create_key_vault {AzureKeyVault} | R Documentation |
Create Azure key vault
Description
Method for the AzureRMR::az_resource_group class.
Usage
create_key_vault(name, location = self$location, initial_access = default_access(), sku = "Standard", ..., wait = TRUE)
Arguments

name: The name of the key vault.

location: The location/region in which to create the vault. Defaults to the resource group location.

initial_access: The users or service principals that will have access to the vault. This should be a list of objects of type vault_access_policy, created by the function of the same name. The default is to grant access to the logged-in user or service principal of the current Resource Manager client.

sku: The SKU for the vault. Set this to "Premium" to enable the use of hardware security modules (HSMs).

allow_vm_access: Whether to allow Azure virtual machines to retrieve certificates from the vault.

allow_arm_access: Whether to allow Azure Resource Manager to retrieve secrets from the vault for template deployment purposes.

allow_disk_encryption_access: Whether to allow Azure Disk Encryption to retrieve secrets and keys from the vault.

soft_delete: Whether soft-deletion should be enabled for this vault. Soft-deletion is a feature which protects both the vault itself and its contents from accidental or malicious deletion; see below.

purge_protection: Whether purge protection is enabled. If this is TRUE and soft-deletion is enabled for the vault, manual purges are not allowed. Has no effect if soft_delete=FALSE.

...: Other named arguments to pass to the az_key_vault initialization function.

wait: Whether to wait for the resource creation to complete before returning.
Details
This method deploys a new key vault resource, with parameters given by the arguments. A key vault is a secure facility for storing and managing encryption keys, certificates, storage account keys, and generic secrets.
A new key vault will have access granted to the user or service principal used to sign in to the Azure Resource Manager client. To manage access policies after creation, use the add_principal, list_principals and remove_principal methods of the key vault object.
Key Vault's soft-delete feature allows recovery of deleted vaults and vault objects. Specifically, it addresses the following scenarios:
- Support for recoverable deletion of a key vault
- Support for recoverable deletion of key vault objects (keys, secrets, certificates)
With this feature, the delete operation on a key vault or key vault object is a soft-delete, effectively holding the resources for a given retention period (90 days), while giving the appearance that the object is deleted. The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.
Soft-deleted vaults can be purged (permanently removed) by calling the purge_key_vault method for the resource group or subscription classes. The purge protection optional feature provides an additional layer of protection by forbidding manual purges; when this is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed.
To see what soft-deleted key vaults exist, call the list_deleted_key_vaults method. To recover a soft-deleted key vault, call the create_key_vault method from the vault's original resource group, with the vault name. To purge (permanently delete) it, call the purge_key_vault method.
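The following is an added, end-to-end example (not from the AzureKeyVault package's own documentation) that ties together the access-policy and soft-delete behaviour described above: a Premium vault is created with soft-delete and purge protection on, a service principal is granted read-only access to secrets, and the vault is then deleted and recovered by name. The subscription id, resource group name, vault name and app id are placeholders. It assumes that vault_access_policy() accepts key_permissions, secret_permissions and certificate_permissions arguments (with an empty vector granting nothing in that category), that add_principal() accepts a vault_access_policy object, and that delete_key_vault() takes a confirm argument; those names are not stated on this page.

```r
library(AzureRMR)
library(AzureGraph)
library(AzureKeyVault)

# Placeholder identifiers: replace with your own subscription, resource group and app.
rg <- AzureRMR::get_azure_login()$
    get_subscription("subscription_id")$
    get_resource_group("rgname")

# Premium SKU for HSM-backed keys; soft-delete plus purge protection so that a
# deleted vault stays recoverable and cannot be purged before the retention period ends.
# initial_access is left at its default, so the logged-in principal is the only
# identity with access at this point.
kv <- rg$create_key_vault("mykeyvault",
    sku="Premium",
    soft_delete=TRUE,
    purge_protection=TRUE)

# Least-privilege policy for a workload: it may read and enumerate secrets, nothing else.
# Assumption: an empty character vector means "no permissions" for that category.
gr  <- AzureGraph::get_graph_login()
svc <- gr$get_service_principal("app_id")
reader_policy <- vault_access_policy(svc, tenant=NULL,
    key_permissions=character(0),
    secret_permissions=c("get", "list"),
    certificate_permissions=character(0))

# Assumption: add_principal accepts a ready-made vault_access_policy object.
kv$add_principal(reader_policy)

# Review the effective access policies: the creator plus the read-only principal.
print(kv$list_principals())

# Revoke the workload's access once it is no longer needed.
kv$remove_principal(svc)

# Soft-delete recovery flow. Assumption: confirm=FALSE suppresses the interactive prompt.
rg$delete_key_vault("mykeyvault", confirm=FALSE)

# The vault is still visible here for the 90-day retention period.
print(rg$list_deleted_key_vaults())

# Re-creating the vault by name from its original resource group recovers it.
kv <- rg$create_key_vault("mykeyvault")

# With purge protection on, this would be refused until the retention period has passed,
# which is the behaviour that protects against a malicious permanent deletion:
# rg$purge_key_vault("mykeyvault")
```

The order matters for auditing: creating with the default initial_access and then calling add_principal keeps the creator's policy intact, and list_principals gives a single place to verify that only the intended identities, with only the intended permission categories, can reach the vault.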
Value
An object of class az_key_vault representing the created key vault.
See Also
get_key_vault, delete_key_vault, purge_key_vault, az_key_vault, vault_access_policy
Azure Key Vault documentation, Azure Key Vault API reference
Examples
## Not run:
rg <- AzureRMR::get_azure_login()$
    get_subscription("subscription_id")$
    get_resource_group("rgname")

# create a new key vault
rg$create_key_vault("mykeyvault")

# create a new key vault, and grant access to a service principal
gr <- AzureGraph::get_graph_login()
svc <- gr$get_service_principal("app_id")
rg$create_key_vault("mykeyvault",
    initial_access=list(vault_access_policy(svc, tenant=NULL)))
## End(Not run)