Scenario
Hi, I would like to create Logic App that gets secret from Azure KeyVault and sends authenticated request to the API with secret from vault.
Problem
I receive: The workflow connection parameter 'keyvault' is not valid. The API connection 'keyvault' is not configured to support managed identity. during my ARM deploy. How to create Microsoft.Web/Connections with Managed identity from ARM template. There is no information about it in docs: apiConnection logicapp-MSI
repro
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('KeyVault_Connection_Name')]",
"location": "[variables('location')]",
"kind": "V1",
"properties": {
"api": {
"id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/', 'keyvault')]"
},
"parameterValues": {
"vaultName": "[variables('keyVaultName')]"
},
"displayName": "[variables('KeyVault_Display_Connection_Name')]"
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[variables('logicAppName')]",
"location": "[variables('location')]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/Connections', variables('KeyVault_Connection_Name'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {schedule trigger},
"actions": {get secret, send HTTP},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"keyvault": {
"connectionId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Web/connections/', variables('KeyVault_Connection_Name'))]",
"connectionName": "[variables('KeyVault_Display_Connection_Name')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
},
"id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'),'/managedApis/keyvault')]"
}
}
}
}
}
}
Tried
I added parameterValueType with value Alternative to Microsoft.Web/connections. It was also necessary to remove parameterValue, because it cause an error.
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('KeyVault_Connection_Name')]",
"location": "[variables('location')]",
"kind": "V1",
"properties": {
"api": {
"id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/', 'keyvault')]"
},
"parameterValueType": "Alternative",
"displayName": "[variables('KeyVault_Display_Connection_Name')]"
}
},
now I receive error during runtime when GET secret:
{
"status": 400,
"message": "The connection does not contain a vault name. Please edit the connection and enter a valid key vault name.",
"error": {
"message": "The connection does not contain a vault name. Please edit the connection and enter a valid key vault name."
},
"source": "keyvault-we.azconn-we.p.azurewebsites.net"
}
I have also tried to add vaultName to customParameterValues but it did not help.
Along with "parameterValueType": "Alternative", you also need to specify your keyvault name you want to access in alternativeParameterValues like below.
The sample works for me, joykeyvault123 is my keyvualt name.
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('KeyVault_Connection_Name')]",
"location": "[variables('location')]",
"kind": "V1",
"properties": {
"api": {
"id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/', 'keyvault')]"
},
"parameterValueType": "Alternative",
"alternativeParameterValues": {
"vaultName": "joykeyvault123"
},
"displayName": "[variables('KeyVault_Display_Connection_Name')]"
}
},