| title | description | services | author | ms.author | ms.date | ms.topic | ms.service | ms.subservice | tags | ms.custom |
|---|---|---|---|---|---|---|---|---|---|---|
Azure Quickstart - Create a Managed HSM using an Azure Resource Manager template |
Quickstart showing how to create Azure an Azure Key Vault Managed HSM using Resource Manager template |
key-vault |
msmbaldwin |
mbaldwin |
02/20/2024 |
quickstart |
key-vault |
managed-hsm |
azure-resource-manager |
subject-armqs, devx-track-arm-template, devx-track-azurecli |
This quickstart describes how to use an Azure Resource Manager template (ARM template) to create an Azure Key Vault managed HSM. Managed HSM is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguards cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs.
[!INCLUDE About Azure Resource Manager]
If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template will open in the Azure portal.
:::image type="content" source="~/reusable-content/ce-skilling/azure/media/template-deployments/deploy-to-azure-button.svg" alt-text="Button to deploy the Resource Manager template to Azure." border="false" link="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.keyvault%2Fmanaged-hsm-create%2Fazuredeploy.json":::
If you don't have an Azure subscription, create a free account before you begin.
[!INCLUDE Azure CLI prepare your environment]
The template used in this quickstart is from Azure Quickstart Templates:
:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.keyvault/managed-hsm-create/azuredeploy.json":::
The Azure resource defined in the template is:
- Microsoft.KeyVault/managedHSMs: Create an Azure Key Vault Managed HSM.
The template requires the object ID associated with your account. To find it, use the Azure CLI az ad user show command, passing your email address to the --id parameter. You can limit the output to the object ID only with the --query parameter.
az ad user show --id <your-email-address> --query "objectId"
You may also need your tenant ID. To find it, use the Azure CLI az ad user show command. You can limit the output to the tenant ID only with the --query parameter.
az account show --query "tenantId"
You can now deploy the ARM template:
-
Select the following image to sign in to Azure and open a template. The template creates a Managed HSM.
:::image type="content" source="~/reusable-content/ce-skilling/azure/media/template-deployments/deploy-to-azure-button.svg" alt-text="Button to deploy the Resource Manager template to Azure." border="false" link="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.keyvault%2Fmanaged-hsm-create%2Fazuredeploy.json":::
-
Select or enter the following values. Unless specified, use the default value to create the Managed HSM.
- Subscription: Select an Azure subscription.
- Resource group: Select Create new, enter "myResourceGroup" as the name, and then select OK.
- Location: Select a location. For example, East US 2.
- managedHSMName: Enter a name for your Managed HSM.
- Tenant ID: The template function automatically retrieves your tenant ID; don't change the default value. If there is no value, enter the Tenant ID that you retrieved above.
- initialAdminObjectIds: Enter the Object ID that you retrieved above.
-
Select Purchase. After the Managed HSM has been deployed successfully, you get a notification:
The Azure portal is used to deploy the template. In addition to the Azure portal, you can also use the Azure PowerShell, Azure CLI, and REST API. To learn other deployment methods, see Deploy templates.
You can verify that the managed HSM was created with the Azure CLI az keyvault list command. You will find the output easier to read if you format the results as a table:
az keyvault list -o table
You should see the name of your newly created managed HSM.
[!INCLUDE Delete resource group]
Warning
Deleting the resource group puts the Managed HSM into a soft-deleted state. The Managed HSM will continue to be billed until it is purged. See Managed HSM soft-delete and purge protection
In this quickstart, you created a Managed HSM. This Managed HSM will not be fully functional until it is activated. See Activate your Managed HSM to learn how to activate your HSM.
- Read an Overview of Managed HSM
- Learn about Managing keys in a Managed HSM
- Review Managed HSM best practices