Assign App Service - Identity to KeyVault in Azure using Pulumi

Question

I create an App Service using "classic" Pulumi.Azure:

        var appservice=new AppService(appserviceName, new AppServiceArgs
        {
            Name = appserviceName,
            Location = _resourceGroup.Location,
            AppServicePlanId = _servicePlan.Id,
            ResourceGroupName = _resourceGroup.Name,
            SiteConfig = new Pulumi.Azure.AppService.Inputs.AppServiceSiteConfigArgs
            {
                DotnetFrameworkVersion = "v5.0",
                ScmType = "None",
            },
            Tags = { { "environemnt", "dev" } },
            Logs = new AppServiceLogsArgs
            {
                HttpLogs = new AppServiceLogsHttpLogsArgs
                {
                    FileSystem = new AppServiceLogsHttpLogsFileSystemArgs { RetentionInDays = 14, RetentionInMb = 35 }
                }
            }
            ,
            AppSettings = appSettings
        });
        

I also create a keyvault:

  var currentConfig=Output.Create(GetClientConfig.InvokeAsync());
            var keyVault = new KeyVault(vaultname, new KeyVaultArgs
            {
                Name = vaultname,
                Location = _resourceGroup.Location,
                ResourceGroupName = _resourceGroup.Name,
                TenantId = currentConfig.Apply(q => q.TenantId),
                SkuName="standard"
                , AccessPolicies=
                {
                     new Pulumi.Azure.KeyVault.Inputs.KeyVaultAccessPolicyArgs
                     {
                         TenantId=currentConfig.Apply(q=>q.TenantId),
                         ObjectId=currentConfig.Apply(q=>q.ObjectId),
                          KeyPermissions={"get", "create", "list"},
                          SecretPermissions={"set","get","delete","purge","recover", "list"}
                     }
                }
            });

Both work as expected. KeyVault and App Service are being created and accessable by me. Now I need that the App Service also can access the KeyVault.

But when adding a new Access Policy I am stuck at the ObjectId. The App Service does not seem to have a valid object id I can assign to the vault. When checking the service on Azure Portal I also see the Identy is missing:

So what has to be done as pulumi code that would achieve the same thing as clicking onto "On" in Azure and retrieve the ObjectId afterwards?

Answer 1

You need to set the following property on AppService to enable the managed identity:

Identity = new AppServiceIdentityArgs {Type = "SystemAssigned"},

This example illustrates the end-to-end implementation: https://github.com/pulumi/examples/blob/327afe30ce820901f210ed2a01da408071598ed6/azure-cs-msi-keyvault-rbac/AppStack.cs#L128