Create an API Connection to Azure KeyVault using Service Principal Authentication through ARM template

I am trying to deploy a Microsoft.Web/connections resource using an ARM template. The API Connection connects to a Key Vault in a different tenant, so I need to use a service principal for authentication.

I have managed to get the resource to deploy, but the connection fails with error: Unauthorized when trying to access the Key Vault in my logic app action. I have set up the connection manually to ensure the service principal is set up correctly, so I know it must be an error with my parameterValues section in my ARM template.

I have used this tool to try and work out what's needed in the parameterValues section, but I am not convinced I have it correct.

Here is my redacted ARM template for the connection:

        {
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "name": "NAME_OF_CONNECTION",
            "location": "[resourceGroup().location]",
            "properties": {
                "displayName": "NAME_OF_CONNECTION",
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]"
                },
                "parameterValues": {
                    "token:clientId": "GUID_HERE",
                    "token:clientSecret": "SECRET_HERE",
                    "token:TenantId": "GUID_HERE",
                    "token:resourceUri": "",
                    "token:grantType": "client_credentials"
                }
            }
        }

Is it possible to do this? I can't see why it wouldn't be. If it is, why is this not documented anywhere?


  • Try using "token:resourceUri": "" (without the NAME_OF_VAULT and without a slash at the end).
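
A pre-deployment check for the advice in the comment above, as an added example that is not part of the original question or comment: it flags a `token:resourceUri` that is empty, ends with a slash, or carries the vault name, and also flags a `token:clientSecret` written as a literal instead of a template expression such as a securestring parameter reference. The `token:*` keys are the ones in the question's template; the function names, host names and sample values are constructed placeholders, not the real Key Vault resource URI.

```python
from urllib.parse import urlparse


def lint_keyvault_connection(resource, vault_name):
    """Return findings for the parameterValues of a Microsoft.Web/connections resource."""
    findings = []
    params = resource.get("properties", {}).get("parameterValues", {})

    uri = params.get("token:resourceUri", "")
    if not uri:
        findings.append("token:resourceUri is empty")
    else:
        host = (urlparse(uri).hostname or "").lower()
        if uri.endswith("/"):
            findings.append("token:resourceUri ends with a slash")
        # The comment says the value must not include NAME_OF_VAULT.
        if vault_name.lower() in host.split("."):
            findings.append("token:resourceUri contains the vault name")

    # ARM template expressions are strings wrapped in [ ]; anything else is a
    # literal that ends up in source control and deployment history.
    secret = params.get("token:clientSecret", "")
    if secret and not (secret.startswith("[") and secret.endswith("]")):
        findings.append("token:clientSecret is a literal, not a template expression")
    return findings


def make_connection(resource_uri, client_secret):
    """Build a connection resource shaped like the one in the question (constructed)."""
    return {
        "type": "Microsoft.Web/connections",
        "properties": {
            "parameterValues": {
                "token:clientId": "GUID_HERE",
                "token:clientSecret": client_secret,
                "token:TenantId": "GUID_HERE",
                "token:resourceUri": resource_uri,
                "token:grantType": "client_credentials",
            }
        },
    }


# Constructed samples; kv.example.test stands in for the real resource URI.
BEFORE = make_connection("https://my-vault.kv.example.test/", "SECRET_HERE")
AFTER = make_connection("https://kv.example.test", "[parameters('clientSecret')]")

if __name__ == "__main__":
    for label, res in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_keyvault_connection(res, "my-vault"))
```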