documenting

2019-04-05 15:22:08 +11:00 · 2019-04-05 15:22:08 +11:00 · 226db76131
--- a/R/add_methods.R
+++ b/R/add_methods.R
@ -1,3 +1,140 @@
+# documentation is separate from implementation because roxygen still doesn't know how to handle R6
+
+#' Create Azure key vault
+#'
+#' Method for the [AzureRMR::az_resource_group] class.
+#'
+#' @rdname create_key_vault
+#' @name create_key_vault
+#' @aliases create_key_vault
+#' @section Usage:
+#' ```
+#' create_key_vault(name, location = self$location, initial_access = default_access(),
+#'                  sku = "Standard", ..., wait = TRUE)
+#' ```
+#' @section Arguments:
+#' - `name`: The name of the key vault.
+#' - `location`: The location/region in which to create the account. Defaults to the resource group location.
+#' - `initial_access`: The user or service principals that will have access to the vault. This should be a list of objects of type `[vault_access_policy]`, created by the function of the same name. The default is to grant access to the logged-in user or service principal of the current Resource Manager client.
+#' - `sku`: The sku for the vault. Set this to "Premium" to enable the use of hardware security modules (HSMs).
+#' - `...`: Other named arguments to pass to the [az_storage] initialization function.
+#' - `wait`: Whether to wait for the resource creation to complete before returning.
+#'
+#' @section Details:
+#' This method deploys a new key vault resource, with parameters given by the arguments. A key vault is a secure facility for storing and managing encryption keys, certificates, storage account keys, and generic secrets.
+#'
+#' A new key vault will have access granted to the user or service principal used to sign in to the Azure Resource Manager client. To manage access policies after creation, use the `add_principal`, `list_principals` and `remove_principal` methods of the key vault object.
+#'
+#' @section Value:
+#' An object of class `az_key_vault` representing the created key vault.
+#'
+#' @seealso
+#' [get_key_vault], [delete_key_vault], [az_key_vault], [vault_access_policy]
+#'
+#' [Azure Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/),
+#' [Azure Key Vault API reference](https://docs.microsoft.com/en-us/rest/api/keyvault)
+#'
+#' @examples
+#' \dontrun{
+#'
+#' rg <- AzureRMR::get_azure_login()$
+#'     get_subscription("subscription_id")$
+#'     get_resource_group("rgname")
+#'
+#' # create a new key vault
+#' rg$create_key_vault("mykeyvault")
+#'
+#' # create a new key vault, and grant access to a service principal
+#' gr <- AzureGraph::get_graph_login()
+#' svc <- gr$get_service_principal("app_id")
+#' rg$create_key_vault("mykeyvault",
+#'     initial_access=list(vault_access_policy(svc, tenant=NULL)))
+#'
+#' }
+NULL
+
+
+#' Get existing Azure Key Vault
+#'
+#' Methods for the [AzureRMR::az_resource_group] class.
+#'
+#' @rdname get_key_vault
+#' @name get_key_vault
+#' @aliases get_key_vault list_key_vaults
+#'
+#' @section Usage:
+#' ```
+#' get_key_vault(name)
+#' list_key_vaults()
+#' ```
+#' @section Arguments:
+#' - `name`: For `get_key_vault()`, the name of the key vault.
+#'
+#' @section Value:
+#' For `get_key_vault()`, an object of class `az_key_vault` representing the vault.
+#'
+#' For `list_key_vaults()`, a list of such objects.
+#'
+#' @seealso
+#' [create_key_vault], [delete_key_vault], [az_key_vault]
+#'
+#' [Azure Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/),
+#' [Azure Key Vault API reference](https://docs.microsoft.com/en-us/rest/api/keyvault)
+#'
+#' @examples
+#' \dontrun{
+#'
+#' rg <- AzureRMR::get_azure_login()$
+#'     get_subscription("subscription_id")$
+#'     get_resource_group("rgname")
+#'
+#' rg$list_key_vaults()
+#'
+#' rg$get_key_vault("mykeyvault")
+#'
+#' }
+NULL
+
+
+#' Delete an Azure Key Vault
+#'
+#' Method for the [AzureRMR::az_resource_group] class.
