Vaults - Update Access Policy

Dienst:: Key Vault

API-Version:: 2024-11-01

Aktualisieren Sie Zugriffsrichtlinien in einem Schlüsseltresor im angegebenen Abonnement.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/accessPolicies/{operationKind}?api-version=2024-11-01

URI-Parameter

Name	In	Erforderlich	Typ	Beschreibung
operationKind	path	True	AccessPolicyUpdateKind	Name des Vorgangs.
resourceGroupName	path	True	string	Der Name der Ressourcengruppe, zu der der Tresor gehört.
subscriptionId	path	True	string	Abonnementanmeldeinformationen, die das Microsoft Azure-Abonnement eindeutig identifizieren. Die Abonnement-ID ist Teil des URI für jeden Dienstaufruf.
vaultName	path	True	string pattern: ^[a-zA-Z0-9-]{3,24}$	Name des Tresors
api-version	query	True	string	Client-API-Version.

Anforderungstext

Name	Erforderlich	Typ	Beschreibung
properties	True	VaultAccessPolicyProperties	Eigenschaften der Zugriffsrichtlinie

Antworten

Name	Typ	Beschreibung
200 OK	VaultAccessPolicyParameters	Die aktualisierten Zugriffsrichtlinien
201 Created	VaultAccessPolicyParameters	Die aktualisierten Zugriffsrichtlinien
Other Status Codes	CloudError	Fehlerantwort, die beschreibt, warum der Vorgang fehlgeschlagen ist.

Beispiele

Add an access policy, or update an access policy with new permissions

Beispielanforderung

PUT https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/add?api-version=2024-11-01

{
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt"
          ],
          "secrets": [
            "get"
          ],
          "certificates": [
            "get"
          ]
        }
      }
    ]
  }
}


import com.azure.resourcemanager.keyvault.fluent.models.VaultAccessPolicyParametersInner;
import com.azure.resourcemanager.keyvault.models.AccessPolicyEntry;
import com.azure.resourcemanager.keyvault.models.AccessPolicyUpdateKind;
import com.azure.resourcemanager.keyvault.models.CertificatePermissions;
import com.azure.resourcemanager.keyvault.models.KeyPermissions;
import com.azure.resourcemanager.keyvault.models.Permissions;
import com.azure.resourcemanager.keyvault.models.SecretPermissions;
import com.azure.resourcemanager.keyvault.models.VaultAccessPolicyProperties;
import java.util.Arrays;
import java.util.UUID;

/**
 * Samples for Vaults UpdateAccessPolicy.
 */
public final class Main {
    /*
     * x-ms-original-file:
     * specification/keyvault/resource-manager/Microsoft.KeyVault/stable/2024-11-01/examples/updateAccessPoliciesAdd.
     * json
     */
    /**
     * Sample code: Add an access policy, or update an access policy with new permissions.
     * 
     * @param azure The entry point for accessing resource management APIs in Azure.
     */
    public static void addAnAccessPolicyOrUpdateAnAccessPolicyWithNewPermissions(
        com.azure.resourcemanager.AzureResourceManager azure) {
        azure.vaults().manager().serviceClient().getVaults().updateAccessPolicyWithResponse("sample-group",
            "sample-vault", AccessPolicyUpdateKind.ADD,
            new VaultAccessPolicyParametersInner()
                .withProperties(new VaultAccessPolicyProperties().withAccessPolicies(Arrays.asList(
                    new AccessPolicyEntry().withTenantId(UUID.fromString("00000000-0000-0000-0000-000000000000"))
                        .withObjectId("00000000-0000-0000-0000-000000000000")
                        .withPermissions(new Permissions().withKeys(Arrays.asList(KeyPermissions.ENCRYPT))
                            .withSecrets(Arrays.asList(SecretPermissions.GET))
                            .withCertificates(Arrays.asList(CertificatePermissions.GET)))))),
            com.azure.core.util.Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

from azure.identity import DefaultAzureCredential

from azure.mgmt.keyvault import KeyVaultManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-keyvault
# USAGE
    python update_access_policies_add.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = KeyVaultManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="00000000-0000-0000-0000-000000000000",
    )

    response = client.vaults.update_access_policy(
        resource_group_name="sample-group",
        vault_name="sample-vault",
        operation_kind="add",
        parameters={
            "properties": {
                "accessPolicies": [
                    {
                        "objectId": "00000000-0000-0000-0000-000000000000",
                        "permissions": {"certificates": ["get"], "keys": ["encrypt"], "secrets": ["get"]},
                        "tenantId": "00000000-0000-0000-0000-000000000000",
                    }
                ]
            }
        },
    )
    print(response)


