Azure v6.21.0, Mar 7 25

We recommend using Azure Native.

Azure v6.21.0 published on Friday, Mar 7, 2025 by Pulumi

pulumi/pulumi-azure

azure.keyvault.ManagedHardwareSecurityModuleKey

Explore with Pulumi AI

We recommend using Azure Native.

Azure v6.21.0 published on Friday, Mar 7, 2025 by Pulumi

pulumi/pulumi-azure

resources:
  example:
    type: azure:keyvault:ManagedHardwareSecurityModule
    properties:
      name: example
      resourceGroupName: ${exampleAzurermResourceGroup.name}
      location: ${exampleAzurermResourceGroup.location}
      skuName: Standard_B1
      tenantId: ${current.tenantId}
      adminObjectIds:
        - ${current.objectId}
      purgeProtectionEnabled: false
      activeConfig:
        - securityDomainCertificate:
            - ${cert[0].id}
            - ${cert[1].id}
            - ${cert[2].id}
          securityDomainQuorum: 2
  # this gives your service principal the HSM Crypto User role which lets you create and destroy hsm keys
  hsm-crypto-user:
    type: azure:keyvault:ManagedHardwareSecurityModuleRoleAssignment
    properties:
      managedHsmId: ${test.id}
      name: 1e243909-064c-6ac3-84e9-1c8bf8d6ad22
      scope: /keys
      roleDefinitionId: /Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b
      principalId: ${current.objectId}
  # this gives your service principal the HSM Crypto Officer role which lets you purge hsm keys
  hsm-crypto-officer:
    type: azure:keyvault:ManagedHardwareSecurityModuleRoleAssignment
    properties:
      managedHsmId: ${test.id}
      name: 1e243909-064c-6ac3-84e9-1c8bf8d6ad23
      scope: /keys
      roleDefinitionId: /Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778
      principalId: ${current.objectId}
  exampleManagedHardwareSecurityModuleKey:
    type: azure:keyvault:ManagedHardwareSecurityModuleKey
    name: example
    properties:
      name: example
      managedHsmId: ${test.id}
      keyType: EC-HSM
      curve: P-521
      keyOpts:
        - sign
    options:
      dependsOn:
        - ${testAzurermKeyVaultManagedHardwareSecurityModuleRoleAssignment}
        - ${test1}
variables:
  current:
    fn::invoke:
      function: azure:core:getClientConfig
      arguments: {}

Create ManagedHardwareSecurityModuleKey Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new ManagedHardwareSecurityModuleKey(name: string, args: ManagedHardwareSecurityModuleKeyArgs, opts?: CustomResourceOptions);

@overload
def ManagedHardwareSecurityModuleKey(resource_name: str,
                                     args: ManagedHardwareSecurityModuleKeyArgs,
                                     opts: Optional[ResourceOptions] = None)

@overload
def ManagedHardwareSecurityModuleKey(resource_name: str,
                                     opts: Optional[ResourceOptions] = None,
                                     key_opts: Optional[Sequence[str]] = None,
                                     key_type: Optional[str] = None,
                                     managed_hsm_id: Optional[str] = None,
                                     curve: Optional[str] = None,
                                     expiration_date: Optional[str] = None,
                                     key_size: Optional[int] = None,
                                     name: Optional[str] = None,
                                     not_before_date: Optional[str] = None,
                                     tags: Optional[Mapping[str, str]] = None)

func NewManagedHardwareSecurityModuleKey(ctx *Context, name string, args ManagedHardwareSecurityModuleKeyArgs, opts ...ResourceOption) (*ManagedHardwareSecurityModuleKey, error)

public ManagedHardwareSecurityModuleKey(string name, ManagedHardwareSecurityModuleKeyArgs args, CustomResourceOptions? opts = null)

public ManagedHardwareSecurityModuleKey(String name, ManagedHardwareSecurityModuleKeyArgs args)
public ManagedHardwareSecurityModuleKey(String name, ManagedHardwareSecurityModuleKeyArgs args, CustomResourceOptions options)