+#'
+#' @rdname delete_key_vault
+#' @name delete_key_vault
+#' @aliases delete_key_vault
+#'
+#' @section Usage:
+#' ```
+#' delete_key_vault(name, confirm=TRUE, wait=FALSE)
+#' ```
+#' @section Arguments:
+#' - `name`: The name of the key vault.
+#' - `confirm`: Whether to ask for confirmation before deleting.
+#' - `wait`: Whether to wait until the deletion is complete.
+#'
+#' @section Value:
+#' NULL on successful deletion.
+#'
+#' @seealso
+#' [create_key_vault], [get_key_vault], [az_key_vault],
+#'
+#' [Azure Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/),
+#' [Azure Key Vault API reference](https://docs.microsoft.com/en-us/rest/api/keyvault)
+#'
+#' @examples
+#' \dontrun{
+#'
+#' rg <- AzureRMR::get_azure_login()$
+#'     get_subscription("subscription_id")$
+#'     get_resource_group("rgname")
+#'
+#' rg$delete_key_vault("mykeyvault")
+#'
+#' }
+NULL
+
+
 add_methods <- function()
 {
    ## extending AzureRMR classes
@ -47,4 +184,24 @@ add_methods <- function()
    {
        self$get_key_vault(name)$delete(confirm=confirm, wait=wait)
    })
+
+    
+    AzureRMR::az_resource_group$set("public", "list_key_vaults", overwrite=TRUE,
+    function()
+    {
+        api_version <- az_subscription$
+            new(self$token, self$subscription)$
+            get_provider_api_version("Microsoft.KeyVault", "vaults")
+
+        lst <- private$rg_op("providers/Microsoft.KeyVault/vaults", api_version=api_version)
+        res <- lst$value
+        while(!is_empty(lst$nextLink))
+        {
+            lst <- call_azure_url(self$token, lst$nextLink)
+            res <- c(res, lst$value)
+        }
+
+        named_list(lapply(res, function(parms)
+            AzureKeyVault::az_key_vault$new(self$token, self$subscription, deployed_properties=parms)))
+    })
 }
--- a/R/az_vault.R
+++ b/R/az_vault.R
@ -1,3 +1,99 @@
+#' Key vault resource class
+#'
+#' Class representing a key vault, exposing methods for working with it.
+#'
+#' @docType class
+#' @section Methods:
+#' The following methods are available, in addition to those provided by the [AzureRMR::az_resource] class:
+#' - `new(...)`: Initialize a new key vault object. See 'Initialization'.
+#' - `add_principal(principal, ...)`: Add an access policy for a user or service principal. See 'Access policies' below.
+#' - `get_principal(principal)`: Retrieve an access policy for a user or service principal.
+#' - `remove_principal(principal)`: Remove access for a user or service principal.
+#' - `get_endpoint()`: Return the vault endpoint. See 'Endpoint' below.
+#'
+#' @section Initialization:
+#' Initializing a new object of this class can either retrieve an existing key vault, or create a new vault on the host. The recommended way to initialize an object is via the `get_key_vault`, `create_key_vault` or `list_key_vaults` methods of the [az_resource_group] class, which handle the details automatically.
+#'
+#' @section Access policies:
+#' Client access to a key vault is governed by its access policies, which are set on a per-principal basis. Each principal (user or service) can have different permissions granted, for keys, secrets, certificates, and storage accounts. 
+#'
+#' To grant access, use the `add_principal` method. This has signature
+#'
+#' ```
+#' add_principal(principal, tenant = NULL,
+#'               key_permissions = "all",
+#'               secret_permissions = "all",
+#'               certificate_permissions = "all",
+#'               storage_permissions = "all")
+#'```
+#' The `principal` can be a GUID, an object of class `vault_access_policy`, or a user, app or service principal object from the AzureGraph package. Note that the app ID of a registered app is not the same as the ID of its service principal.
