup” | |
| “create” | |
| “decrypt” | |
| “delete” | |
| “encrypt” | |
| “get” | |
| “getrotationpolicy” | |
| “import” | |
| “list” | |
| “purge” | |
| “recover” | |
| “release” | |
| “restore” | |
| “rotate” | |
| “setrotationpolicy” | |
| “sign” | |
| “unwrapKey” | |
| “update” | |
| “verify” | |
| “wrapKey” |
Permissions_Keys_STATUS
Used by: Permissions_STATUS.
| Value | Description |
|---|---|
| “all” | |
| “backup” | |
| “create” | |
| “decrypt” | |
| “delete” | |
| “encrypt” | |
| “get” | |
| “getrotationpolicy” | |
| “import” | |
| “list” | |
| “purge” | |
| “recover” | |
| “release” | |
| “restore” | |
| “rotate” | |
| “setrotationpolicy” | |
| “sign” | |
| “unwrapKey” | |
| “update” | |
| “verify” | |
| “wrapKey” |
Permissions_Secrets
Used by: Permissions.
| Value | Description |
|---|---|
| “all” | |
| “backup” | |
| “delete” | |
| “get” | |
| “list” | |
| “purge” | |
| “recover” | |
| “restore” | |
| “set” |
Permissions_Secrets_STATUS
Used by: Permissions_STATUS.
| Value | Description |
|---|---|
| “all” | |
| “backup” | |
| “delete” | |
| “get” | |
| “list” | |
| “purge” | |
| “recover” | |
| “restore” | |
| “set” |
Permissions_Storage
Used by: Permissions.
| Value | Description |
|---|---|
| “all” | |
| “backup” | |
| “delete” | |
| “deletesas” | |
| “get” | |
| “getsas” | |
| “list” | |
| “listsas” | |
| “purge” | |
| “recover” | |
| “regeneratekey” | |
| “restore” | |
| “set” | |
| “setsas” | |
| “update” |
Permissions_Storage_STATUS
Used by: Permissions_STATUS.
| Value | Description |
|---|---|
| “all” | |
| “backup” | |
| “delete” | |
| “deletesas” | |
| “get” | |
| “getsas” | |
| “list” | |
| “listsas” | |
| “purge” | |
| “recover” | |
| “regeneratekey” | |
| “restore” | |
| “set” | |
| “setsas” | |
| “update” |
PrivateEndpointServiceConnectionStatus_STATUS
The private endpoint connection status.
Used by: PrivateLinkServiceConnectionState_STATUS.
| Value | Description |
|---|---|
| “Approved” | |
| “Disconnected” | |
| “Pending” | |
| “Rejected” |
PrivateLinkServiceConnectionState_ActionsRequired_STATUS
Used by: PrivateLinkServiceConnectionState_STATUS.
| Value | Description |
|---|---|
| “None” |