# x-ms-original-file: specification/keyvault/resource-manager/Microsoft.KeyVault/stable/2024-11-01/examples/updateAccessPoliciesAdd.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armkeyvault_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/ee1eec42dcc710ff88db2d1bf574b2f9afe3d654/specification/keyvault/resource-manager/Microsoft.KeyVault/stable/2024-11-01/examples/updateAccessPoliciesAdd.json
func ExampleVaultsClient_UpdateAccessPolicy() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armkeyvault.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewVaultsClient().UpdateAccessPolicy(ctx, "sample-group", "sample-vault", armkeyvault.AccessPolicyUpdateKindAdd, armkeyvault.VaultAccessPolicyParameters{
		Properties: &armkeyvault.VaultAccessPolicyProperties{
			AccessPolicies: []*armkeyvault.AccessPolicyEntry{
				{
					ObjectID: to.Ptr("00000000-0000-0000-0000-000000000000"),
					Permissions: &armkeyvault.Permissions{
						Certificates: []*armkeyvault.CertificatePermissions{
							to.Ptr(armkeyvault.CertificatePermissionsGet)},
						Keys: []*armkeyvault.KeyPermissions{
							to.Ptr(armkeyvault.KeyPermissionsEncrypt)},
						Secrets: []*armkeyvault.SecretPermissions{
							to.Ptr(armkeyvault.SecretPermissionsGet)},
					},
					TenantID: to.Ptr("00000000-0000-0000-0000-000000000000"),
				}},
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.VaultAccessPolicyParameters = armkeyvault.VaultAccessPolicyParameters{
	// 	Type: to.Ptr("Microsoft.KeyVault/vaults/accessPolicies"),
	// 	ID: to.Ptr("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/"),
	// 	Properties: &armkeyvault.VaultAccessPolicyProperties{
	// 		AccessPolicies: []*armkeyvault.AccessPolicyEntry{
	// 			{
	// 				ObjectID: to.Ptr("00000000-0000-0000-0000-000000000000"),
	// 				Permissions: &armkeyvault.Permissions{
	// 					Certificates: []*armkeyvault.CertificatePermissions{
	// 						to.Ptr(armkeyvault.CertificatePermissionsGet)},
	// 						Keys: []*armkeyvault.KeyPermissions{
	// 							to.Ptr(armkeyvault.KeyPermissionsEncrypt)},
	// 							Secrets: []*armkeyvault.SecretPermissions{
	// 								to.Ptr(armkeyvault.SecretPermissionsGet)},
	// 							},
	// 							TenantID: to.Ptr("00000000-0000-0000-0000-000000000000"),
	// 					}},
	// 				},
	// 			}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { KeyVaultManagementClient } = require("@azure/arm-keyvault");
const { DefaultAzureCredential } = require("@azure/identity");
require("dotenv/config");

/**
 * This sample demonstrates how to Update access policies in a key vault in the specified subscription.
 *
 * @summary Update access policies in a key vault in the specified subscription.
 * x-ms-original-file: specification/keyvault/resource-manager/Microsoft.KeyVault/stable/2024-11-01/examples/updateAccessPoliciesAdd.json
 */
async function addAnAccessPolicyOrUpdateAnAccessPolicyWithNewPermissions() {
  const subscriptionId =
    process.env["KEYVAULT_SUBSCRIPTION_ID"] || "00000000-0000-0000-0000-000000000000";
  const resourceGroupName = process.env["KEYVAULT_RESOURCE_GROUP"] || "sample-group";
  const vaultName = "sample-vault";
  const operationKind = "add";
  const parameters = {
    properties: {
      accessPolicies: [
        {
          objectId: "00000000-0000-0000-0000-000000000000",
          permissions: {
            certificates: ["get"],
            keys: ["encrypt"],
            secrets: ["get"],
          },
          tenantId: "00000000-0000-0000-0000-000000000000",
        },
      ],
    },
  };
  const credential = new DefaultAzureCredential();
  const client = new KeyVaultManagementClient(credential, subscriptionId);
  const result = await client.vaults.updateAccessPolicy(
    resourceGroupName,
    vaultName,
    operationKind,
    parameters,
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