+#'
+#' The tenant must be a GUID; if this is NULL, it will be taken from the tenant of the key vault resource.
+#'
+#' Here are the possible permissions for keys, secrets, certificates, and storage accounts. The permission "all" means to grant all permissions.
+#' - Keys: "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "decrypt", "encrypt", "unwrapkey", "wrapkey", "verify", "sign", "purge"
+#' - Secrets: "get", "list", "set", "delete", "recover", "backup", "restore", "purge"
+#' - Certificates: "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "managecontacts", "manageissuers", "getissuers", "listissuers", "setissuers", "deleteissuers", "purge"
+#' - Storage accounts: "get", "list", "update", "set", "delete", "recover", "backup", "restore", "regeneratekey", "getsas", "listsas", "setsas", "deletesas", "purge"
+#'
+#' To revoke access, use the `remove_principal` method. To view the current access policy, use `get_principal` or `list_principals`.
+#'
+#' @section Endpoint:
+#' The client-side interaction with a key vault is via its _endpoint_, which is usually at the URL `https://[vaultname].vault.azure.net`. The `get_endpoint` method returns an R6 object of class `key_vault`, which represents the endpoint. Authenticating with the endpoint is done via an OAuth token; the necessary credentials are taken from the current Resource Manager client in use, or you can supply your own.
+#'
+#' ```
+#' get_endpoint(tenant = self$token$tenant,
+#'              app = self$token$client$client_id,
+#'              password = self$token$client$client_secret, ...)
+#'```
+#' To access the key vault independently of Resource Manager (for example if you are a user without admin or owner access to the vault resource), use the [key_vault] function.
+#'
+#' @seealso
+#' [vault_access_policy], [key_vault]
+#' [create_key_vault], [get_key_vault], [delete_key_vault],
+#' [AzureGraph::get_graph_login], [AzureGraph::az_user], [AzureGraph::az_app], [AzureGraph::az_service_principal]
+#'
+#' [Azure Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/),
+#' [Azure Key Vault API reference](https://docs.microsoft.com/en-us/rest/api/keyvault)
+#'
+#' @examples
+#' \dontrun{
+#'
+#' # recommended way of retrieving a resource: via a resource group object
+#' kv <- resgroup$get_key_vault("mykeyvault")
+#'
+#' # list principals that have access to the vault
+#' kv$list_principals()
+#'
+#' # grant a user full access (the default)
+#' usr <- AzureGraph::get_graph_login()$
+#'     get_user("username@aadtenant.com")
+#' kv$add_principal(usr)
+#'
+#' # grant a service principal read access to keys and secrets only
+#' svc <- AzureGraph::get_graph_login()$
+#'     get_service_principal(app_id="app_id")
+#' kv$add_principal(svc,
+#'     key_permissions=c("get", "list"),
+#'     secret_permissions=c("get", "list"),
+#'     certificate_permissions=NULL,
+#'     storage_permissions=NULL)
+#
+#' # alternatively, supply a vault_access_policy with the listed permissions
+#' pol <- vault_access_policy(svc,
+#'     key_permissions=c("get", "list"),
+#'     secret_permissions=c("get", "list"),
+#'     certificate_permissions=NULL,
+#'     storage_permissions=NULL)
+#' kv$add_principal(pol)
+#'
+#' # revoke access
+#' kv$remove_access(svc)
+#'
+#' # get the endpoint object
+#' vault <- kv$get_endpoint()
+#'
+#' }
 #' @export
 az_key_vault=R6::R6Class("az_key_vault", inherit=AzureRMR::az_resource,

@ -72,6 +168,53 @@ public=list(
 ))


+#' Specify a key vault access policy
+#'
+#' @param principal The user or service principal for this access policy. Can be a GUID, or a user, app or service principal object from the AzureGraph package.
