|
| 1 | +--- |
| 2 | +applyTo: "articles/key-vault/general/**,articles/key-vault/keys/**,articles/key-vault/secrets/**,articles/key-vault/certificates/**,articles/key-vault/index.yml,articles/key-vault/includes/**" |
| 3 | +--- |
| 4 | + |
| 5 | +# Azure Key Vault (AKV) docset context |
| 6 | + |
| 7 | +## Scope |
| 8 | + |
| 9 | +The Azure Key Vault docset covers the **vault** resource type and its four object types: |
| 10 | + |
| 11 | +| Subdirectory | Object type | Notes | |
| 12 | +|---|---|---| |
| 13 | +| `general/` | N/A (service-level) | Authentication, networking, RBAC, monitoring, recovery, developer guides | |
| 14 | +| `keys/` | Cryptographic keys | Software and HSM-protected keys, BYOK, key rotation, policy grammar | |
| 15 | +| `secrets/` | Secrets | Passwords, connection strings, rotation tutorials, dev guides | |
| 16 | +| `certificates/` | Certificates | Lifecycle, CA integration, import/export, renewal | |
| 17 | + |
| 18 | +Root-level files (`index.yml`, `policy-reference.md`, `resource-graph-samples.md`, `security-controls-policy.md`) are shared hub/reference pages. |
| 19 | + |
| 20 | +## Relationship to Managed HSM |
| 21 | + |
| 22 | +The `managed-hsm/` subdirectory is **physically** inside `articles/key-vault/` but is **logically a separate, peer service** with a completely distinct engineering and PM team. Treat it as a separate docset: |
| 23 | + |
| 24 | +- **Do not** add cross-references from AKV articles to MHSM unless there's a strong, specific reason. |
| 25 | +- **Do not** make bulk changes to AKV that sweep into `managed-hsm/`. |
| 26 | +- When scoping operations to "Key Vault docs," **always exclude `managed-hsm/`** unless explicitly told otherwise. |
| 27 | +- Long-term goal: fully divorce the two docsets so MHSM has no dependencies on `general/`, `secrets/`, `keys/`, or `certificates/`. |
| 28 | + |
| 29 | +There are currently ~26 cross-references from MHSM into AKV (mostly into `general/` for monitoring and service-limits content). These represent the coupling to be unwound over time. |
| 30 | + |
| 31 | +## History and known debt |
| 32 | + |
| 33 | +The original Key Vault documentation was written primarily around the secrets scenario. When the docset was split into four subdirectories (`general/`, `keys/`, `secrets/`, `certificates/`), **legacy content was pushed into `secrets/`**. As a result, `secrets/` is likely to contain articles that are: |
| 34 | + |
| 35 | +- Out of date or no longer accurate |
| 36 | +- Duplicative of content that now lives in `general/` |
| 37 | +- Covering deprecated features (e.g., managed storage account keys, retired April 2026) |
| 38 | + |
| 39 | +When auditing or updating `secrets/`, assume that older articles may need retirement rather than refreshing. |
| 40 | + |
| 41 | +## Deprecated features |
| 42 | + |
| 43 | +- **Managed storage account keys**: Fully deprecated. All articles were retired in April 2026 (PR #2707) and redirect to `/azure/storage/common/authorize-data-access`. The modern approach is Microsoft Entra ID + managed identities + Azure RBAC for storage access. |
| 44 | +- **Access policies (legacy)**: Vault access policies still work but are legacy. Azure RBAC is the recommended model. Articles covering access policies are marked "(legacy)" in the TOC. |
| 45 | +- **nCipher BYOK method**: Deprecated since June 30, 2021. Article retired in April 2026 (PR #2714) and redirects to `hsm-protected-keys-byok`. The current BYOK method supports all vendors listed in `hsm-protected-keys.md`. |
| 46 | +- **AppAuthentication .NET library**: Deprecated. Referenced in `general/developers-guide.md`. Modern approach is `Azure.Identity` with `DefaultAzureCredential`. |
| 47 | +- **Control Plane API versions before 2026-02-01**: Retiring February 27, 2027. See `general/access-control-default.md`. |
| 48 | + |
| 49 | +## Authorization model |
| 50 | + |
| 51 | +AKV supports two authorization models: |
| 52 | +1. **Azure RBAC** (recommended) — control-plane and data-plane access via Azure role assignments |
| 53 | +1. **Vault access policies** (legacy) — per-vault policies granting key/secret/certificate permissions |