type: azure:keyvault:ManagedHardwareSecurityModuleKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args ManagedHardwareSecurityModuleKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ManagedHardwareSecurityModuleKeyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ManagedHardwareSecurityModuleKeyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ManagedHardwareSecurityModuleKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ManagedHardwareSecurityModuleKeyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var managedHardwareSecurityModuleKeyResource = new Azure.KeyVault.ManagedHardwareSecurityModuleKey("managedHardwareSecurityModuleKeyResource", new()
{
    KeyOpts = new[]
    {
        "string",
    },
    KeyType = "string",
    ManagedHsmId = "string",
    Curve = "string",
    ExpirationDate = "string",
    KeySize = 0,
    Name = "string",
    NotBeforeDate = "string",
    Tags = 
    {
        { "string", "string" },
    },
});

example, err := keyvault.NewManagedHardwareSecurityModuleKey(ctx, "managedHardwareSecurityModuleKeyResource", &keyvault.ManagedHardwareSecurityModuleKeyArgs{
	KeyOpts: pulumi.StringArray{
		pulumi.String("string"),
	},
	KeyType:        pulumi.String("string"),
	ManagedHsmId:   pulumi.String("string"),
	Curve:          pulumi.String("string"),
	ExpirationDate: pulumi.String("string"),
	KeySize:        pulumi.Int(0),
	Name:           pulumi.String("string"),
	NotBeforeDate:  pulumi.String("string"),
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
})

var managedHardwareSecurityModuleKeyResource = new ManagedHardwareSecurityModuleKey("managedHardwareSecurityModuleKeyResource", ManagedHardwareSecurityModuleKeyArgs.builder()
    .keyOpts("string")
    .keyType("string")
    .managedHsmId("string")
    .curve("string")
    .expirationDate("string")
    .keySize(0)
    .name("string")
    .notBeforeDate("string")
    .tags(Map.of("string", "string"))
    .build());

managed_hardware_security_module_key_resource = azure.keyvault.ManagedHardwareSecurityModuleKey("managedHardwareSecurityModuleKeyResource",
    key_opts=["string"],
    key_type="string",
    managed_hsm_id="string",
    curve="string",
    expiration_date="string",
    key_size=0,
    name="string",
    not_before_date="string",
    tags={
        "string": "string",
    })

const managedHardwareSecurityModuleKeyResource = new azure.keyvault.ManagedHardwareSecurityModuleKey("managedHardwareSecurityModuleKeyResource", {
    keyOpts: ["string"],
    keyType: "string",
    managedHsmId: "string",
    curve: "string",
    expirationDate: "string",
    keySize: 0,
    name: "string",
    notBeforeDate: "string",
    tags: {
        string: "string",
    },
});

type: azure:keyvault:ManagedHardwareSecurityModuleKey
properties:
    curve: string
    expirationDate: string
    keyOpts:
        - string
    keySize: 0
    keyType: string
    managedHsmId: string
    name: string
    notBeforeDate: string
    tags:
        string: string

ManagedHardwareSecurityModuleKey Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ManagedHardwareSecurityModuleKey resource accepts the following input properties:

KeyOpts List<string>: A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case-sensitive.
KeyType string: Specifies the Key Type to use for this Key Vault Managed Hardware Security Module Key. Possible values are EC-HSM, oct-HSM and RSA-HSM. More details see HSM-protected keys. Changing this forces a new resource to be created.
ManagedHsmId string: Specifies the ID of the Key Vault Managed Hardware Security Module that they key will be owned by. Changing this forces a new resource to be created.
Curve string: Specifies the curve to use when creating an EC-HSM key. Possible values are P-256, P-256K, P-384, and P-521. This field is required if key_type is EC-HSM. Changing this forces a new resource to be created.
ExpirationDate string: Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter gets changed on reruns, if newer date is ahead of current date, an update is performed. If the newer date is before the current date, resource will be force created.
KeySize int: Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA-HSM or oct-HSM. Changing this forces a new resource to be created.
Name string: Specifies the name of the Key Vault Managed Hardware Security Module Key. Changing this forces a new resource to be created.
NotBeforeDate string: Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
Note: Once expiration_date is set, it's not possible to unset the key even if it is deleted & recreated as underlying Azure API uses the restore of the purged key.
Tags Dictionary<string, string>: A mapping of tags to assign to the resource.