+#' @param tenant The tenant of the principal.
+#' @param key_permissions The permissions to grant for working with keys.
+#' @param secret_permissions The permissions to grant for working with secrets.
+#' @param certificate_permissions The permissions to grant for working with certificates.
+#' @param storage_permissions The permissions to grant for working with storage accounts.
+#'
+#' @details
+#' Client access to a key vault is governed by its access policies, which are set on a per-principal basis. Each principal (user or service) can have different permissions granted, for keys, secrets, certificates, and storage accounts. 
+#'
+#' Here are the possible permissions. The permission "all" means to grant all permissions.
+#' - Keys: "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "decrypt", "encrypt", "unwrapkey", "wrapkey", "verify", "sign", "purge"
+#' - Secrets: "get", "list", "set", "delete", "recover", "backup", "restore", "purge"
+#' - Certificates: "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "managecontacts", "manageissuers", "getissuers", "listissuers", "setissuers", "deleteissuers", "purge"
+#' - Storage accounts: "get", "list", "update", "set", "delete", "recover", "backup", "restore", "regeneratekey", "getsas", "listsas", "setsas", "deletesas", "purge"
+#'
+#' @return
+#' An object of class `vault_access_policy`, suitable for creating a key vault resource.
+#'
+#' @seealso
+#' [create_key_vault], [az_key_vault]
+#'
+#' [Azure Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/),
+#' [Azure Key Vault API reference](https://docs.microsoft.com/en-us/rest/api/keyvault)
+#'
+#' @examples
+#' \dontrun{
+#'
+#' # default is to grant full access
+#' vault_access_policy("user_id")
+#'
+#' # use AzureGraph to specify a user via their email address rather than a GUID
+#' usr <- AzureGraph::get_graph_login()$get_user("username@aadtenant.com")
+#' vault_access_policy(usr)
+#'
+#' # grant a service principal read access to keys and secrets only
+#' svc <- AzureGraph::get_graph_login()$
+#'     get_service_principal(app_id="app_id")
+#' vault_access_policy(svc,
+#'     key_permissions=c("get", "list"),
+#'     secret_permissions=c("get", "list"),
+#'     certificate_permissions=NULL,
+#'     storage_permissions=NULL)
+#' 
+#' }
 #' @export
 vault_access_policy <- function(principal, tenant=NULL,
                                key_permissions="all",
@ -125,6 +268,8 @@ find_principal=function(principal)
        principal$properties$id
    else if(is_app(principal))
        principal$get_service_principal()$properties$id
+    else if(inherits(principal, "vault_access_policy"))
+        principal$objectId
    else if(!is_guid(principal))
        stop("Must supply a valid principal ID or object", call.=FALSE)
    else AzureAuth::normalize_guid(principal)
--- a/man/az_key_vault.Rd
+++ b/man/az_key_vault.Rd
@ -0,0 +1,113 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/az_vault.R
+\docType{class}
+\name{az_key_vault}
+\alias{az_key_vault}
+\title{Key vault resource class}
+\format{An object of class \code{R6ClassGenerator} of length 24.}
+\usage{
+az_key_vault
+}
+\description{
+Class representing a key vault, exposing methods for working with it.
+}
+\section{Methods}{
+
+The following methods are available, in addition to those provided by the \link[AzureRMR:az_resource]{AzureRMR::az_resource} class:
+\itemize{
+\item \code{new(...)}: Initialize a new key vault object. See 'Initialization'.
+\item \code{add_principal(principal, ...)}: Add an access policy for a user or service principal. See 'Access policies' below.
+\item \code{get_principal(principal)}: Retrieve an access policy for a user or service principal.
+\item \code{remove_principal(principal)}: Remove access for a user or service principal.
+\item \code{get_endpoint()}: Return the vault endpoint. See 'Endpoint' below.
