Create an API Connection to Azure KeyVault using Service Principal Authentication through ARM template
I am trying to deploy a Microsoft.Web/connections resource using an ARM template. The API Connection connects to a Key Vault in a different tenant, so I need to use a service principal for authentication.
I have managed to get the resource to deploy but the connection fails with error: Unauthorized when trying to access the Key Vault in my logic app action. I have set up the connection manually to ensure the service principal's set up correctly so I know it must be an error with my parameterValues section in my ARM template.
I have used this tool to try and work out what's needed in the parameterValues section, but I am not convinced I have it correct.
Here is my redacted ARM template for the connection:
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "NAME_OF_CONNECTION,
"location": "[resourceGroup().location]",
"properties": {
"displayName": "NAME_OF_CONNECTION",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]"
},
"parameterValues": {
"vaultName":"NAME_OF_VAULT",
"token:clientId" : "GUID_HERE",
"token:clientSecret" : "SECRET_HERE",
"token:TenantId" : "GUID_HERE",
"token:resourceUri": "https://NAME_OF_VAULT.vault.azure.net/",
"token:grantType": "client_credentials"
}
}
}
Is it possible to do this? I can't see why it wouldn't be. If it is, why is this not documented anywhere?
try "token:resourceUri": "https://vault.azure.net". reference here explicitly asked to using this in header. https://learn.microsoft.com/en-us/azure/key-vault/general/authentication-requests-and-responses#authentication
If above not works try to change to "token:resourceUri": "https://management.azure.com/"
- How to check Debug.Writeline() output in VS code?
- C# API - Provide download of files from Azure Blobstorage
- localhost:300/api is not working : "This page isn’t working"
- Creating an Azure Linux VM with Ubuntu 20.04 with Terraform
- Failed to deploy path that does not exist
- Using Azure WAF for my server(not in Azure)
- How and where to define an environment variable on Azure
- Azure Data Factory - Unable to preview data
- Azure yaml trigger pipeline every 14 days on a Saturday
- Diagnostic setting not included in Azure Portal ARM template export
- How do I read the original pdf file in set indexer datasource in a custom WebApiSkill after enabling "Allow Skillset to read file data"
- How do I store vectors generated by AzureOpenAIEmbeddingSkill in indexer given my current setup
- Authenticating using the Azure CLI is only supported as a User (not a Service Principal)
- Azure Function App - frequent hang and deadlocks
- Sign Tool for Azure Trusted Service Account Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
- How to convert the premium file share to premium block blob storage account or standard general purpose v2 storage account?
- How to generate an azure blob url with SAS signature in nodejs sdk v12?
- How to Assign Role to New User with Graph API
- Directory disappears from azure cloud shell (home)
- Application Insights Logging Exceptions as Trace
- Issue with Azure key vault and Azure storage account deployment
- AddDataProtection().PersistKeysToAzureBlobStorage().ProtectKeysWithAzureKeyVault() getting httpVerb Error while accessing the blob storage
- temporary_name_for_rotation must be specified when changing any of the following properties: pod_subnet_id
- Native Node.js Metrics in Application Insights
- Azure Key Vault Disabled public access, how to access it through the portal via internet
- Using Google.Cloud.BigQuery.V2 API in Azure Functions
- Azure Functions no job found (python)
- Azure Machine Learning - Online Endpoint Schedule/Cost management
- Is it possible to read File from same folder where Azure function exists
- Make WAF policy to only allow Azure Load Testing or Azure Services