How to create an Azure key vault by using a Resource Manager template

Azure Key Vault is a cloud service that provides a secure store for secrets like keys, passwords, and certificates. This article describes the process for deploying an Azure Resource Manager template (ARM template) to create a key vault.

Important

Azure RBAC is the recommended authorization model for Azure Key Vault. For more information, see Azure RBAC for Key Vault. The legacy access policy model has known security vulnerabilities and should not be used for new deployments.

An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.

Prerequisites

To complete the steps in this article:

  • If you don't have an Azure subscription, create a free account before you start.

Create a Key Vault Resource Manager template

The following template shows a basic way to create a key vault. The vault name and SKU are parameters; the remaining values, such as the location, tenant ID, and security settings, are set in the template itself.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string",
      "metadata": {
        "description": "Specifies the name of the key vault."
      }
    },
    "skuName": {
      "type": "string",
      "defaultValue": "Standard",
      "allowedValues": [
        "Standard",
        "Premium"
      ],
      "metadata": {
        "description": "Specifies whether the key vault is a standard vault or a premium vault."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2023-07-01",
      "name": "[parameters('keyVaultName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": false,
        "tenantId": "[subscription().tenantId]",
        "enableRbacAuthorization": true,
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 90,
        "enablePurgeProtection": true,
        "sku": {
          "name": "[parameters('skuName')]",
          "family": "A"
        },
        "networkAcls": {
          "defaultAction": "Deny",
          "bypass": "AzureServices"
        }
      }
    }
  ]
}

For more about Key Vault template settings, see Key Vault ARM template reference.
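As an added example (not the article's or Microsoft's code), the following Python script checks a saved template before deployment for the hardening settings the template above sets, and reports any Key Vault resource that falls short. The WEAK_TEMPLATE dictionary is constructed for demonstration and is not from the article.

```python
import json

# Added example, not from the article: a pre-deployment check that every Key Vault
# resource in an ARM template carries the hardening settings the article's template
# sets (Azure RBAC, soft delete, purge protection, network default action Deny).

REQUIRED_TRUE = ("enableRbacAuthorization", "enableSoftDelete", "enablePurgeProtection")
# Integration flags the article's template sets to false; each one lets another
# Azure service read the vault, so report any that a template turns on.
INTEGRATION_FLAGS = ("enabledForDeployment", "enabledForDiskEncryption",
                     "enabledForTemplateDeployment")


def key_vault_findings(template: dict) -> list:
    """Return one finding string per weak setting on each Microsoft.KeyVault/vaults resource."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.KeyVault/vaults":
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})
        for key in REQUIRED_TRUE:
            if props.get(key) is not True:
                findings.append(f"{name}: {key} must be true")
        days = props.get("softDeleteRetentionInDays")
        if not isinstance(days, int) or not 7 <= days <= 90:
            findings.append(f"{name}: softDeleteRetentionInDays must be an integer from 7 to 90")
        if props.get("networkAcls", {}).get("defaultAction") != "Deny":
            findings.append(f"{name}: networkAcls.defaultAction must be Deny")
        for flag in INTEGRATION_FLAGS:
            if props.get(flag) is True:
                findings.append(f"{name}: {flag} is enabled; confirm it is required")
    return findings


def check_template_file(path: str) -> list:
    """Load a saved template such as key-vault-template.json and check it."""
    with open(path, encoding="utf-8") as fh:
        return key_vault_findings(json.load(fh))


# Constructed weak vault (not from the article): legacy access policies, no purge
# protection, and a network rule set that allows traffic by default.
WEAK_TEMPLATE = {"resources": [{
    "type": "Microsoft.KeyVault/vaults", "name": "weak-vault",
    "properties": {"enableRbacAuthorization": False, "enableSoftDelete": True,
                   "softDeleteRetentionInDays": 90, "enabledForDeployment": True,
                   "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"}},
}]}
```

Run it against the JSON file you intend to pass to New-AzResourceGroupDeployment or az deployment group create; an empty list means every vault in the template matches the settings shown above.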

Note

This template uses Azure RBAC for authorization, which is the recommended approach. To grant access to Key Vault data, assign Azure RBAC roles (such as Key Vault Secrets Officer or Key Vault Crypto Officer) to users, groups, or service principals. For more information, see Azure RBAC for Key Vault.

If you need to use legacy access policies instead, see Assign a Key Vault access policy. Note that the legacy access policy model has known security vulnerabilities and lacks support for Privileged Identity Management (PIM).

More Key Vault Resource Manager templates

There are other Resource Manager templates available for Key Vault objects:

Object type     Template
Secrets         (see the reference below)
Keys            N/A
Certificates    N/A

You can find more Key Vault templates here: Key Vault Resource Manager reference.

Deploy the templates

You can use the Azure portal to deploy the preceding templates by using the Build your own template in editor option as described here: Deploy resources from a custom template.

You can also save the preceding templates to files and deploy them with New-AzResourceGroupDeployment (Azure PowerShell) or az deployment group create (Azure CLI):

New-AzResourceGroupDeployment -ResourceGroupName ExampleGroup -TemplateFile key-vault-template.json
az deployment group create --resource-group ExampleGroup --template-file key-vault-template.json

Clean up resources

If you plan to continue with subsequent quickstarts and tutorials, you can leave these resources in place. When you don't need the resources any longer, delete the resource group. If you delete the group, the key vault and related resources are also deleted. To delete the resource group by using the Azure CLI or Azure PowerShell, complete these steps:

echo "Enter the Resource Group name:" &&
read resourceGroupName &&
az group delete --name $resourceGroupName &&
echo "Press [ENTER] to continue ..."