KeyOpts []string: A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case-sensitive.
KeyType string: Specifies the Key Type to use for this Key Vault Managed Hardware Security Module Key. Possible values are EC-HSM, oct-HSM and RSA-HSM. More details see HSM-protected keys. Changing this forces a new resource to be created.
ManagedHsmId string: Specifies the ID of the Key Vault Managed Hardware Security Module that they key will be owned by. Changing this forces a new resource to be created.
Curve string: Specifies the curve to use when creating an EC-HSM key. Possible values are P-256, P-256K, P-384, and P-521. This field is required if key_type is EC-HSM. Changing this forces a new resource to be created.
ExpirationDate string: Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter gets changed on reruns, if newer date is ahead of current date, an update is performed. If the newer date is before the current date, resource will be force created.
KeySize int: Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA-HSM or oct-HSM. Changing this forces a new resource to be created.
Name string: Specifies the name of the Key Vault Managed Hardware Security Module Key. Changing this forces a new resource to be created.
NotBeforeDate string: Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
Note: Once expiration_date is set, it's not possible to unset the key even if it is deleted & recreated as underlying Azure API uses the restore of the purged key.
Tags map[string]string: A mapping of tags to assign to the resource.

keyOpts List<String>: A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case-sensitive.
keyType String: Specifies the Key Type to use for this Key Vault Managed Hardware Security Module Key. Possible values are EC-HSM, oct-HSM and RSA-HSM. More details see HSM-protected keys. Changing this forces a new resource to be created.
managedHsmId String: Specifies the ID of the Key Vault Managed Hardware Security Module that they key will be owned by. Changing this forces a new resource to be created.
curve String: Specifies the curve to use when creating an EC-HSM key. Possible values are P-256, P-256K, P-384, and P-521. This field is required if key_type is EC-HSM. Changing this forces a new resource to be created.
expirationDate String: Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter gets changed on reruns, if newer date is ahead of current date, an update is performed. If the newer date is before the current date, resource will be force created.
keySize Integer: Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA-HSM or oct-HSM. Changing this forces a new resource to be created.
name String: Specifies the name of the Key Vault Managed Hardware Security Module Key. Changing this forces a new resource to be created.
notBeforeDate String: Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
Note: Once expiration_date is set, it's not possible to unset the key even if it is deleted & recreated as underlying Azure API uses the restore of the purged key.
tags Map<String,String>: A mapping of tags to assign to the resource.

keyOpts string[]: A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case-sensitive.
keyType string: Specifies the Key Type to use for this Key Vault Managed Hardware Security Module Key. Possible values are EC-HSM, oct-HSM and RSA-HSM. More details see HSM-protected keys. Changing this forces a new resource to be created.
managedHsmId string: Specifies the ID of the Key Vault Managed Hardware Security Module that they key will be owned by. Changing this forces a new resource to be created.
curve string: Specifies the curve to use when creating an EC-HSM key. Possible values are P-256, P-256K, P-384, and P-521. This field is required if key_type is EC-HSM. Changing this forces a new resource to be created.
expirationDate string: Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter gets changed on reruns, if newer date is ahead of current date, an update is performed. If the newer date is before the current date, resource will be force created.
keySize number: Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA-HSM or oct-HSM. Changing this forces a new resource to be created.
name string: Specifies the name of the Key Vault Managed Hardware Security Module Key. Changing this forces a new resource to be created.
notBeforeDate string: Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
Note: Once expiration_date is set, it's not possible to unset the key even if it is deleted & recreated as underlying Azure API uses the restore of the purged key.
tags {[key: string]: string}: A mapping of tags to assign to the resource.

key_opts Sequence[str]: A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case-sensitive.
key_type str: Specifies the Key Type to use for this Key Vault Managed Hardware Security Module Key. Possible values are EC-HSM, oct-HSM and RSA-HSM. More details see HSM-protected keys. Changing this forces a new resource to be created.
managed_hsm_id str: Specifies the ID of the Key Vault Managed Hardware Security Module that they key will be owned by. Changing this forces a new resource to be created.
curve str: Specifies the curve to use when creating an EC-HSM key. Possible values are P-256, P-256K, P-384, and P-521. This field is required if key_type is EC-HSM. Changing this forces a new resource to be created.
expiration_date str: Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter gets changed on reruns, if newer date is ahead of current date, an update is performed. If the newer date is before the current date, resource will be force created.
key_size int: Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA-HSM or oct-HSM. Changing this forces a new resource to be created.
name str: Specifies the name of the Key Vault Managed Hardware Security Module Key. Changing this forces a new resource to be created.
not_before_date str: Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
Note: Once expiration_date is set, it's not possible to unset the key even if it is deleted & recreated as underlying Azure API uses the restore of the purged key.
tags Mapping[str, str]: A mapping of tags to assign to the resource.

