
How to pass Managed Identity Object ID to KeyVault template in Azure Blueprints


So, I am trying to spin up a Managed Identity and a KeyVault using Blueprints. I have an individually working template for each. My end goal is to spin up both resources along with a few more together in the same blueprint. The issue I'm having is that I need to pass my Managed Identity's object ID to the KeyVault template during deployment. I have the blueprint set up to deploy the managed identity resource group, then the managed identity, followed by the keyvault group and keyvault.

The deployment is working until the KV resource group and then failing during deployment of the keyvault. Does anyone have any insight on how to do this?

Below are 2 pics that show the layout of the blueprint and also the section of the keyvault template where the object Id is needed.

Azure Blueprint Layout: (screenshot)

KeyVault Template where access policy to managed Identity is located: (screenshot)

Error Pic: (screenshot)

Pic of the error on the next page after I click view deployment details: (screenshot)


Solution

  • From your description and screenshot, you want to add the UserAssigned Managed Identity to your keyvault along with the creation of it, and the keyvault and Managed Identity are in different resource groups.

    If so, the accessPolicies should be as below; it works fine on my side.

    "accessPolicies": [
        {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[reference(ResourceId(parameters('managedIdentityRG'), 'Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')),'2018-11-30','Full').properties.principalId]",
            "permissions": {
                "keys": [],
                "secrets": [
                    "Get"
                ],
                "certificates": []
            }
        }
    ]


    My complete template:

    {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "vaults_joykeyvault12_name": {
                "type": "String"
            },
            "managedIdentityName": {
                "type": "String"
            },
            "managedIdentityRG":{
                "type": "String"
            }
        },
        "variables": {},
        "resources": [
            {
                "type": "Microsoft.KeyVault/vaults",
                "apiVersion": "2016-10-01",
                "name": "[parameters('vaults_joykeyvault12_name')]",
                "location": "eastus",
                "tags": {},
                "properties": {
                    "sku": {
                        "family": "A",
                        "name": "Standard"
                    },
                    "tenantId": "[subscription().tenantId]",
                    "accessPolicies": [
                        {
                            "tenantId": "[subscription().tenantId]",
                            "objectId": "[reference(ResourceId(parameters('managedIdentityRG'), 'Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')),'2018-11-30','Full').properties.principalId]",
                            "permissions": {
                                "keys": [],
                                "secrets": [
                                    "Get"
                                ],
                                "certificates": []
                            }
                        }
                    ],
                    "enabledForDeployment": false,
                    "enabledForDiskEncryption": false,
                    "enabledForTemplateDeployment": false,
                    "enableSoftDelete": true
                }
            }
        ]
    }
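A pre-deployment check for templates like the one above, added here as an example and not part of the answer: it walks a Key Vault ARM template and flags access policies whose objectId is a hard-coded GUID (which drifts every time the identity is recreated) instead of a reference(...).properties.principalId expression, permissions beyond an assumed read-only allow-list, and a vault without soft delete. The sample template is constructed inline and the allow-list is an assumption.

```python
import json
import re

# Constructed sample: the vault resource from the answer, plus a second policy
# with the drift-prone hard-coded objectId the question was trying to avoid.
# Replace with json.load(open("keyvault.json")) to lint a real template.
SAMPLE_TEMPLATE = json.loads(r'''{
  "resources": [{
    "type": "Microsoft.KeyVault/vaults",
    "properties": {
      "enableSoftDelete": true,
      "accessPolicies": [{
        "tenantId": "[subscription().tenantId]",
        "objectId": "[reference(ResourceId(parameters('managedIdentityRG'), 'Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')),'2018-11-30','Full').properties.principalId]",
        "permissions": {"keys": [], "secrets": ["Get"], "certificates": []}
      }, {
        "tenantId": "[subscription().tenantId]",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {"keys": [], "secrets": ["Get", "Set", "Purge"], "certificates": []}
      }]
    }
  }]
}''')

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Assumed allow-list: a runtime identity that only reads secrets needs no more than this.
ALLOWED = {"keys": set(), "secrets": {"Get", "List"}, "certificates": set()}


def lint_access_policies(template: dict) -> list[str]:
    """Return one finding string per problem in the template's vault access policies."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.KeyVault/vaults":
            continue
        props = res.get("properties", {})
        if props.get("enableSoftDelete") is not True:
            findings.append("vault: enableSoftDelete is not true")
        for i, pol in enumerate(props.get("accessPolicies", [])):
            oid = pol.get("objectId", "")
            if GUID_RE.match(oid):
                findings.append(f"policy[{i}]: objectId is a hard-coded GUID; use reference(...).properties.principalId")
            elif not (oid.startswith("[") and ".principalId]" in oid):
                findings.append(f"policy[{i}]: objectId is not a principalId expression")
            for kind, allowed in ALLOWED.items():
                extra = set(pol.get("permissions", {}).get(kind, [])) - allowed
                if extra:
                    findings.append(f"policy[{i}]: excess {kind} permissions {sorted(extra)}")
    return findings
```

Run it in the pipeline before the blueprint assignment; a non-empty result means the template should not be deployed as-is.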