+}
+}
+
+\section{Initialization}{
+
+Initializing a new object of this class can either retrieve an existing key vault, or create a new vault on the host. The recommended way to initialize an object is via the \code{get_key_vault}, \code{create_key_vault} or \code{list_key_vaults} methods of the \link{az_resource_group} class, which handle the details automatically.
+}
+
+\section{Access policies}{
+
+Client access to a key vault is governed by its access policies, which are set on a per-principal basis. Each principal (user or service) can have different permissions granted, for keys, secrets, certificates, and storage accounts.
+
+To grant access, use the \code{add_principal} method. This has signature\preformatted{add_principal(principal, tenant = NULL,
+              key_permissions = "all",
+              secret_permissions = "all",
+              certificate_permissions = "all",
+              storage_permissions = "all")
+}
+
+The \code{principal} can be a GUID, an object of class \code{vault_access_policy}, or a user, app or service principal object from the AzureGraph package. Note that the app ID of a registered app is not the same as the ID of its service principal.
+
+The tenant must be a GUID; if this is NULL, it will be taken from the tenant of the key vault resource.
+
+Here are the possible permissions for keys, secrets, certificates, and storage accounts. The permission "all" means to grant all permissions.
+\itemize{
+\item Keys: "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "decrypt", "encrypt", "unwrapkey", "wrapkey", "verify", "sign", "purge"
+\item Secrets: "get", "list", "set", "delete", "recover", "backup", "restore", "purge"
+\item Certificates: "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "managecontacts", "manageissuers", "getissuers", "listissuers", "setissuers", "deleteissuers", "purge"
+\item Storage accounts: "get", "list", "update", "set", "delete", "recover", "backup", "restore", "regeneratekey", "getsas", "listsas", "setsas", "deletesas", "purge"
+}
+
+To revoke access, use the \code{remove_principal} method. To view the current access policy, use \code{get_principal} or \code{list_principals}.
+}
+
+\section{Endpoint}{
+
+The client-side interaction with a key vault is via its \emph{endpoint}, which is usually at the URL \code{https://[vaultname].vault.azure.net}. The \code{get_endpoint} method returns an R6 object of class \code{key_vault}, which represents the endpoint. Authenticating with the endpoint is done via an OAuth token; the necessary credentials are taken from the current Resource Manager client in use, or you can supply your own.\preformatted{get_endpoint(tenant = self$token$tenant,
+             app = self$token$client$client_id,
+             password = self$token$client$client_secret, ...)
+}
+
+To access the key vault independently of Resource Manager (for example if you are a user without admin or owner access to the vault resource), use the \link{key_vault} function.
+}
+
+\examples{
+\dontrun{
+
+# recommended way of retrieving a resource: via a resource group object
+kv <- resgroup$get_key_vault("mykeyvault")
+
+# list principals that have access to the vault
+kv$list_principals()
+
+# grant a user full access (the default)
+usr <- AzureGraph::get_graph_login()$
+    get_user("username@aadtenant.com")
+kv$add_principal(usr)
+
+# grant a service principal read access to keys and secrets only
+svc <- AzureGraph::get_graph_login()$
+    get_service_principal(app_id="app_id")
+kv$add_principal(svc,
+    key_permissions=c("get", "list"),
+    secret_permissions=c("get", "list"),
+    certificate_permissions=NULL,
+    storage_permissions=NULL)
+# alternatively, supply a vault_access_policy with the listed permissions
+pol <- vault_access_policy(svc,
+    key_permissions=c("get", "list"),
+    secret_permissions=c("get", "list"),
+    certificate_permissions=NULL,
+    storage_permissions=NULL)
+kv$add_principal(pol)
+
+# revoke access
+kv$remove_access(svc)
+
+# get the endpoint object
+vault <- kv$get_endpoint()
+
+}
+}
+\seealso{
+\link{vault_access_policy}, \link{key_vault}
+\link{create_key_vault}, \link{get_key_vault}, \link{delete_key_vault},
+\link[AzureGraph:get_graph_login]{AzureGraph::get_graph_login}, \link[AzureGraph:az_user]{AzureGraph::az_user}, \link[AzureGraph:az_app]{AzureGraph::az_app}, \link[AzureGraph:az_service_principal]{AzureGraph::az_service_principal}
+
+\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
+\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
+}
+\keyword{datasets}
--- a/man/create_key_vault.Rd
+++ b/man/create_key_vault.Rd
@ -0,0 +1,62 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/add_methods.R
+\name{create_key_vault}
+\alias{create_key_vault}
+\title{Create Azure key vault}
+\description{
+Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} class.
