Logic App with Managed Identity that gets triggered when a new Azure KeyVault Secret is to Expire
I have managed to create a Logic App that can send an email once an Azure KeyVault secret is about to expire. This works with my own credentials, but I cannot make it work with Managed Identity api connection.
For my Logic App I have enabled System Identity. Chosen "When an Event Grid resource event occurs" as the trigger and added RBAC role "Key Vault Administrator" to my Azure KeyVault
This now allows me to choose my KeyVault in the drop down menus on the trigger, which means my Managed Identity does have a connection to the KeyVault and I can pick up values in the drop down lists:
When I try to save this I get the following error:
Failed to save logic app logic-secrets-expiry-poc-mi. The workflow connection parameter 'azureeventgrid' is not valid. The API connection 'azureeventgrid' is configured to support managed identity but the connection parameter is either missing 'authentication' property in connection properties or authentication type is not 'ManagedServiceIdentity'.
What am I missing here?
Update: I found a workaround. I the Code view in the UI, I added this to the connection part:
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
so that it looks now like this:
This allows me to Save the Logic App in the Portal without getting the error.
Update: However I cannot get it to trigger even when I add another Event to listen to like "Microsoft.KeyVault.SecretNewVersionCreated" and try to create new Secrets in KeyVault. It is not being triggered.
Here is how to use Managed Identity from A-Z:
Start by creating a Key Vault and a Logic App (Consumption type used in this demo)
Enable Managed Identity on your Logic App:
Use RBAC permission model:
Add 2 RBAC roles to your KeyVault:
- Key Vault Crypto Service Encryption User
- Key Vault Secrets Office
Verify that the RBAC roles have been added:
Add a trigger for your Logic App using Managed Identity:
and choose these events:
Verify that the Trigger History has no errors:
Check that that the Event Grid Subscription has been created:
Create a new Secret:
Check that your Logic App has been triggered now:
And in the final step you can see details in the run:
Done
- Azure Service Plan - Convert Consumption App to Premium App
- No PK or FK when exporting SQL Server database
- Assigning a Token Lifetime Policy to an application in Microsoft EntraID seems to have no effect
- How to create a dataset for Azure custom speech using spx (speechCLI)
- Azure App Service Autoscale Fails to Scale In
- Azure Scale Out on Memory keeps flapping (not scaling in)
- Setting a server minimum for Azure Web App when using automatic scaling, from Bicep
- A keyvault created with access policy using BICEP creates compound identity
- Azure Loadbalancer with public IP forward traffic to Container Apps
- How to grant a Managed Identity permissions to an Azure SQL Database using IaC?
- What means skipNegotiation in SignalR HubConnection?
- Azure ClientCertificateCredential - Using SNI
- Azure AI Search MultiIndex / Conditional Semantic search
- MSAL Node service & The Partner Center API
- Load Registered Component in Azure ML for Pipeline using Python sdk v2
- Azure Blob:- How to automate Azure Archive Storage to Cool/Hot tier conversion, send download link once it's avaible , and re-archive after 72 hours?
- Azure App Service Custom Backup to Firewall Enabled Storage Account not working as expected
- How to take max value and replace it in drived column in data factory
- Synapse/ ADF - How to Truncate table if dynamic config column is True in pre-copy script
- Azure Cost Management - track costs associated with Databricks job
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How to check Debug.Writeline() output in VS code?
- C# API - Provide download of files from Azure Blobstorage
- localhost:300/api is not working : "This page isn’t working"
- Creating an Azure Linux VM with Ubuntu 20.04 with Terraform
- Failed to deploy path that does not exist
- Using Azure WAF for my server(not in Azure)
- How and where to define an environment variable on Azure
- Azure Data Factory - Unable to preview data
- Azure yaml trigger pipeline every 14 days on a Saturday