keyOpts List<String>: A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case-sensitive.
keyType String: Specifies the Key Type to use for this Key Vault Managed Hardware Security Module Key. Possible values are EC-HSM, oct-HSM and RSA-HSM. More details see HSM-protected keys. Changing this forces a new resource to be created.
managedHsmId String: Specifies the ID of the Key Vault Managed Hardware Security Module that they key will be owned by. Changing this forces a new resource to be created.
curve String: Specifies the curve to use when creating an EC-HSM key. Possible values are P-256, P-256K, P-384, and P-521. This field is required if key_type is EC-HSM. Changing this forces a new resource to be created.
expirationDate String: Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter gets changed on reruns, if newer date is ahead of current date, an update is performed. If the newer date is before the current date, resource will be force created.
keySize Number: Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA-HSM or oct-HSM. Changing this forces a new resource to be created.
name String: Specifies the name of the Key Vault Managed Hardware Security Module Key. Changing this forces a new resource to be created.
notBeforeDate String: Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
Note: Once expiration_date is set, it's not possible to unset the key even if it is deleted & recreated as underlying Azure API uses the restore of the purged key.
tags Map<String>: A mapping of tags to assign to the resource.

Outputs

All input properties are implicitly available as output properties. Additionally, the ManagedHardwareSecurityModuleKey resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
VersionedId string: The versioned Key Vault Secret Managed Hardware Security Module Key ID.

Id string: The provider-assigned unique ID for this managed resource.
VersionedId string: The versioned Key Vault Secret Managed Hardware Security Module Key ID.

id String: The provider-assigned unique ID for this managed resource.
versionedId String: The versioned Key Vault Secret Managed Hardware Security Module Key ID.

id string: The provider-assigned unique ID for this managed resource.
versionedId string: The versioned Key Vault Secret Managed Hardware Security Module Key ID.

id str: The provider-assigned unique ID for this managed resource.
versioned_id str: The versioned Key Vault Secret Managed Hardware Security Module Key ID.

id String: The provider-assigned unique ID for this managed resource.
versionedId String: The versioned Key Vault Secret Managed Hardware Security Module Key ID.

Look up Existing ManagedHardwareSecurityModuleKey Resource

Get an existing ManagedHardwareSecurityModuleKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ManagedHardwareSecurityModuleKeyState, opts?: CustomResourceOptions): ManagedHardwareSecurityModuleKey

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        curve: Optional[str] = None,
        expiration_date: Optional[str] = None,
        key_opts: Optional[Sequence[str]] = None,
        key_size: Optional[int] = None,
        key_type: Optional[str] = None,
        managed_hsm_id: Optional[str] = None,
        name: Optional[str] = None,
        not_before_date: Optional[str] = None,
        tags: Optional[Mapping[str, str]] = None,
        versioned_id: Optional[str] = None) -> ManagedHardwareSecurityModuleKey

func GetManagedHardwareSecurityModuleKey(ctx *Context, name string, id IDInput, state *ManagedHardwareSecurityModuleKeyState, opts ...ResourceOption) (*ManagedHardwareSecurityModuleKey, error)

public static ManagedHardwareSecurityModuleKey Get(string name, Input<string> id, ManagedHardwareSecurityModuleKeyState? state, CustomResourceOptions? opts = null)

public static ManagedHardwareSecurityModuleKey get(String name, Output<String> id, ManagedHardwareSecurityModuleKeyState state, CustomResourceOptions options)

