# Microsoft Azure Key Vault
## Overview

The Microsoft Azure Key Vault connector facilitates secure management and retrieval of secrets, keys, and certificates within the Azure ecosystem. Microsoft Azure Key Vault is a cloud service for securely storing and accessing secrets, keys, and certificates. The Azure Key Vault Turbine connector enables Swimlane Turbine users to manage vaults, secrets, and access policies directly within their security workflows. By integrating with Azure Key Vault, users can automate checking vault name availability, managing vaults, and updating access policies, ensuring secure and efficient secret management in their security operations.

## Limitations

None to date.

## Supported versions

This connector supports the latest version of the Microsoft Azure Key Vault REST API.

## Additional Docs

- Microsoft Azure Key Vault authentication: https://learn.microsoft.com/en-us/rest/api/azure/?view=rest-keyvault-keyvault-2022-07-01#how-to-call-azure-rest-apis-with-curl
- Microsoft Azure Key Vault REST API docs: https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/check-name-availability
- Microsoft Azure Key Vault other informative docs: https://learn.microsoft.com/en-us/rest/api/authorization/?view=rest-keyvault-keyvault-2022-07-01

## Configuration

### Prerequisites

Before you can use the Microsoft Azure Key Vault connector for Turbine, ensure you have OAuth 2.0 client credentials authentication with the following parameters:

- **URL**: the endpoint URL for Azure Key Vault services
- **Client ID**: the application (client) ID registered in Azure AD
- **Client Secret**: the secret key generated for the registered application in Azure AD
- **Scope**: the scope of the access request, which determines the resources the access token should be valid for

### Authentication Methods

To use the Microsoft Azure Key Vault connector within Swimlane Turbine, you need OAuth 2.0 client credentials with these parameters:

- **URL**: endpoint for Microsoft Azure Key Vault API access
- **Client ID**: unique identifier for the application making the request
- **Client Secret**: a secret known only to the application and the authorization server
- **Scopes**: permissions the application needs to function correctly

## Capabilities

This connector provides the following capabilities:

- Check Vault Name Availability
- Delete Vault
- Get Deleted Vault
- Get Deleted Vaults List by Subscription ID
- Get Vaults List
- Get Vaults List by Subscription
- Purge Deleted Vault
- Update Access Policy
- Update Vault
- Vaults Create Or Update
- Vaults Get
- Vaults List By Resource Group

Microsoft Azure Key Vault's documentation for each action is linked below.

| Action | Description | Documentation |
| --- | --- | --- |
| Check Vault Name Availability | Checks that the vault name is valid and is not already in use. | https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/check-name-availability |
| Delete Vault | Deletes the specified Azure Key Vault. | https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/delete |
| Get Deleted Vault | Gets the deleted Azure Key Vault. | https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/get-deleted |
| Get Deleted Vaults List by Subscription ID | Gets information about the deleted vaults in a subscription. | https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/list-deleted |
| Get Vaults List | The List operation gets information about the vaults associated with the subscription. | https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/list |
| Get Vaults List by Subscription | The List operation gets information about the vaults associated with the subscription. | https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/list-by-subscription |
| Purge Deleted Vault | Permanently deletes the specified vault, i.e. purges the deleted Azure Key Vault. | https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/purge-deleted |
| Update Access Policy | Update access policies in a key vault in the specified subscription. | https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/update-access-policy |
| Update Vault | Update a key vault in the specified subscription. | https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/update |
| Vaults Create Or Update | Create or update a key vault in the specified subscription. | https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/create-or-update |
| Vaults Get | Gets the specified Azure Key Vault. | https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/get |
| Vaults List By Resource Group | The List operation gets information about the vaults associated with the subscription and within the specified resource group. | https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/list-by-resource-group |

## Configurations

### Microsoft Key Vault OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Tenant ID | The tenant ID | string | optional |
| Token URL | Must start with https://login.microsoftonline.com/, continue with the tenant ID, and end with /oauth2/v2.0/token | string | optional |
| Client ID | The client ID | string | required |
| Client Secret | The client secret | string | required |
| Scope | List of permission scopes for this action | array | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Check Vault Name Availability

Verifies the validity and availability of a vault name in Microsoft Azure Key Vault, requiring subscription ID, API version, and vault details.

**Endpoint URL:** `/subscriptions/{{subscriptionId}}/providers/Microsoft.KeyVault/checkNameAvailability`

**Method:** POST

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| api-version | string | required | Client API version |
| subscriptionId | string | required | Subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |
| name | string | required | The vault name |
| type | string | required | The type of resource, Microsoft.KeyVault/vaults |

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| nameAvailable | boolean | Name of the resource |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "x-hsci-cache-time": "2024-12-18T12:01:22.328Z",
      "content-encoding": "gzip",
      "expires": "Mon, 18 Dec 2024 12:08:57 GMT"
    },
    "reason": "OK",
    "json_body": {
      "nameAvailable": true
    }
  }
]
```

### Delete Vault

Removes a specified Azure Key Vault, requiring subscription ID, resource group name, vault name, and API version.

**Endpoint URL:** `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.KeyVault/vaults/{{vaultName}}`

**Method:** DELETE

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| api-version | string | required | Client API version |
| subscriptionId | string | required | Subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |
| resourceGroupName | string | required | The name of the resource group to which the server belongs |
| vaultName | string | required | The name of the vault to delete |

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "x-hsci-cache-time": "2024-12-18T12:01:22.328Z",
      "content-encoding": "gzip",
      "expires": "Mon, 18 Dec 2024 12:08:57 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Deleted Vault

Retrieves a deleted Microsoft Azure Key Vault using location, subscription ID, vault name, and API version.

**Endpoint URL:** `/subscriptions/{{subscriptionId}}/providers/Microsoft.KeyVault/locations/{{location}}/deletedVaults/{{vaultName}}`

**Method:** GET

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| api-version | string | required | Client API version |
| location | string | required | The location of the deleted vault |
| subscriptionId | string | required | Subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |
| vaultName | string | required | The name of the vault |

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| properties | object | Output field properties |
| vaultId | string | Unique identifier |
| location | string | Output field location |
| tags | object | Output field tags |
| deletionDate | string | Date value |
| scheduledPurgeDate | string | Date value |
| purgeProtectionEnabled | boolean | Output field purgeProtectionEnabled |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "x-hsci-cache-time": "2024-12-18T12:01:22.328Z",
      "content-encoding": "gzip",
      "expires": "Mon, 18 Dec 2024 12:08:57 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.KeyVault...",
      "name": "sample-vault",
      "type": "Microsoft.KeyVault/deletedVaults",
      "properties": {}
    }
  }
]
```
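The configuration above gives the shape of the token URL and the inputs of the Check Vault Name Availability action but not how the two calls fit together. The following is an added example, not Swimlane's connector code: it builds the OAuth 2.0 client credentials token request, refuses a token URL that is not on Microsoft's login host (the client secret is posted there, so a wrong host leaks it), and prepares the checkNameAvailability request with a local naming pre-check. The ARM host, the `.default` scope, the `2022-07-01` api-version and the vault naming rule in `vault_name_looks_valid` are assumptions from Azure's public documentation, not values from this page.

```python
"""Added example; not Swimlane's connector code.

Assumptions, not taken from the page: ARM_HOST and ARM_SCOPE are the standard
Azure Resource Manager values; API_VERSION is the version in the page's links;
the vault naming rule (3-24 characters, letters/digits/hyphens, starts with a
letter, no consecutive or trailing hyphens) is Azure's published rule.
"""
import json
import re
import urllib.parse
import urllib.request

LOGIN_BASE = "https://login.microsoftonline.com/"
ARM_HOST = "https://management.azure.com"            # assumed target host (connector URL setting)
ARM_SCOPE = "https://management.azure.com/.default"  # assumed value for the Scope setting
API_VERSION = "2022-07-01"                           # assumed api-version

VAULT_NAME_RE = re.compile(r"^[A-Za-z](?:-?[A-Za-z0-9])+$")


def token_url(tenant_id: str) -> str:
    """Token URL in the shape the Token URL setting requires:
    https://login.microsoftonline.com/<tenant ID>/oauth2/v2.0/token."""
    if not tenant_id or "/" in tenant_id or "?" in tenant_id:
        raise ValueError("tenant_id must be a single path segment")
    return f"{LOGIN_BASE}{tenant_id}/oauth2/v2.0/token"


def validate_token_url(url: str) -> bool:
    """True only for an https URL on Microsoft's login host with the expected
    path; anything else would receive the client secret."""
    p = urllib.parse.urlsplit(url)
    return (p.scheme == "https"
            and p.netloc == "login.microsoftonline.com"
            and p.path.count("/") == 4
            and p.path.endswith("/oauth2/v2.0/token"))


def token_request_body(client_id: str, client_secret: str, scopes) -> bytes:
    """Form-encoded body of the client credentials grant; scopes are space-separated."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),
    }).encode()


def vault_name_looks_valid(name: str) -> bool:
    """Local pre-check so obviously invalid names never reach the API (assumed rule)."""
    return 3 <= len(name) <= 24 and VAULT_NAME_RE.fullmatch(name) is not None


def check_name_availability_request(subscription_id: str, vault_name: str):
    """URL and JSON body for POST .../Microsoft.KeyVault/checkNameAvailability."""
    if not vault_name_looks_valid(vault_name):
        raise ValueError(f"vault name {vault_name!r} violates the naming rule")
    path = f"/subscriptions/{subscription_id}/providers/Microsoft.KeyVault/checkNameAvailability"
    query = urllib.parse.urlencode({"api-version": API_VERSION})
    body = {"name": vault_name, "type": "Microsoft.KeyVault/vaults"}
    return f"{ARM_HOST}{path}?{query}", body


def fetch_token(tenant_id: str, client_id: str, client_secret: str, scopes=(ARM_SCOPE,)) -> str:
    """Live call: needs network access and a real app registration."""
    url = token_url(tenant_id)
    if not validate_token_url(url):
        raise ValueError("refusing to post credentials to a non-Microsoft token URL")
    req = urllib.request.Request(url, data=token_request_body(client_id, client_secret, scopes),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"},
                                 method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def check_name(token: str, subscription_id: str, vault_name: str) -> dict:
    """Live call: returns the parsed body, e.g. {"nameAvailable": true}."""
    url, body = check_name_availability_request(subscription_id, vault_name)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Only `fetch_token` and `check_name` touch the network; everything else can be exercised offline, which is also where a workflow should validate the Token URL setting before the first run.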
### Get Deleted Vaults List by Subscription ID

Retrieves a list of deleted vaults within a specified Azure subscription, requiring the subscription ID and API version.

**Endpoint URL:** `/subscriptions/{{subscriptionId}}/providers/Microsoft.KeyVault/deletedVaults`

**Method:** GET

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| api-version | string | required | Client API version |
| subscriptionId | string | required | Subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| value | array | Value for the parameter |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| properties | object | Output field properties |
| vaultId | string | Unique identifier |
| location | string | Output field location |
| tags | object | Output field tags |
| deletionDate | string | Date value |
| scheduledPurgeDate | string | Date value |
| purgeProtectionEnabled | boolean | Output field purgeProtectionEnabled |
| nextLink | string | Output field nextLink |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "x-hsci-cache-time": "2024-12-18T12:01:22.328Z",
      "content-encoding": "gzip",
      "expires": "Mon, 18 Dec 2024 12:08:57 GMT"
    },
    "reason": "OK",
    "json_body": {
      "value": [],
      "nextLink": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/..."
    }
  }
]
```

### Get Vaults List

Retrieves a list of vaults associated with the Azure subscription, allowing filtering and API version specification.

**Endpoint URL:** `/subscriptions/{{subscriptionId}}/resources`

**Method:** GET

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| $filter | string | required | The filter to apply on the operation |
| api-version | string | required | Azure Resource Manager API version |
| $top | number | optional | Maximum number of results to return |
| subscriptionId | string | required | Subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| value | array | Value for the parameter |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| location | string | Output field location |
| tags | object | Output field tags |
| nextLink | string | Output field nextLink |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "x-hsci-cache-time": "2024-12-18T12:01:22.328Z",
      "content-encoding": "gzip",
      "expires": "Mon, 18 Dec 2024 12:08:57 GMT"
    },
    "reason": "OK",
    "json_body": {
      "value": [],
      "nextLink": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/..."
    }
  }
]
```

### Get Vaults List by Subscription

Retrieves information about all Azure Key Vault vaults within a specified subscription, requiring the subscription ID and API version.

**Endpoint URL:** `/subscriptions/{{subscriptionId}}/providers/Microsoft.KeyVault/vaults`

**Method:** GET

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| api-version | string | required | Client API version |
| $top | number | optional | Maximum number of results to return |
| subscriptionId | string | required | Subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| value | array | Value for the parameter |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| location | string | Output field location |
| tags | object | Output field tags |
| systemData | object | Response data |
| createdBy | string | Output field createdBy |
| createdByType | string | Type of the resource |
| createdAt | string | Output field createdAt |
| lastModifiedBy | string | Output field lastModifiedBy |
| lastModifiedByType | string | Type of the resource |
| lastModifiedAt | string | Output field lastModifiedAt |
| properties | object | Output field properties |
| sku | object | Output field sku |
| family | string | Output field family |
| name | string | Name of the resource |
| tenantId | string | Unique identifier |
| accessPolicies | array | Output field accessPolicies |
| tenantId | string | Unique identifier |
| objectId | string | Unique identifier |
| permissions | object | Output field permissions |
| keys | array | Output field keys |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "x-hsci-cache-time": "2024-12-18T12:01:22.328Z",
      "content-encoding": "gzip",
      "expires": "Mon, 18 Dec 2024 12:08:57 GMT"
    },
    "reason": "OK",
    "json_body": {
      "value": [],
      "nextLink": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/..."
    }
  }
]
```

### Purge Deleted Vault

Permanently removes a specified Azure Key Vault from the deleted vaults, requiring location, subscription ID, vault name, and API version.

**Endpoint URL:** `/subscriptions/{{subscriptionId}}/providers/Microsoft.KeyVault/locations/{{location}}/deletedVaults/{{vaultName}}/purge`

**Method:** POST

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| api-version | string | required | Client API version |
| location | string | required | The location of the deleted vault |
| subscriptionId | string | required | Subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |
| vaultName | string | required | The name of the vault |

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "x-hsci-cache-time": "2024-12-18T12:01:22.328Z",
      "content-encoding": "gzip",
      "expires": "Mon, 18 Dec 2024 12:08:57 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Update Access Policy

Updates the access policies of a specified Azure Key Vault, requiring operation kind, resource group, subscription ID, vault name, API version, and policy properties.
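The three list actions above (Get Deleted Vaults List by Subscription ID, Get Vaults List, Get Vaults List by Subscription) all return a `value` array plus a `nextLink`, and a workflow that reads only the first page silently misses vaults. The following is an added example, not the connector's code, showing a page walk that follows `nextLink` with three guards: it refuses a link that leaves the ARM host (every page is fetched with the same bearer token), detects a looping link, and caps the page count. The ARM host, api-version and the `$filter` text for the `/resources` listing are assumptions from Azure's documentation; the pages in `CONSTRUCTED_PAGES` are made up so the walk runs offline.

```python
"""Added example; not the connector's code.

Assumptions, not from the page: ARM_HOST and API_VERSION are the standard ARM
values; the $filter expression is the one Azure's Vaults - List reference shows;
CONSTRUCTED_PAGES and the '&page=2' continuation are constructed for this run.
"""
from typing import Callable, Dict, List, Optional
from urllib.parse import urlencode

ARM_HOST = "https://management.azure.com"  # assumed
API_VERSION = "2022-07-01"                 # assumed

Page = Dict[str, object]


def vaults_by_subscription_url(subscription_id: str, top: Optional[int] = None) -> str:
    """First page of GET /subscriptions/{id}/providers/Microsoft.KeyVault/vaults."""
    params = {"api-version": API_VERSION}
    if top is not None:
        params["$top"] = str(top)
    return (f"{ARM_HOST}/subscriptions/{subscription_id}/providers/Microsoft.KeyVault/vaults"
            f"?{urlencode(params, safe='$')}")


def vaults_via_resources_url(subscription_id: str, top: Optional[int] = None) -> str:
    """First page of GET /subscriptions/{id}/resources, filtered to key vaults
    (assumed filter text, since the page only says the filter is required)."""
    params = {"$filter": "resourceType eq 'Microsoft.KeyVault/vaults'", "api-version": API_VERSION}
    if top is not None:
        params["$top"] = str(top)
    return f"{ARM_HOST}/subscriptions/{subscription_id}/resources?{urlencode(params, safe='$')}"


def list_all(first_url: str, fetch: Callable[[str], Page], max_pages: int = 100) -> List[dict]:
    """Collect every 'value' item across pages by following 'nextLink'."""
    items: List[dict] = []
    seen = set()
    url: Optional[str] = first_url
    while url:
        if not url.startswith(ARM_HOST + "/"):
            raise RuntimeError(f"refusing to follow nextLink off the ARM host: {url}")
        if url in seen:
            raise RuntimeError(f"nextLink loop detected at {url}")
        if len(seen) >= max_pages:
            raise RuntimeError(f"more than {max_pages} pages; aborting")
        seen.add(url)
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("nextLink")
    return items


# --- constructed data for an offline run ------------------------------------
SUB = "00000000-0000-0000-0000-000000000000"  # constructed subscription ID


def _vault(name: str) -> dict:
    return {"id": f"/subscriptions/{SUB}/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/{name}",
            "name": name, "type": "Microsoft.KeyVault/vaults", "location": "westus"}


PAGE_1 = vaults_by_subscription_url(SUB, top=2)
PAGE_2 = PAGE_1 + "&page=2"  # constructed continuation link, not a real ARM token
CONSTRUCTED_PAGES: Dict[str, Page] = {
    PAGE_1: {"value": [_vault("kv-a"), _vault("kv-b")], "nextLink": PAGE_2},
    PAGE_2: {"value": [_vault("kv-c")]},
}


def constructed_fetch(url: str) -> Page:
    """Stand-in for the authenticated GET the connector performs."""
    return CONSTRUCTED_PAGES[url]


def vault_names(subscription_id: str = SUB, fetch: Callable[[str], Page] = constructed_fetch) -> List[str]:
    """Names of every vault in the subscription, across all pages."""
    return [v["name"] for v in list_all(vaults_by_subscription_url(subscription_id, top=2), fetch)]


if __name__ == "__main__":
    print(vault_names())  # ['kv-a', 'kv-b', 'kv-c']
```

In a real workflow `fetch` is the connector's authenticated GET; the `$top` value only sizes each page, so the walk is what produces the complete inventory.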
**Endpoint URL:** `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.KeyVault/vaults/{{vaultName}}/accessPolicies/{{operationKind}}`

**Method:** PUT

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| api-version | string | required | Client API version |
| subscriptionId | string | required | Subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |
| resourceGroupName | string | required | The name of the resource group to which the vault belongs |
| vaultName | string | required | Name of the vault |
| operationKind | string | required | Name of the operation |
| properties | object | required | Properties of the access policy |
| accessPolicies | array | optional | Access policies |
| tenantId | string | optional | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault |
| objectId | string | optional | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. |
| permissions | object | optional | Permissions to certificates |
| keys | array | optional | Keys |
| secrets | array | optional | Secrets |
| certificates | array | optional | Certificates |

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| type | string | Type of the resource |
| properties | object | Output field properties |
| accessPolicies | array | Output field accessPolicies |
| tenantId | string | Unique identifier |
| objectId | string | Unique identifier |
| permissions | object | Output field permissions |
| keys | array | Output field keys |
| secrets | array | Output field secrets |
| certificates | array | Output field certificates |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "x-hsci-cache-time": "2024-12-18T12:01:22.328Z",
      "content-encoding": "gzip",
      "expires": "Mon, 18 Dec 2024 12:08:57 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/...",
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "properties": {}
    }
  }
]
```

### Update Vault

Updates a specified Microsoft Azure Key Vault's properties within the given subscription, resource group, and vault name. Requires subscriptionId, resourceGroupName, vaultName, and api-version.

**Endpoint URL:** `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.KeyVault/vaults/{{vaultName}}`

**Method:** PATCH

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| api-version | string | required | Client API version |
| subscriptionId | string | required | Subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |
| resourceGroupName | string | required | The name of the resource group to which the server belongs |
| vaultName | string | required | Name of the vault |
| properties | object | optional | Properties of the vault |
| tenantId | string | optional | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault |
| sku | object | optional | SKU details |
| family | string | optional | SKU family name |
| name | string | optional | SKU name to specify whether the key vault is a standard vault or a premium vault |
| accessPolicies | array | optional | Parameter for Update Vault |
| tenantId | string | optional | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault |
| objectId | string | optional | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. |
| permissions | object | optional | Permissions the identity has for keys, secrets and certificates |
| keys | array | optional | Permissions to keys |
| secrets | array | optional | Permissions to secrets |
| certificates | array | optional | Permissions to certificates |
| enabledForDeployment | boolean | optional | Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault |
| enabledForDiskEncryption | boolean | optional | Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys |
| enabledForTemplateDeployment | boolean | optional | Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault |
| publicNetworkAccess | string | optional | Property to specify whether the vault will accept traffic from the public internet. If set to 'disabled', all traffic except private endpoint traffic and traffic that originates from trusted services will be blocked. This overrides the set firewall rules, meaning that even if firewall rules are present they will not be honored. |
| tags | object | optional | The tags that will be assigned to the key vault |

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| location | string | Output field location |
| tags | object | Output field tags |
| systemData | object | Response data |
| createdBy | string | Output field createdBy |
| createdByType | string | Type of the resource |
| createdAt | string | Output field createdAt |
| lastModifiedBy | string | Output field lastModifiedBy |
| lastModifiedByType | string | Type of the resource |
| lastModifiedAt | string | Output field lastModifiedAt |
| properties | object | Output field properties |
| sku | object | Output field sku |
| family | string | Output field family |
| name | string | Name of the resource |
| tenantId | string | Unique identifier |
| networkAcls | object | Output field networkAcls |
| bypass | string | Output field bypass |
| defaultAction | string | Output field defaultAction |
| ipRules | array | Output field ipRules |
| value | string | Value for the parameter |
| virtualNetworkRules | array | Output field virtualNetworkRules |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "x-hsci-cache-time": "2024-12-18T12:01:22.328Z",
      "content-encoding": "gzip",
      "expires": "Mon, 18 Dec 2024 12:08:57 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-resour...",
      "name": "sample-vault",
      "type": "Microsoft.KeyVault/vaults",
      "location": "westus",
      "tags": {},
      "systemData": {},
      "properties": {}
    }
  }
]
```

### Vaults Create Or Update

Creates or updates a Microsoft Azure Key Vault within a specified subscription, requiring details such as location and properties.

**Endpoint URL:** `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.KeyVault/vaults/{{vaultName}}`

**Method:** PUT

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| api-version | string | required | Client API version |
| subscriptionId | string | required | Subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |
| resourceGroupName | string | required | The name of the resource group to which the server belongs |
| vaultName | string | required | Name of the vault |
| location | string | required | The supported Azure location where the key vault should be created |
| tags | object | optional | The tags that will be assigned to the key vault |
| properties | object | required | Properties of the vault |
| tenantId | string | optional | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault |
| sku | object | optional | SKU details |
| family | string | optional | SKU family name |
| name | string | optional | SKU name to specify whether the key vault is a standard vault or a premium vault |
| accessPolicies | array | optional | Parameter for Vaults Create Or Update |
| tenantId | string | optional | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault |
| objectId | string | optional | Object ID |
| permissions | object | optional | Permissions |
| keys | array | optional | Permissions to keys |
| secrets | array | optional | Permissions to secrets |
| certificates | array | optional | Permissions to certificates |
| enabledForDeployment | boolean | optional | Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault |
| enabledForDiskEncryption | boolean | optional | Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys |
| enabledForTemplateDeployment | boolean | optional | Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault |
| publicNetworkAccess | string | optional | Property to specify whether the vault will accept traffic from the public internet. If set to 'disabled', all traffic except private endpoint traffic and traffic that originates from trusted services will be blocked. |

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| location | string | Output field location |
| tags | object | Output field tags |
| systemData | object | Response data |
| createdBy | string | Output field createdBy |
| createdByType | string | Type of the resource |
| createdAt | string | Output field createdAt |
| lastModifiedBy | string | Output field lastModifiedBy |
| lastModifiedByType | string | Type of the resource |
| lastModifiedAt | string | Output field lastModifiedAt |
| properties | object | Output field properties |
| sku | object | Output field sku |
| family | string | Output field family |
| name | string | Name of the resource |
| tenantId | string | Unique identifier |
| networkAcls | object | Output field networkAcls |
| bypass | string | Output field bypass |
| defaultAction | string | Output field defaultAction |
| ipRules | array | Output field ipRules |
| value | string | Value for the parameter |
| virtualNetworkRules | array | Output field virtualNetworkRules |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "x-hsci-cache-time": "2024-12-18T12:01:22.328Z",
      "content-encoding": "gzip",
      "expires": "Mon, 18 Dec 2024 12:08:57 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-resour...",
      "name": "sample-vault",
      "type": "Microsoft.KeyVault/vaults",
      "location": "westus",
      "tags": {},
      "systemData": {},
      "properties": {}
    }
  }
]
```

### Vaults Get

Retrieves the specified Azure Key Vault using subscription ID, resource group name, and vault name. An api-version parameter is required.

**Endpoint URL:** `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.KeyVault/vaults/{{vaultName}}`

**Method:** GET

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| api-version | string | required | Client API version |
| subscriptionId | string | required | Subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |
| resourceGroupName | string | required | The name of the resource group to which the vault belongs |
| vaultName | string | required | The name of the vault |

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| location | string | Output field location |
| tags | object | Output field tags |
| systemData | object | Response data |
| createdBy | string | Output field createdBy |
| createdByType | string | Type of the resource |
| createdAt | string | Output field createdAt |
| lastModifiedBy | string | Output field lastModifiedBy |
| lastModifiedByType | string | Type of the resource |
| lastModifiedAt | string | Output field lastModifiedAt |
| properties | object | Output field properties |
| sku | object | Output field sku |
| family | string | Output field family |
| name | string | Name of the resource |
| tenantId | string | Unique identifier |
| accessPolicies | array | Output field accessPolicies |
| tenantId | string | Unique identifier |
| objectId | string | Unique identifier |
| permissions | object | Output field permissions |
| keys | array | Output field keys |
| secrets | array | Output field secrets |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "x-hsci-cache-time": "2024-12-18T12:01:22.328Z",
      "content-encoding": "gzip",
      "expires": "Mon, 18 Dec 2024 12:08:57 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-resour...",
      "name": "sample-vault",
      "type": "Microsoft.KeyVault/vaults",
      "location": "westus",
      "tags": {},
      "systemData": {},
      "properties": {}
    }
  }
]
```

### Vaults List By Resource Group

Retrieves information about Azure Key Vault vaults within a specified resource group and subscription.

**Endpoint URL:** `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.KeyVault/vaults`

**Method:** GET

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| api-version | string | required | The name of the resource group to which the vault belongs |
| $top | number | optional | Maximum number of results to return |
| subscriptionId | string | required | Subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |
| resourceGroupName | string | required | The name of the resource group to which the vault belongs |

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| value | array | Value for the parameter |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| location | string | Output field location |
| tags | object | Output field tags |
| systemData | object | Response data |
| createdBy | string | Output field createdBy |
| createdByType | string | Type of the resource |
| createdAt | string | Output field createdAt |
| lastModifiedBy | string | Output field lastModifiedBy |
| lastModifiedByType | string | Type of the resource |
| lastModifiedAt | string | Output field lastModifiedAt |
| properties | object | Output field properties |
| sku | object | Output field sku |
| family | string | Output field family |
| name | string | Name of the resource |
| tenantId | string | Unique identifier |
| accessPolicies | array | Output field accessPolicies |
| tenantId | string | Unique identifier |
| objectId | string | Unique identifier |
| permissions | object | Output field permissions |
| keys | array | Output field keys |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "x-hsci-cache-time": "2024-12-18T12:01:22.328Z",
      "content-encoding": "gzip",
      "expires": "Mon, 18 Dec 2024 12:08:57 GMT"
    },
    "reason": "OK",
    "json_body": {
      "value": [],
      "nextLink": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/..."
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Type | The media type of the resource | text/html; charset=utf-8 |
| Expires | The date/time after which the response is considered stale | Mon, 18 Dec 2024 12:08:57 GMT |
| X-Hsci-Cache-Time | HTTP response header X-Hsci-Cache-Time | 2024-12-18T12:01:22.328Z |
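The Update Access Policy, Update Vault and Vaults Create Or Update tables above state two constraints worth enforcing before a workflow sends the request: `objectId` must be unique within `accessPolicies`, and `publicNetworkAccess` set to `Disabled` overrides any firewall rules, so `ipRules` or `virtualNetworkRules` supplied alongside it are silently ignored. The following is an added example, not the connector's code, that lints a request body against those constraints and flags broad grants and public exposure for review. The `operationKind` values `add`/`replace`/`remove` and the `defaultAction` values `Allow`/`Deny` are Azure's documented values, assumed here rather than taken from this page; the sample bodies are constructed.

```python
"""Added example; not the connector's code.

Assumptions, not from the page: operationKind takes add / replace / remove and
networkAcls.defaultAction takes Allow / Deny (Azure's documented values; an
absent defaultAction is treated as Allow). The bodies at the bottom are constructed.
"""
from typing import Dict, List

OPERATION_KINDS = {"add", "replace", "remove"}
PERMISSION_CATEGORIES = {"keys", "secrets", "certificates"}  # the three the page lists
BROAD_GRANTS = {"all", "purge"}  # grants that deserve a reviewer's eye


def lint_access_policies(policies: List[dict]) -> List[str]:
    """Findings for the accessPolicies array shared by all three actions."""
    findings: List[str] = []
    seen_object_ids: Dict[str, int] = {}
    for i, policy in enumerate(policies):
        for field in ("tenantId", "objectId", "permissions"):
            if field not in policy:
                findings.append(f"accessPolicies[{i}]: missing {field}")
        oid = policy.get("objectId")
        if oid in seen_object_ids:
            findings.append(f"accessPolicies[{i}]: duplicate objectId {oid} "
                            f"(first at index {seen_object_ids[oid]})")
        elif oid is not None:
            seen_object_ids[oid] = i
        perms = policy.get("permissions") or {}
        for category, values in perms.items():
            if category not in PERMISSION_CATEGORIES:
                findings.append(f"accessPolicies[{i}]: unexpected permissions category {category!r}")
                continue
            broad = BROAD_GRANTS.intersection(str(v).lower() for v in values)
            if broad:
                findings.append(f"accessPolicies[{i}]: {category} grants {sorted(broad)} "
                                f"to {oid}; confirm this is intended")
    return findings


def lint_access_policy_update(operation_kind: str, body: dict) -> List[str]:
    """Checks for PUT .../accessPolicies/{operationKind}."""
    findings: List[str] = []
    if operation_kind not in OPERATION_KINDS:
        findings.append(f"operationKind {operation_kind!r} is not one of {sorted(OPERATION_KINDS)}")
    policies = body.get("properties", {}).get("accessPolicies")
    if not isinstance(policies, list) or not policies:
        findings.append("properties.accessPolicies must be a non-empty list")
        return findings
    return findings + lint_access_policies(policies)


def lint_vault_properties(properties: dict) -> List[str]:
    """Checks for the properties object of Update Vault / Vaults Create Or Update."""
    findings: List[str] = []
    pna = str(properties.get("publicNetworkAccess", "Enabled")).lower()
    acls = properties.get("networkAcls") or {}
    has_rules = bool(acls.get("ipRules") or acls.get("virtualNetworkRules"))
    if pna == "disabled" and has_rules:
        findings.append("publicNetworkAccess is Disabled, so the ipRules/virtualNetworkRules "
                        "in networkAcls will not be honored")
    if pna != "disabled" and str(acls.get("defaultAction", "Allow")).lower() == "allow":
        findings.append("vault accepts public traffic and networkAcls.defaultAction is Allow: "
                        "reachable from any network")
    for flag in ("enabledForDeployment", "enabledForDiskEncryption", "enabledForTemplateDeployment"):
        if properties.get(flag) is True:
            findings.append(f"{flag} is true: the corresponding Azure service may read from this vault")
    if "accessPolicies" in properties:
        findings += lint_access_policies(properties["accessPolicies"])
    return findings


# --- constructed sample bodies ----------------------------------------------
TENANT = "00000000-0000-0000-0000-000000000000"  # constructed
OID = "11111111-1111-1111-1111-111111111111"     # constructed

CONSTRUCTED_POLICY_BODY = {"properties": {"accessPolicies": [
    {"tenantId": TENANT, "objectId": OID, "permissions": {"secrets": ["get", "list"]}},
    {"tenantId": TENANT, "objectId": OID, "permissions": {"keys": ["all"]}},  # duplicate objectId
]}}

CONSTRUCTED_VAULT_PROPERTIES = {
    "tenantId": TENANT,
    "sku": {"family": "A", "name": "standard"},
    "publicNetworkAccess": "Disabled",
    "networkAcls": {"defaultAction": "Deny", "ipRules": [{"value": "203.0.113.0/24"}]},
    "enabledForTemplateDeployment": True,
}

if __name__ == "__main__":
    for line in lint_access_policy_update("add", CONSTRUCTED_POLICY_BODY) + \
            lint_vault_properties(CONSTRUCTED_VAULT_PROPERTIES):
        print(line)
```

Run the linter in the workflow step that assembles the body; a non-empty findings list is a reason to halt for review rather than to call the endpoint, since a duplicate objectId is rejected by the service but an ignored firewall rule is not.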