using Azure;
using Azure.ResourceManager;
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.KeyVault.Models;
using Azure.ResourceManager.KeyVault;

// Generated from example definition: specification/keyvault/resource-manager/Microsoft.KeyVault/stable/2024-11-01/examples/updateAccessPoliciesAdd.json
// this example is just showing the usage of "Vaults_UpdateAccessPolicy" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://v4.hkg1.meaqua.org/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this KeyVaultResource created on azure
// for more information of creating KeyVaultResource, please refer to the document of KeyVaultResource
string subscriptionId = "00000000-0000-0000-0000-000000000000";
string resourceGroupName = "sample-group";
string vaultName = "sample-vault";
ResourceIdentifier keyVaultResourceId = KeyVaultResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, vaultName);
KeyVaultResource keyVault = client.GetKeyVaultResource(keyVaultResourceId);

// invoke the operation
AccessPolicyUpdateKind operationKind = AccessPolicyUpdateKind.Add;
KeyVaultAccessPolicyParameters keyVaultAccessPolicyParameters = new KeyVaultAccessPolicyParameters(new KeyVaultAccessPolicyProperties(new KeyVaultAccessPolicy[]
{
new KeyVaultAccessPolicy(Guid.Parse("00000000-0000-0000-0000-000000000000"), "00000000-0000-0000-0000-000000000000", new IdentityAccessPermissions
{
Keys = {IdentityAccessKeyPermission.Encrypt},
Secrets = {IdentityAccessSecretPermission.Get},
Certificates = {IdentityAccessCertificatePermission.Get},
})
}));
KeyVaultAccessPolicyParameters result = await keyVault.UpdateAccessPolicyAsync(operationKind, keyVaultAccessPolicyParameters);

Console.WriteLine($"Succeeded: {result}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Beispiel für eine Antwort

Statuscode:: 200

{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/",
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt"
          ],
          "secrets": [
            "get"
          ],
          "certificates": [
            "get"
          ]
        }
      }
    ]
  }
}

Statuscode:: 201

{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/",
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "properties": {
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
          "keys": [
            "encrypt"
          ],
          "secrets": [
            "get"
          ],
          "certificates": [
            "get"
          ]
        }
      }
    ]
  }
}

Definitionen

Name	Beschreibung
AccessPolicyEntry	Eine Identität, die Zugriff auf den Schlüsseltresor hat. Alle Identitäten im Array müssen dieselbe Mandanten-ID wie die Mandanten-ID des Schlüsseltresors verwenden.
AccessPolicyUpdateKind	Name des Vorgangs.
CertificatePermissions	Berechtigungen für Zertifikate
CloudError	Eine Fehlerantwort vom Key Vault-Ressourcenanbieter
CloudErrorBody	Eine Fehlerantwort vom Key Vault-Ressourcenanbieter
KeyPermissions	Berechtigungen für Schlüssel
Permissions	Berechtigungen, die die Identität für Schlüssel, Geheimnisse, Zertifikate und Speicher hat.
SecretPermissions	Berechtigungen für geheime Schlüssel
StoragePermissions	Berechtigungen für Speicherkonten
VaultAccessPolicyParameters	Parameter für die Aktualisierung der Zugriffsrichtlinie in einem Tresor
VaultAccessPolicyProperties	Eigenschaften der Tresorzugriffsrichtlinie

AccessPolicyEntry

Objekt

Eine Identität, die Zugriff auf den Schlüsseltresor hat. Alle Identitäten im Array müssen dieselbe Mandanten-ID wie die Mandanten-ID des Schlüsseltresors verwenden.