resources:  _:    type: azure:keyvault:ManagedHardwareSecurityModuleKey    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Curve string: Specifies the curve to use when creating an EC-HSM key. Possible values are P-256, P-256K, P-384, and P-521. This field is required if key_type is EC-HSM. Changing this forces a new resource to be created.
ExpirationDate string: Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter gets changed on reruns, if newer date is ahead of current date, an update is performed. If the newer date is before the current date, resource will be force created.
KeyOpts List<string>: A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case-sensitive.
KeySize int: Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA-HSM or oct-HSM. Changing this forces a new resource to be created.
KeyType string: Specifies the Key Type to use for this Key Vault Managed Hardware Security Module Key. Possible values are EC-HSM, oct-HSM and RSA-HSM. More details see HSM-protected keys. Changing this forces a new resource to be created.
ManagedHsmId string: Specifies the ID of the Key Vault Managed Hardware Security Module that they key will be owned by. Changing this forces a new resource to be created.
Name string: Specifies the name of the Key Vault Managed Hardware Security Module Key. Changing this forces a new resource to be created.
NotBeforeDate string: Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
Note: Once expiration_date is set, it's not possible to unset the key even if it is deleted & recreated as underlying Azure API uses the restore of the purged key.
Tags Dictionary<string, string>: A mapping of tags to assign to the resource.
VersionedId string: The versioned Key Vault Secret Managed Hardware Security Module Key ID.

Curve string: Specifies the curve to use when creating an EC-HSM key. Possible values are P-256, P-256K, P-384, and P-521. This field is required if key_type is EC-HSM. Changing this forces a new resource to be created.
ExpirationDate string: Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter gets changed on reruns, if newer date is ahead of current date, an update is performed. If the newer date is before the current date, resource will be force created.
KeyOpts []string: A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case-sensitive.
KeySize int: Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA-HSM or oct-HSM. Changing this forces a new resource to be created.
KeyType string: Specifies the Key Type to use for this Key Vault Managed Hardware Security Module Key. Possible values are EC-HSM, oct-HSM and RSA-HSM. More details see HSM-protected keys. Changing this forces a new resource to be created.
ManagedHsmId string: Specifies the ID of the Key Vault Managed Hardware Security Module that they key will be owned by. Changing this forces a new resource to be created.
Name string: Specifies the name of the Key Vault Managed Hardware Security Module Key. Changing this forces a new resource to be created.
NotBeforeDate string: Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
Note: Once expiration_date is set, it's not possible to unset the key even if it is deleted & recreated as underlying Azure API uses the restore of the purged key.
Tags map[string]string: A mapping of tags to assign to the resource.
VersionedId string: The versioned Key Vault Secret Managed Hardware Security Module Key ID.

curve String: Specifies the curve to use when creating an EC-HSM key. Possible values are P-256, P-256K, P-384, and P-521. This field is required if key_type is EC-HSM. Changing this forces a new resource to be created.
expirationDate String: Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter gets changed on reruns, if newer date is ahead of current date, an update is performed. If the newer date is before the current date, resource will be force created.
keyOpts List<String>: A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case-sensitive.
keySize Integer: Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA-HSM or oct-HSM. Changing this forces a new resource to be created.
keyType String: Specifies the Key Type to use for this Key Vault Managed Hardware Security Module Key. Possible values are EC-HSM, oct-HSM and RSA-HSM. More details see HSM-protected keys. Changing this forces a new resource to be created.
managedHsmId String: Specifies the ID of the Key Vault Managed Hardware Security Module that they key will be owned by. Changing this forces a new resource to be created.
name String: Specifies the name of the Key Vault Managed Hardware Security Module Key. Changing this forces a new resource to be created.
notBeforeDate String: Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
Note: Once expiration_date is set, it's not possible to unset the key even if it is deleted & recreated as underlying Azure API uses the restore of the purged key.
tags Map<String,String>: A mapping of tags to assign to the resource.
versionedId String: The versioned Key Vault Secret Managed Hardware Security Module Key ID.