| 54 | + |
| 55 | +New content should always demonstrate Azure RBAC. Access policy content should be clearly marked as legacy. |
| 56 | + |
| 57 | +## FIPS compliance (source of truth) |
| 58 | + |
| 59 | +The canonical FIPS compliance table is in `keys/about-keys.md` (lines 69-74): |
| 60 | + |
| 61 | +| Key type | Compliance | |
| 62 | +|---|---| |
| 63 | +| Software-protected (HSM Platform 0) | FIPS 140-2 Level 1 | |
| 64 | +| HSM Platform 1 in vaults (Premium SKU) | FIPS 140-2 Level 2 | |
| 65 | +| HSM Platform 2 in vaults (Premium SKU) | FIPS 140-3 Level 3 | |
| 66 | +| Keys in Managed HSM | FIPS 140-3 Level 3 | |
| 67 | + |
| 68 | +All **new** keys and key versions are created on HSM Platform 2. Any other article referencing FIPS levels should match this table. |
| 69 | + |
| 70 | +## Current SDK versions (as of April 2026) |
| 71 | + |
| 72 | +When auditing quickstarts, verify versions against these current stable releases: |
| 73 | + |
| 74 | +| Language | Keys package | Secrets package | Certs package | Identity package | |
| 75 | +|---|---|---|---|---| |
| 76 | +| Java (Maven) | azure-security-keyvault-keys **4.10.6** | azure-security-keyvault-secrets **4.10.6** | azure-security-keyvault-certificates **4.10.6** | azure-identity **1.18.2** | |
| 77 | +| .NET (NuGet) | Azure.Security.KeyVault.Keys **4.9.0** | Azure.Security.KeyVault.Secrets | Azure.Security.KeyVault.Certificates | Azure.Identity | |
| 78 | +| Python (pip) | azure-keyvault-keys **4.11.0** | azure-keyvault-secrets | azure-keyvault-certificates | azure-identity | |
| 79 | +| JavaScript (npm) | @azure/keyvault-keys **4.10.0** | @azure/keyvault-secrets | @azure/keyvault-certificates | @azure/identity | |
| 80 | +| Go | azkeys **v1.4.0** | azsecrets | azcertificates | azidentity | |
| 81 | + |
| 82 | +## Current API versions |
| 83 | + |
| 84 | +| Context | Version | Notes | |
| 85 | +|---|---|---| |
| 86 | +| Bicep/ARM (`Microsoft.KeyVault/vaults`) | **2024-11-01** | Replace any 2021-*-preview or 2022-* | |
| 87 | +| REST data plane | **7.6** | Replace 7.0–7.3 in URL examples | |
| 88 | + |
| 89 | +## Docset structure and key articles |
| 90 | + |
| 91 | +### `general/` (52 articles) |
| 92 | + |
| 93 | +Core topics by theme: |
| 94 | + |
| 95 | +- **Authentication & RBAC**: `authentication.md`, `rbac-guide.md`, `rbac-access-policy.md`, `rbac-migration.md`, `assign-access-policy.md`, `access-control-default.md` |
| 96 | +- **Network security**: `network-security.md`, `access-behind-firewall.md`, `private-link-service.md`, `private-link-diagnostics.md`, `overview-vnet-service-endpoints.md` |
| 97 | +- **Monitoring & logging**: `logging.md`, `howto-logging.md`, `monitor-key-vault.md`, `monitor-key-vault-reference.md`, `alert.md`, `event-grid-overview.md` |
| 98 | +- **Recovery**: `soft-delete-overview.md`, `key-vault-recovery.md`, `backup.md` |
| 99 | +- **Governance**: `azure-policy.md`, `secure-key-vault.md` |
| 100 | +- **Developer**: `developers-guide.md`, `client-libraries.md`, `apps-api-keys-secrets.md` |
| 101 | +- **Operations**: `move-resourcegroup.md`, `move-subscription.md`, `service-limits.md`, `overview-throttling.md` |
| 102 | +- **Reference**: `whats-new.md`, `common-error-codes.md`, `rest-error-codes.md`, `overview-security-worlds.md` |
| 103 | + |
| 104 | +Notable: Many files in general/ have ms.date from April 2025 (~12 months old), especially monitoring, alert, Event Grid, and quickstart articles. |
| 105 | + |
| 106 | +### `keys/` (28 articles, audited April 2026 in PR #2714) |
| 107 | + |
| 108 | +- **Conceptual core**: `about-keys.md` (overview) → `about-keys-details.md` (types/algorithms) → `secure-keys.md` (best practices) |
| 109 | +- **BYOK cluster**: `byok-specification.md` → `hsm-protected-keys.md` (overview + vendor table) → `hsm-protected-keys-byok.md` (implementation) |
| 110 | +- **Key rotation**: `how-to-configure-key-rotation.md` |
| 111 | +- **Reference**: `policy-grammar.md` (secure key release policy grammar) |
| 112 | +- **JS developer guides**: 9 articles (get-started + 8 operation-specific). The 04/14/2025 cluster hasn't been refreshed. |
