Quickstart: Create a Managed HSM using an ARM template
This quickstart describes how to use an Azure Resource Manager template (ARM template) to create an Azure Key Vault managed HSM. Managed HSM is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguards cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs.
An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.
If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template will open in the Azure portal.
Prerequisites
If you don't have an Azure subscription, create a trial subscription before you begin.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
Review the template
The template used in this quickstart is from Azure Quickstart Templates:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.5.6.12127",
"templateHash": "9933229425431379390"
}
},
"parameters": {
"managedHSMName": {
"type": "string",
"metadata": {
"description": "String specifying the name of the managed HSM."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "String specifying the Azure location where the managed HSM should be created."
}
},
"initialAdminObjectIds": {
"type": "array",
"metadata": {
"description": "Array specifying the objectIDs associated with a list of initial administrators."
}
},
"tenantId": {
"type": "string",
"defaultValue": "[subscription().tenantId]",
"metadata": {
"description": "String specifying the Azure Active Directory tenant ID that should be used for authenticating requests to the managed HSM."
}
},
"softRetentionInDays": {
"type": "int",
"defaultValue": 7,
"maxValue": 90,
"minValue": 7,
"metadata": {
"description": "Specifies the number of days that managed Key Vault will be kept recoverable if deleted. If you do not want to have soft delete enabled, set value to 0."
}
}
},
"resources": [
{
"type": "Microsoft.KeyVault/managedHSMs",
"apiVersion": "2021-04-01-preview",
"name": "[parameters('managedHSMName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_B1",
"family": "B"
},
"properties": {
"enableSoftDelete": "[greater(parameters('softRetentionInDays'), 0)]",
"softDeleteRetentionInDays": "[if(equals(parameters('softRetentionInDays'), 0), null(), parameters('softRetentionInDays'))]",
"enablePurgeProtection": false,
"tenantId": "[parameters('tenantId')]",
"initialAdminObjectIds": "[parameters('initialAdminObjectIds')]",
"publicNetworkAccess": "Enabled",
"networkAcls": {
"bypass": "None",
"defaultAction": "Allow"
}
}
}
]
}
The Azure resource defined in the template is:
- Microsoft.KeyVault/managedHSMs: Create an Azure Key Vault Managed HSM.
Deploy the template
The template requires the object ID associated with your account. To find it, use the Azure CLI az ad user show command, passing your email address to the --id
parameter. You can limit the output to the object ID only with the --query
parameter.
az ad user show --id <your-email-address> --query "objectId"
You may also need your tenant ID. To find it, use the Azure CLI az ad user show command. You can limit the output to the tenant ID only with the --query
parameter.
az account show --query "tenantId"
You can now deploy the ARM template:
Select the following image to sign in to Azure and open a template. The template creates a Managed HSM.
Select or enter the following values. Unless specified, use the default value to create the Managed HSM.
- Subscription: Select an Azure subscription.
- Resource group: Select Create new, enter "myResourceGroup" as the name, and then select OK.
- Location: Select a location. For example, China East 2.
- managedHSMName: Enter a name for your Managed HSM.
- Tenant ID: The template function automatically retrieves your tenant ID; don't change the default value. If there's no value, enter the Tenant ID that you retrieved above.
- initialAdminObjectIds: Enter the Object ID that you retrieved above.
Select Purchase. After the Managed HSM has been deployed successfully, you get a notification:
The Azure portal is used to deploy the template. In addition to the Azure portal, you can also use the Azure PowerShell, Azure CLI, and REST API. To learn other deployment methods, see Deploy templates.
Validate the deployment
You can verify that the managed HSM was created with the Azure CLI az keyvault list command. You'll find the output easier to read if you format the results as a table:
az keyvault list -o table
You should see the name of your newly created managed HSM.
Clean up resources
Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you may wish to leave these resources in place.
When no longer needed, you can use the Azure CLI az group delete command to remove the resource group and all related resources:
az group delete --name "myResourceGroup"
Warning
Deleting the resource group puts the Managed HSM into a soft-deleted state. The Managed HSM will continue to be billed until it's purged. See Managed HSM soft-delete and purge protection
Next steps
In this quickstart, you created a Managed HSM. This Managed HSM won't be fully functional until it's activated. See Activate your Managed HSM to learn how to activate your HSM.
- Read an Overview of Managed HSM
- Learn about Managing keys in a Managed HSM
- Review Managed HSM best practices