{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://schema.api.gov/azure/key-vault/secret-bundle", "title": "Azure Key Vault Secret Bundle", "description": "A secret consisting of a value, id and its attributes as returned by the Azure Key Vault data plane API. Based on the SecretBundle definition from the Azure Key Vault REST API reference at https://learn.microsoft.com/en-us/rest/api/keyvault/secrets.", "type": "object", "properties": { "value": { "type": "string", "description": "The secret value." }, "id": { "type": "string", "format": "uri", "description": "The secret id. The format is https://{vault-name}.vault.azure.net/secrets/{secret-name}/{secret-version}.", "examples": [ "https://myvault.vault.azure.net/secrets/mysecret/4387e9f3d6e14c459867679a90fd0f79" ] }, "contentType": { "type": "string", "description": "The content type of the secret (e.g., 'application/x-pkcs12', 'text/plain', 'application/json').", "examples": [ "text/plain", "application/x-pkcs12", "application/x-pem-file" ] }, "attributes": { "$ref": "#/$defs/SecretAttributes" }, "tags": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Application specific metadata in the form of key-value pairs." }, "kid": { "type": "string", "format": "uri", "description": "If this is a secret backing a KV certificate, then this field specifies the corresponding key backing the KV certificate.", "readOnly": true },
"managed": { "type": "boolean", "description": "True if the secret's lifetime is managed by key vault. If this is a secret backing a certificate, then managed will be true.", "readOnly": true } }, "required": [ "id" ], "$defs": { "SecretAttributes": { "title": "Secret Attributes", "description": "The secret management attributes.", "type": "object", "properties": { "enabled": { "type": "boolean", "description": "Determines whether the object is enabled.", "default": true }, "nbf": { "type": "integer", "description": "Not before date in UTC, encoded as a Unix timestamp (seconds since 1970-01-01T00:00:00Z). The secret is not usable before this time." }, "exp": { "type": "integer", "description": "Expiry date in UTC, encoded as a Unix timestamp (seconds since 1970-01-01T00:00:00Z). The secret is not usable after this time." }, "created": { "type": "integer", "description": "Creation time in UTC, encoded as a Unix timestamp.", "readOnly": true }, "updated": { "type": "integer", "description": "Last updated time in UTC, encoded as a Unix timestamp.", "readOnly": true }, "recoveryLevel": { "$ref": "#/$defs/DeletionRecoveryLevel" }, "recoverableDays": { "type": "integer", "minimum": 0, "maximum": 90, "description": "Soft-delete data retention period in days. The value is between 7 and 90 (inclusive) when soft-delete is enabled, otherwise 0.", "readOnly": true } } },
"DeletionRecoveryLevel": { "title": "Deletion Recovery Level", "description": "Reflects the deletion recovery level currently in effect for secrets in the current vault. If it contains 'Purgeable', the secret can be permanently deleted by a privileged user; otherwise, only the system can purge the secret at the end of the retention interval.", "type": "string", "enum": [ "Purgeable", "Recoverable+Purgeable", "Recoverable", "Recoverable+ProtectedSubscription", "CustomizedRecoverable+Purgeable", "CustomizedRecoverable", "CustomizedRecoverable+ProtectedSubscription" ] }, "SecretSetParameters": { "title": "Secret Set Parameters", "description": "The request body for creating or updating a secret via PUT /secrets/{secret-name}.", "type": "object", "required": [ "value" ], "properties": { "value": { "type": "string", "description": "The value of the secret." }, "tags": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Application specific metadata in the form of key-value pairs." }, "contentType": { "type": "string", "description": "Type of the secret value such as a password." }, "attributes": { "$ref": "#/$defs/SecretAttributes" } } }, "SecretUpdateParameters": { "title": "Secret Update Parameters", "description": "The request body for updating secret attributes via PATCH /secrets/{secret-name}/{secret-version}.", "type": "object", "properties": { "contentType": { "type": "string", "description": "Type of the secret value such as a password." }, "attributes": { "$ref": "#/$defs/SecretAttributes" }, "tags": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Application specific metadata in the form of key-value pairs." } } }, "SecretItem": { "title": "Secret Item", "description": "The secret item containing secret metadata, as returned in list operations.", "type": "object", "properties": { "id": { "type": "string", "format": "uri", "description": "Secret identifier." }, "attributes": { "$ref": "#/$defs/SecretAttributes" }, "tags": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Application specific metadata in the form of key-value pairs."
}, "contentType": { "type": "string", "description": "Type of the secret value such as a password." }, "managed": { "type": "boolean", "description": "True if the secret's lifetime is managed by key vault.", "readOnly": true } } }, "SecretListResult": { "title": "Secret List Result", "description": "The secret list result returned by GET /secrets.", "type": "object", "properties": { "value": { "type": "array", "items": { "$ref": "#/$defs/SecretItem" }, "description": "A list of secret items; each entry carries secret metadata only, not the secret value.", "readOnly": true }, "nextLink": { "type": "string", "format": "uri", "description": "The URL to get the next set of secrets.", "readOnly": true } } }, "DeletedSecretBundle": { "title": "Deleted Secret Bundle", "description": "A deleted secret consisting of its previous id, attributes, tags, and deletion information.", "type": "object", "allOf": [ { "$ref": "#" } ], "properties": { "recoveryId": { "type": "string", "format": "uri", "description": "The URL of the recovery object, used to identify and recover the deleted secret."
}, "scheduledPurgeDate": { "type": "integer", "description": "The time when the secret is scheduled to be purged, in UTC, encoded as a Unix timestamp.", "readOnly": true }, "deletedDate": { "type": "integer", "description": "The time when the secret was deleted, in UTC, encoded as a Unix timestamp.", "readOnly": true } } }, "KeyVaultError": { "title": "Key Vault Error", "description": "The key vault error exception.", "type": "object", "properties": { "error": { "type": "object", "description": "The key vault server error.", "properties": { "code": { "type": "string", "description": "The error code.", "readOnly": true }, "message": { "type": "string", "description": "The error message.", "readOnly": true }, "innererror": { "type": "object", "description": "The key vault server inner error. It has the same structure as the enclosing error object and may itself be nested recursively.", "readOnly": true } }, "readOnly": true } }, "readOnly": true } }, "examples": [ { "value": "mysecretvalue", "id": "https://myvault.vault.azure.net/secrets/mysecret/4387e9f3d6e14c459867679a90fd0f79", "attributes": { "enabled": true, "created": 1493938410, "updated": 1493938410, "recoveryLevel": "Recoverable+Purgeable" } } ] }