curve string: Specifies the curve to use when creating an EC-HSM key. Possible values are P-256, P-256K, P-384, and P-521. This field is required if key_type is EC-HSM. Changing this forces a new resource to be created.
expirationDate string: Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter gets changed on reruns, if newer date is ahead of current date, an update is performed. If the newer date is before the current date, resource will be force created.
keyOpts string[]: A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case-sensitive.
keySize number: Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA-HSM or oct-HSM. Changing this forces a new resource to be created.
keyType string: Specifies the Key Type to use for this Key Vault Managed Hardware Security Module Key. Possible values are EC-HSM, oct-HSM and RSA-HSM. More details see HSM-protected keys. Changing this forces a new resource to be created.
managedHsmId string: Specifies the ID of the Key Vault Managed Hardware Security Module that they key will be owned by. Changing this forces a new resource to be created.
name string: Specifies the name of the Key Vault Managed Hardware Security Module Key. Changing this forces a new resource to be created.
notBeforeDate string: Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
Note: Once expiration_date is set, it's not possible to unset the key even if it is deleted & recreated as underlying Azure API uses the restore of the purged key.
tags {[key: string]: string}: A mapping of tags to assign to the resource.
versionedId string: The versioned Key Vault Secret Managed Hardware Security Module Key ID.

curve str: Specifies the curve to use when creating an EC-HSM key. Possible values are P-256, P-256K, P-384, and P-521. This field is required if key_type is EC-HSM. Changing this forces a new resource to be created.
expiration_date str: Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter gets changed on reruns, if newer date is ahead of current date, an update is performed. If the newer date is before the current date, resource will be force created.
key_opts Sequence[str]: A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case-sensitive.
key_size int: Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA-HSM or oct-HSM. Changing this forces a new resource to be created.
key_type str: Specifies the Key Type to use for this Key Vault Managed Hardware Security Module Key. Possible values are EC-HSM, oct-HSM and RSA-HSM. More details see HSM-protected keys. Changing this forces a new resource to be created.
managed_hsm_id str: Specifies the ID of the Key Vault Managed Hardware Security Module that they key will be owned by. Changing this forces a new resource to be created.
name str: Specifies the name of the Key Vault Managed Hardware Security Module Key. Changing this forces a new resource to be created.
not_before_date str: Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
Note: Once expiration_date is set, it's not possible to unset the key even if it is deleted & recreated as underlying Azure API uses the restore of the purged key.
tags Mapping[str, str]: A mapping of tags to assign to the resource.
versioned_id str: The versioned Key Vault Secret Managed Hardware Security Module Key ID.

curve String: Specifies the curve to use when creating an EC-HSM key. Possible values are P-256, P-256K, P-384, and P-521. This field is required if key_type is EC-HSM. Changing this forces a new resource to be created.
expirationDate String: Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter gets changed on reruns, if newer date is ahead of current date, an update is performed. If the newer date is before the current date, resource will be force created.
keyOpts List<String>: A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case-sensitive.
keySize Number: Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA-HSM or oct-HSM. Changing this forces a new resource to be created.
keyType String: Specifies the Key Type to use for this Key Vault Managed Hardware Security Module Key. Possible values are EC-HSM, oct-HSM and RSA-HSM. More details see HSM-protected keys. Changing this forces a new resource to be created.
managedHsmId String: Specifies the ID of the Key Vault Managed Hardware Security Module that they key will be owned by. Changing this forces a new resource to be created.
name String: Specifies the name of the Key Vault Managed Hardware Security Module Key. Changing this forces a new resource to be created.
notBeforeDate String: Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
Note: Once expiration_date is set, it's not possible to unset the key even if it is deleted & recreated as underlying Azure API uses the restore of the purged key.
tags Map<String>: A mapping of tags to assign to the resource.
versionedId String: The versioned Key Vault Secret Managed Hardware Security Module Key ID.

Import

Key Vault Managed Hardware Security Module Key can be imported using the resource id, e.g.

$ pulumi import azure:keyvault/managedHardwareSecurityModuleKey:ManagedHardwareSecurityModuleKey example https://exampleHSM.managedhsm.azure.net/keys/exampleKey

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Azure Classic pulumi/pulumi-azure
License: Apache-2.0
Notes: This Pulumi package is based on the azurerm Terraform Provider.

We recommend using Azure Native.

Azure v6.21.0 published on Friday, Mar 7, 2025 by Pulumi

pulumi/pulumi-azure

azure.keyvault.ManagedHardwareSecurityModuleKey

On this page

On this page

Create ManagedHardwareSecurityModuleKey Resource

Constructor syntax

Parameters

Constructor example

ManagedHardwareSecurityModuleKey Resource Properties

Inputs

Outputs

Look up Existing ManagedHardwareSecurityModuleKey Resource

Import

Package Details

On this page

On this page