Tags: azure, azure-resource-manager, azure-keyvault, azure-rm-template

Set key vault access policies for multiple object ids using parameter (array type) via ARM Template


Is it possible to set key vault access policies for multiple object ids using a parameter of array type via ARM Template?

    "policies": {
      "value": [
        {
          "objectId": "<object-id-1>",
          "permissions": ["get", "set", "list"]
        },
        {
          "objectId": "<object-id-2>",
          "permissions": ["get", "set", "list"]
        }
      ]
    }

I need to set key vault access policies to two object ids as shown above. This is what I have tried:

(screenshot of the attempted template; image not available in text)

I see the following error:

[error]InvalidTemplate: Deployment template validation failed: 'The resource 'Microsoft.KeyVault/vaults/keyvaultname/accessPolicies/add' is defined multiple times in a template.


Solution

  • Looks like you are almost there. Here is a modification of what you posted that I have working.

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "keyVaultName": {
          "type": "string"
        },
        "policies": {
          "type": "array",
          "metadata": {
            "description": "Array of object ids and permissions."
          }
        }
      },
      "resources": [
        {
          "type": "Microsoft.KeyVault/vaults/accessPolicies",
          "name": "[concat(parameters('keyVaultName'), '/add')]",
          "apiVersion": "2019-09-01",
          "properties": {
            "copy": [
              {
                "name": "accessPolicies",
                "count": "[length(parameters('policies'))]",
                "input": {
                  "tenantId": "[parameters('policies')[copyIndex('accessPolicies')].tenantId]",
                  "objectId": "[parameters('policies')[copyIndex('accessPolicies')].objectId]",
                  "permissions": {
                    "keys": "[parameters('policies')[copyIndex('accessPolicies')].keys]",
                    "secrets": "[parameters('policies')[copyIndex('accessPolicies')].secrets]",
                    "certificates": "[parameters('policies')[copyIndex('accessPolicies')].certificates]"
                  }
                }
              }
            ]
          }
        }
      ]
    }
    

    Here is the PowerShell variable that I splatted on the deployment call.

    $parameters = @{
      'keyVaultName' = 'kv62443460'
      'policies' = @(
        @{
            'tenantId' = '<GUID>'
            'objectId' = '<GUID>'
            'keys' = @()
            'secrets' = @('get')
            'certificates' = @()
        },
        @{
            'tenantId' = '<GUID>'
            'objectId' = '<GUID>'
            'keys' = @()
            'secrets' = @()
            'certificates' = @('list')
        }
      )
    }
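
A pre-flight script for the template and parameter object above, added here as an example rather than taken from the answer: it checks that every `policies` entry carries each field the copy loop indexes and that the ids parse as GUIDs, then runs `Test-AzResourceGroupDeployment` before deploying. The resource group name and template path are assumed, and the GUID placeholders must be replaced before running.

```powershell
# Added example, not from the answer: pre-flight checks on the parameter object
# before the template above is deployed. Resource group name and template path
# are assumed; the GUIDs are placeholders to be replaced before running.
$resourceGroup = 'rg-keyvault-demo'                 # assumed
$templateFile  = '.\keyvault-access-policies.json'  # assumed: the template from the answer

$parameters = @{
  'keyVaultName' = 'kv62443460'
  'policies' = @(
    @{ 'tenantId' = '<GUID>'; 'objectId' = '<GUID>'
       'keys' = @(); 'secrets' = @('get'); 'certificates' = @() }
  )
}

function Test-PolicyShape {
  param([Parameter(Mandatory)][hashtable[]]$Policies)
  # The template reads parameters('policies')[copyIndex('accessPolicies')].<key>
  # for each of these keys; a missing one only fails at deployment time.
  $required = 'tenantId', 'objectId', 'keys', 'secrets', 'certificates'
  $findings = for ($i = 0; $i -lt $Policies.Count; $i++) {
    $p = $Policies[$i]
    foreach ($k in $required) {
      if (-not $p.ContainsKey($k)) { "policies[$i]: missing '$k'" }
    }
    foreach ($k in 'tenantId', 'objectId') {
      $g = [guid]::Empty
      if ($p.ContainsKey($k) -and -not [guid]::TryParse([string]$p[$k], [ref]$g)) {
        "policies[$i]: '$k' is not a GUID"
      }
    }
    foreach ($k in 'keys', 'secrets', 'certificates') {
      # Permission lists must be arrays, even when empty, to match the template.
      if ($p.ContainsKey($k) -and $p[$k] -isnot [array]) { "policies[$i]: '$k' must be an array" }
    }
  }
  return @($findings)
}

$problems = Test-PolicyShape -Policies $parameters.policies
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Error $_ }; return }

# Validation surfaces template errors such as 'is defined multiple times in a
# template' without touching the vault; it returns error objects, or nothing.
$validation = Test-AzResourceGroupDeployment -ResourceGroupName $resourceGroup `
  -TemplateFile $templateFile -TemplateParameterObject $parameters
if ($validation) { $validation | Format-List; return }

New-AzResourceGroupDeployment -ResourceGroupName $resourceGroup `
  -TemplateFile $templateFile -TemplateParameterObject $parameters
```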