Set up Key Vault for virtual machines using Azure PowerShell

Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets

Note

Azure has two different deployment models you can use to create and work with resources: Azure Resource Manager and classic. This article covers the use of the Resource Manager deployment model. We recommend the Resource Manager deployment model for new deployments instead of the classic deployment model.

In Azure Resource Manager stack, secrets/certificates are modeled as resources that are provided by the resource provider of Key Vault. To learn more about Key Vault, see What is Azure Key Vault?

Note

  1. In order for Key Vault to be used with Azure Resource Manager virtual machines, the EnabledForDeployment property on Key Vault must be set to true. You can do this in various clients.
  2. The Key Vault needs to be created in the same subscription and location as the Virtual Machine.

Use PowerShell to set up Key Vault

To create a key vault by using PowerShell, see Set and retrieve a secret from Azure Key Vault using PowerShell.

For new key vaults, you can use this PowerShell cmdlet:

New-AzKeyVault -VaultName 'ContosoKeyVault' -ResourceGroupName 'ContosoResourceGroup' -Location 'China East' -EnabledForDeployment

For existing key vaults, you can use this PowerShell cmdlet:

Set-AzKeyVaultAccessPolicy -VaultName 'ContosoKeyVault' -EnabledForDeployment

Use CLI to set up Key Vault

To create a key vault by using the command-line interface (CLI), see Manage Key Vault using CLI.

For CLI, you have to create the key vault before you assign the deployment policy. You can do this by using the following command:

az keyvault create --name "ContosoKeyVault" --resource-group "ContosoResourceGroup" --location "ChinaEast"

Then to enable Key Vault for use with template deployment, run the following command:

az keyvault update --name "ContosoKeyVault" --resource-group "ContosoResourceGroup" --enabled-for-deployment "true"

Use templates to set up Key Vault

While you use a template, you need to set the enabledForDeployment property to true for the Key Vault resource.

{
  "type": "Microsoft.KeyVault/vaults",
  "name": "ContosoKeyVault",
  "apiVersion": "2015-06-01",
  "location": "<location-of-key-vault>",
  "properties": {
    "enabledForDeployment": "true",
    ....
    ....
  }
}

For other options that you can configure when you create a key vault by using templates, see Create a key vault.

Note

Templates you downloaded or referenced from the GitHub Repo "azure-quickstart-templates" must be modified in order to fit in the Microsoft Azure operated by 21Vianet Environment. For example, replace some endpoints -- "blob.core.windows.net" by "blob.core.chinacloudapi.cn", "cloudapp.azure.com" by "chinacloudapp.cn"; change some unsupported Location,VM images, VM sizes, SKU and resource-provider's API Version when necessary.