| 113 | +- **Quickstarts**: 11 files (portal, CLI, PowerShell, Bicep, ARM, Terraform, Go, Java, .NET, Node, Python) |
| 114 | + |
| 115 | +### `secrets/` (22 articles, partially audited in PR #2712) |
| 116 | + |
| 117 | +- **Conceptual core**: `about-secrets.md` (overview), `secure-secrets.md` (best practices, ai-assisted) |
| 118 | +- **Rotation tutorials**: `tutorial-rotation.md` (single-credential), `tutorial-rotation-dual.md` (dual-credential) |
| 119 | +- **JS developer guides**: 7 articles (get-started + 6 operation-specific). The 04/14/2025 cluster hasn't been refreshed. |
| 120 | +- **Quickstarts**: 11 files (same language coverage as keys/) |
| 121 | +- **Special**: `multiline-secrets.md` (handling JSON, certs, RSA keys as multi-line secrets) |
| 122 | + |
| 123 | +Known: This docset inherited legacy content from the original monolithic KV docs. Managed storage articles were retired in PR #2707. |
| 124 | + |
| 125 | +### `certificates/` (21 articles, not yet audited) |
| 126 | + |
| 127 | +- **Conceptual core**: `about-certificates.md` (overview), `certificate-access-control.md` (permissions), `create-certificate.md` (creation methods), `certificate-scenarios.md` (getting started) |
| 128 | +- **Lifecycle**: `overview-renew-certificate.md`, `tutorial-rotate-certificates.md` |
| 129 | +- **CA integration**: `how-to-integrate-certificate-authority.md` (DigiCert/GlobalSign) |
| 130 | +- **Import/Export**: `tutorial-import-certificate.md`, `how-to-export-certificate.md`, `create-certificate-signing-request.md` |
| 131 | +- **Security**: `secure-certificates.md` (best practices, ai-assisted) |
| 132 | +- **Quickstarts**: 8 files (portal, CLI, PowerShell, .NET, Node, Python, Go, Java) |
| 133 | +- **FAQ**: `faq.yml` — **ms.date 05/25/2022, nearly 4 years old**. High priority for refresh or retirement. |
| 134 | + |
| 135 | +## Audit history |
| 136 | + |
| 137 | +| PR | Scope | Date | Summary | |
| 138 | +|---|---|---|---| |
| 139 | +| #2707 | secrets/, general/ | April 2026 | Retired 4 managed-storage-account articles, added Cloud HSM Event Hub tutorial | |
| 140 | +| #2712 | secrets/, general/ | April 2026 | Fixed 13 broken access-policy links, updated Java SDK versions, fixed deprecated CLI property, standardized placeholders, renamed images | |
| 141 | +| #2714 | keys/ | April 2026 | Retired nCipher article, fixed FIPS levels, updated Java SDK/API versions, standardized placeholders, added Utimaco link, labeled access policy section legacy | |
| 142 | + |
| 143 | +## Common issues to check during audits |
| 144 | + |
| 145 | +1. **Stale SDK versions** in quickstart files (especially Java — historically lags behind) |
| 146 | +1. **Old Bicep/ARM API versions** (2021-*-preview) in template quickstarts |
| 147 | +1. **Deprecated CLI properties** (`objectId` → `id`) |
| 148 | +1. **Links to consolidated access-policy files** (assign-access-policy-cli/powershell/portal.md → assign-access-policy.md) |
| 149 | +1. **FIPS version errors** (140-2 vs 140-3 confusion, especially for Managed HSM) |
| 150 | +1. **YOUR-VALUE placeholder style** (should be angle-bracket `<your-value>`) |
| 151 | +1. **Past-tense deprecation warnings** ("will not be supported after [past date]") |
| 152 | +1. **Missing `updated-for-az` include** on articles using PowerShell |
| 153 | +1. **Image case mismatches** (never fix with case-only rename — rename the entire file) |
| 154 | +1. **JavaScript developer guide staleness** — the 04/14/2025 cluster across both keys/ and secrets/ hasn't been refreshed |
| 155 | + |
| 156 | +## Redirect file |
| 157 | + |
| 158 | +Key Vault redirects go in `.openpublishing.redirection.key-vault.json` (not the generic `.openpublishing.redirection.json`). |
| 159 | + |
| 160 | +## Article counts (as of April 2026) |
| 161 | + |
| 162 | +- `general/`: 52 articles |
| 163 | +- `keys/`: 28 articles (was 29; nCipher retired) |
| 164 | +- `secrets/`: 22 articles (was 26; 4 managed-storage retired) |
| 165 | +- `certificates/`: 21 articles |
| 166 | +- Root: 5 files |
0 commit comments