Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Azure Key Vault enables Microsoft Azure applications and users to store and use several types of secret and key data: keys, secrets, and certificates. Keys, secrets, and certificates are collectively referred to as "objects."
Object identifiers
Key Vault uniquely identifies objects by using a case-insensitive identifier called the object identifier. No two objects in the system have the same identifier, regardless of geographic location. The identifier consists of a prefix that identifies the key vault, object type, user-provided object name, and an object version. Identifiers that don't include the object version are referred to as "base identifiers." Key Vault object identifiers are also valid URLs, but always compare them as case-insensitive strings.
For more information, see Authentication, requests, and responses.
An object identifier has the following general format (depending on container type):
For Vaults:
https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}For Managed HSM pools:
https://{hsm-name}.managedhsm.azure.net/{object-type}/{object-name}/{object-version}
Note
See Object type support for types of objects supported by each container type.
Where:
| Element | Description |
|---|---|
vault-name or hsm-name |
The name for a key vault or a Managed HSM pool in the Microsoft Azure Key Vault service. Users select vault names and Managed HSM pool names, which are globally unique. Vault name and Managed HSM pool name must be a 3-24 character string, containing only 0-9, a-z, A-Z, and not consecutive -. |
object-type |
The type of the object, "keys", "secrets", or "certificates". |
object-name |
An object-name is a user provided name for and must be unique within a key vault. The name must be a 1-127 character string, containing only 0-9, a-z, A-Z, and -. |
object-version |
An object-version is a system-generated, 32 character string identifier that is optionally used to address a unique version of an object. |
DNS suffixes for object identifiers
The Azure Key Vault resource provider supports two resource types: vaults and managed HSMs. This table shows the DNS suffix used by the data-plane endpoint for vaults and managed HSMs in various cloud environments.
| Cloud environment | DNS suffix for vaults | DNS suffix for managed HSMs |
|---|---|---|
| Azure Cloud | .vault.azure.net | .managedhsm.azure.net |
| Microsoft Azure operated by 21Vianet Cloud | .vault.azure.cn | .managedhsm.azure.cn |
| Azure US Government | .vault.usgovcloudapi.net | .managedhsm.usgovcloudapi.net |
Object types
This table shows object types and their suffixes in the object identifier.
| Object type | Identifier Suffix | Vaults | Managed HSM Pools |
|---|---|---|---|
| Cryptographic keys | |||
| HSM-protected keys | /keys | Supported | Supported |
| Software-protected keys | /keys | Supported | Not supported |
| Other object types | |||
| Secrets | /secrets | Supported | Not supported |
| Certificates | /certificates | Supported | Not supported |
| Storage account keys | /storage | Supported | Not supported |
- Cryptographic keys: Supports multiple key types and algorithms, and enables the use of software-protected and HSM-protected keys. For more information, see About keys.
- Secrets: Provides secure storage of secrets, such as passwords and database connection strings. For more information, see About secrets.
- Certificates: Supports certificates, which are built on top of keys and secrets and add an automated renewal feature. When you create a certificate, the process also creates an addressable key and secret with the same name. For more information, see About certificates.
- Azure Storage account keys: Can manage keys of an Azure Storage account for you. Internally, Key Vault can list (sync) keys with an Azure Storage Account, and regenerate (rotate) the keys periodically. For more information, see Manage storage account keys with Key Vault.
For more general information about Key Vault, see About Azure Key Vault. For more information about Managed HSM pools, see What is Azure Key Vault Managed HSM?
Data types
Refer to the JOSE specifications for relevant data types for keys, encryption, and signing.
- algorithm - a supported algorithm for a key operation, such as RSA_OAEP_256
- ciphertext-value - cipher text octets, encoded by using Base64URL
- digest-value - the output of a hash algorithm, encoded by using Base64URL
- key-type - one of the supported key types, such as RSA (Rivest-Shamir-Adleman).
- plaintext-value - plaintext octets, encoded by using Base64URL
- signature-value - output of a signature algorithm, encoded by using Base64URL
- base64URL - a Base64URL [RFC4648] encoded binary value
- boolean - either true or false
- Identity - an identity from Microsoft Entra ID.
- IntDate - a JSON decimal value representing the number of seconds from 1970-01-01T0:0:0Z UTC until the specified UTC date/time. See RFC3339 for details regarding date/times, in general and UTC in particular.
Objects, identifiers, and versioning
Key Vault versions objects whenever you create a new instance of an object. Each version has a unique object identifier. When you create an object, you give it a unique version identifier and make it the current version of the object. When you create a new instance with the same object name, you give the new object a unique version identifier and make it the current version.
You can retrieve objects in Key Vault by specifying a version or by omitting the version to get the latest version of the object. To perform operations on objects, you need to provide the version to use a specific version of the object.
Note
The service might copy the values you provide for Azure resources or object IDs globally. Don't include personally identifiable or sensitive information in the value you provide.