+}
+\section{Usage}{
+\preformatted{create_key_vault(name, location = self$location, initial_access = default_access(),
+                 sku = "Standard", ..., wait = TRUE)
+}
+}
+
+\section{Arguments}{
+
+\itemize{
+\item \code{name}: The name of the key vault.
+\item \code{location}: The location/region in which to create the account. Defaults to the resource group location.
+\item \code{initial_access}: The user or service principals that will have access to the vault. This should be a list of objects of type \code{[vault_access_policy]}, created by the function of the same name. The default is to grant access to the logged-in user or service principal of the current Resource Manager client.
+\item \code{sku}: The sku for the vault. Set this to "Premium" to enable the use of hardware security modules (HSMs).
+\item \code{...}: Other named arguments to pass to the \link{az_storage} initialization function.
+\item \code{wait}: Whether to wait for the resource creation to complete before returning.
+}
+}
+
+\section{Details}{
+
+This method deploys a new key vault resource, with parameters given by the arguments. A key vault is a secure facility for storing and managing encryption keys, certificates, storage account keys, and generic secrets.
+
+A new key vault will have access granted to the user or service principal used to sign in to the Azure Resource Manager client. To manage access policies after creation, use the \code{add_principal}, \code{list_principals} and \code{remove_principal} methods of the key vault object.
+}
+
+\section{Value}{
+
+An object of class \code{az_key_vault} representing the created key vault.
+}
+
+\examples{
+\dontrun{
+
+rg <- AzureRMR::get_azure_login()$
+    get_subscription("subscription_id")$
+    get_resource_group("rgname")
+
+# create a new key vault
+rg$create_key_vault("mykeyvault")
+
+# create a new key vault, and grant access to a service principal
+gr <- AzureGraph::get_graph_login()
+svc <- gr$get_service_principal("app_id")
+rg$create_key_vault("mykeyvault",
+    initial_access=list(vault_access_policy(svc, tenant=NULL)))
+
+}
+}
+\seealso{
+\link{get_key_vault}, \link{delete_key_vault}, \link{az_key_vault}, \link{vault_access_policy}
+
+\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
+\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
+}
--- a/man/delete_key_vault.Rd
+++ b/man/delete_key_vault.Rd
@ -0,0 +1,44 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/add_methods.R
+\name{delete_key_vault}
+\alias{delete_key_vault}
+\title{Delete an Azure Key Vault}
+\description{
+Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} class.
+}
+\section{Usage}{
+\preformatted{delete_key_vault(name, confirm=TRUE, wait=FALSE)
+}
+}
+
+\section{Arguments}{
+
+\itemize{
+\item \code{name}: The name of the key vault.
+\item \code{confirm}: Whether to ask for confirmation before deleting.
+\item \code{wait}: Whether to wait until the deletion is complete.
+}
+}
+
+\section{Value}{
+
+NULL on successful deletion.
+}
+
+\examples{
+\dontrun{
+
+rg <- AzureRMR::get_azure_login()$
+    get_subscription("subscription_id")$
+    get_resource_group("rgname")
+
+rg$delete_key_vault("mykeyvault")
+
+}
+}
+\seealso{
+\link{create_key_vault}, \link{get_key_vault}, \link{az_key_vault},
+
+\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
+\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
+}
--- a/man/get_key_vault.Rd
+++ b/man/get_key_vault.Rd
@ -0,0 +1,48 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/add_methods.R
+\name{get_key_vault}
+\alias{get_key_vault}
+\alias{list_key_vaults}
+\title{Get existing Azure Key Vault}
+\description{
+Methods for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} class.
