I think Managed Service Identity is a great concept and I love keyvault. However:
When I use the script using an incremental resource group deployment:
Sample is modified for brevity
{
    "type": "Microsoft.KeyVault/vaults",
    "name": "[parameters('keyvaultName')]",
    "apiVersion": "2015-06-01",
    "properties": {
        "accessPolicies": [
            {
                "objectId": "[reference(parameters('functionAppName'), '2016-08-01', 'Full').identity.principalId]",
                "permissions": {
                    "keys": [],
                    "secrets": [
                        "Get"
                    ]
                }
            }
        ]
    },
    "dependsOn": [
        "[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]"
    ]
},
{
    "apiVersion": "2016-08-01",
    "type": "Microsoft.Web/sites",
    "name": "[parameters('functionAppName')]",
    "kind": "functionapp",
    "identity": {
        "type": "SystemAssigned"
    }
}
It deploys successfully and adds the MSI to keyvault, but --
It blows away the already assigned access policies. Is it possible for arm to preserve accessPolicies and only add/update policies that match?
Without this it's impossible to fully script a deployment with an MSI and also assign the principal to keyvault.
Am I missing something?
As the author of the blog post, I'll post the details per the mods:
When you deploy a resource of type Microsoft.KeyVault/vaults/accessPolicies with the name “add”, it will merge in your changes. This special child resource type was created to allow Managed Service Identity scenarios where you don’t know the identity of a VM until the VM is deployed and you want to give that identity access to the vault during deployment.
An incremental deployment can be used along with this json to achieve the objective:
{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vaultName": {
            "type": "string"
        }
    },
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults/accessPolicies",
            "name": "[concat(parameters('vaultName'), '/add')]",
            "apiVersion": "2016-10-01",
            "properties": {
                "accessPolicies": [
                    {
                        "tenantId": "dfe47ca8-acfc-4539-9519-7d195a9e79e4",
                        "objectId": "5abe9358-10ae-4195-ba23-d34111430329",
                        "permissions": {
                            "keys": ["all"],
                            "secrets": ["all"],
                            "certificates": ["all"],
                            "storage": ["all"]
                        }
                    }
                ]
            }
        }
    ],
    "outputs": {
    }
}
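The difference between the two approaches in the thread, as an added Python model (not Azure's code or anything from the original posts): a full `Microsoft.KeyVault/vaults` PUT replaces the policy list, the `vaults/accessPolicies` child named `add` merges by tenant and object ID, and a before/after diff catches the silent loss the question describes. Tenant and object IDs are constructed placeholders, and the template lint only looks at the resource shapes shown on this page.

```python
# Constructed sample data (placeholders, not real tenant/object IDs).
TENANT = "<tenant-id>"
EXISTING_POLICIES = [  # what the vault held before the deployment
    {"tenantId": TENANT, "objectId": "<admin-group-oid>",
     "permissions": {"keys": ["get", "list"], "secrets": ["get", "list", "set"]}},
    {"tenantId": TENANT, "objectId": "<ops-app-oid>", "permissions": {"secrets": ["get"]}},
]
MSI_POLICY = {  # the policy the template grants to the Function App's managed identity
    "tenantId": TENANT, "objectId": "<functionapp-msi-oid>",
    "permissions": {"keys": [], "secrets": ["Get"]},
}

def policy_key(policy):
    """Policies are matched on (tenantId, objectId); GUIDs compare case-insensitively."""
    return (policy["tenantId"].lower(), policy["objectId"].lower())

def full_vault_put(existing, template_policies):
    """PUT on Microsoft.KeyVault/vaults: properties.accessPolicies in the template
    replaces the vault's list, so anything not restated in the template is dropped."""
    return [dict(p) for p in template_policies]

def access_policies_add(existing, added):
    """Microsoft.KeyVault/vaults/accessPolicies named 'add': merge into the existing
    list; a policy for a principal already present has its permissions updated."""
    merged = {policy_key(p): dict(p) for p in existing}
    for p in added:
        merged[policy_key(p)] = dict(p)
    return list(merged.values())

def dropped_principals(before, after):
    """Object IDs that had access before the deployment and none after; run this
    diff after every deployment to catch policy loss before it breaks a consumer."""
    kept = {policy_key(p) for p in after}
    return sorted(policy_key(p)[1] for p in before if policy_key(p) not in kept)

def overwrites_access_policies(template):
    """Template lint: True when a full vault resource carries accessPolicies, i.e. the
    deployment will replace the vault's policy list instead of merging into it."""
    return any(r.get("type", "").lower() == "microsoft.keyvault/vaults"
               and "accessPolicies" in r.get("properties", {})
               for r in template.get("resources", []))
```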