Name	Typ	Beschreibung
applicationId	string (uuid)	Anwendungs-ID des Clients, der eine Anforderung im Auftrag eines Prinzipals durchführt
objectId	string	Die Objekt-ID eines Benutzers, eines Dienstprinzipals oder einer Sicherheitsgruppe im Azure Active Directory-Mandanten für den Tresor. Die Objekt-ID muss für die Liste der Zugriffsrichtlinien eindeutig sein.
permissions	Permissions	Berechtigungen, die die Identität für Schlüssel, geheime Schlüssel und Zertifikate hat.
tenantId	string (uuid)	Die Azure Active Directory-Mandanten-ID, die für die Authentifizierung von Anforderungen an den Schlüsseltresor verwendet werden soll.

AccessPolicyUpdateKind

Enumeration

Name des Vorgangs.

Wert	Beschreibung
add
replace
remove

CertificatePermissions

Enumeration

Berechtigungen für Zertifikate

Wert	Beschreibung
all
get
list
delete
create
import
update
managecontacts
getissuers
listissuers
setissuers
deleteissuers
manageissuers
recover
purge
backup
restore

CloudError

Objekt

Eine Fehlerantwort vom Key Vault-Ressourcenanbieter

Name	Typ	Beschreibung
error	CloudErrorBody	Eine Fehlerantwort vom Key Vault-Ressourcenanbieter

CloudErrorBody

Objekt

Eine Fehlerantwort vom Key Vault-Ressourcenanbieter

Name	Typ	Beschreibung
code	string	Fehlercode. Dabei handelt es sich um eine Eselsbrücke, die programmgesteuert genutzt werden kann.
message	string	Benutzerfreundliche Fehlermeldung. Die Meldung ist in der Regel lokalisiert und kann je nach Dienstversion variieren.

KeyPermissions

Enumeration

Berechtigungen für Schlüssel

Wert	Beschreibung
all
encrypt
decrypt
wrapKey
unwrapKey
sign
verify
get
list
create
update
import
delete
backup
restore
recover
purge
release
rotate
getrotationpolicy
setrotationpolicy

Permissions

Objekt

Berechtigungen, die die Identität für Schlüssel, Geheimnisse, Zertifikate und Speicher hat.

Name	Typ	Beschreibung
certificates	CertificatePermissions[]	Berechtigungen für Zertifikate
keys	KeyPermissions[]	Berechtigungen für Schlüssel
secrets	SecretPermissions[]	Berechtigungen für geheime Schlüssel
storage	StoragePermissions[]	Berechtigungen für Speicherkonten

SecretPermissions

Enumeration

Berechtigungen für geheime Schlüssel

Wert	Beschreibung
all
get
list
set
delete
backup
restore
recover
purge

StoragePermissions

Enumeration

Berechtigungen für Speicherkonten

Wert	Beschreibung
all
get
list
delete
set
update
regeneratekey
recover
purge
backup
restore
setsas
listsas
getsas
deletesas

VaultAccessPolicyParameters

Objekt

Parameter für die Aktualisierung der Zugriffsrichtlinie in einem Tresor

Name	Typ	Beschreibung
id	string	Die Ressourcen-ID der Zugriffsrichtlinie.
location	string	Der Ressourcentyp der Zugriffsrichtlinie.
name	string	Der Ressourcenname der Zugriffsrichtlinie.
properties	VaultAccessPolicyProperties	Eigenschaften der Zugriffsrichtlinie
type	string	Der Ressourcenname der Zugriffsrichtlinie.

VaultAccessPolicyProperties

Objekt

Eigenschaften der Tresorzugriffsrichtlinie

Name	Typ	Beschreibung
accessPolicies	AccessPolicyEntry[]	Ein Array von 0 bis 16 Identitäten, die Zugriff auf den Schlüsseltresor haben. Alle Identitäten im Array müssen dieselbe Mandanten-ID wie die Mandanten-ID des Schlüsseltresors verwenden.