+}
+\section{Usage}{
+\preformatted{get_key_vault(name)
+list_key_vaults()
+}
+}
+
+\section{Arguments}{
+
+\itemize{
+\item \code{name}: For \code{get_key_vault()}, the name of the key vault.
+}
+}
+
+\section{Value}{
+
+For \code{get_key_vault()}, an object of class \code{az_key_vault} representing the vault.
+
+For \code{list_key_vaults()}, a list of such objects.
+}
+
+\examples{
+\dontrun{
+
+rg <- AzureRMR::get_azure_login()$
+    get_subscription("subscription_id")$
+    get_resource_group("rgname")
+
+rg$list_key_vaults()
+
+rg$get_key_vault("mykeyvault")
+
+}
+}
+\seealso{
+\link{create_key_vault}, \link{delete_key_vault}, \link{az_key_vault}
+
+\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
+\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
+}
--- a/man/vault_access_policy.Rd
+++ b/man/vault_access_policy.Rd
@ -0,0 +1,67 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/az_vault.R
+\name{vault_access_policy}
+\alias{vault_access_policy}
+\title{Specify a key vault access policy}
+\usage{
+vault_access_policy(principal, tenant = NULL, key_permissions = "all",
+  secret_permissions = "all", certificate_permissions = "all",
+  storage_permissions = "all")
+}
+\arguments{
+\item{principal}{The user or service principal for this access policy. Can be a GUID, or a user, app or service principal object from the AzureGraph package.}
+
+\item{tenant}{The tenant of the principal.}
+
+\item{key_permissions}{The permissions to grant for working with keys.}
+
+\item{secret_permissions}{The permissions to grant for working with secrets.}
+
+\item{certificate_permissions}{The permissions to grant for working with certificates.}
+
+\item{storage_permissions}{The permissions to grant for working with storage accounts.}
+}
+\value{
+An object of class \code{vault_access_policy}, suitable for creating a key vault resource.
+}
+\description{
+Specify a key vault access policy
+}
+\details{
+Client access to a key vault is governed by its access policies, which are set on a per-principal basis. Each principal (user or service) can have different permissions granted, for keys, secrets, certificates, and storage accounts.
+
+Here are the possible permissions. The permission "all" means to grant all permissions.
+\itemize{
+\item Keys: "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "decrypt", "encrypt", "unwrapkey", "wrapkey", "verify", "sign", "purge"
+\item Secrets: "get", "list", "set", "delete", "recover", "backup", "restore", "purge"
+\item Certificates: "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "managecontacts", "manageissuers", "getissuers", "listissuers", "setissuers", "deleteissuers", "purge"
+\item Storage accounts: "get", "list", "update", "set", "delete", "recover", "backup", "restore", "regeneratekey", "getsas", "listsas", "setsas", "deletesas", "purge"
+}
+}
+\examples{
+\dontrun{
+
+# default is to grant full access
+vault_access_policy("user_id")
+
+# use AzureGraph to specify a user via their email address rather than a GUID
+usr <- AzureGraph::get_graph_login()$get_user("username@aadtenant.com")
+vault_access_policy(usr)
+
+# grant a service principal read access to keys and secrets only
+svc <- AzureGraph::get_graph_login()$
+    get_service_principal(app_id="app_id")
+vault_access_policy(svc,
+    key_permissions=c("get", "list"),
+    secret_permissions=c("get", "list"),
+    certificate_permissions=NULL,
+    storage_permissions=NULL)
+
+}
+}
+\seealso{
+\link{create_key_vault}, \link{az_key_vault}
+
+\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
+\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
+}