When I deploy my ARM template for the Azure Key Vault I get this error message.

    "error": {
        "code": "BadRequest",
        "message": "An invalid value was provided for 'accessPolicies'."
    }

My template:

    {
        "type": "Microsoft.KeyVault/vaults",
        "name": "[parameters('keyVaultName')]",
        "apiVersion": "2016-10-01",
        "location": "[parameters('location')]",
        "properties": {
            "enabledForDeployment": "[parameters('enableVaultForDeployment')]",
            "enabledForDiskEncryption": "[parameters('enableVaultForDiskEncryption')]",
            "enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
            "tenantId": "[parameters('tenantId')]",
            "accessPolicies": [],
            "sku": {
                "name": "[parameters('skuName')]",
                "family": "A"
            }
        }
    },
    {
        "type": "Microsoft.KeyVault/vaults/accessPolicies",
        "name": "[concat(parameters('keyVaultName'), '/add')]",
        "apiVersion": "2018-02-14",
        "dependsOn": [
            "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
        ],
        "properties": {
            "copy": [
                {
                    "name": "accessPolicies",
                    "count": "[length(parameters('ObjectPolicies'))]",
                    "input": {
                        "tenantId": "[parameters('ObjectPolicies')[copyIndex('accessPolicies')].tenantId]",
                        "objectId": "[parameters('ObjectPolicies')[copyIndex('accessPolicies')].objectId]",
                        "permissions": {
                            "keys": "[parameters('ObjectPolicies')[copyIndex('accessPolicies')].permissions.keys]",
                            "secrets": "[parameters('ObjectPolicies')[copyIndex('accessPolicies')].permissions.secrets]"
                        }
                    }
                }
            ]
        }
    }

My parameter file:

    "ObjectPolicies": {
        "value": [
            {
                "tenantId": "xxxxx",
                "objectId": "xxxxx",
                "permissions": {
                    "keys": [
                        "all"
                    ],
                    "secrets": [
                        "all"
                    ]
                }
            },

I want to create a Key Vault with multiple access policies inside one object, to get a good overview inside my parameters instead of objectId1, objectId2, objectId3. I tried to copy the answer from this good answer over here. It seems that I have the same setup as 4c74356b41 but still get an error message.

This SO question also has the same error message, but he doesn't seem to have added an answer to his question.

achahbar
  • Hey, what if you remove the second resource ("Microsoft.KeyVault/vaults/accessPolicies") temporarily? Does the error go away? Your loop looks fine to me – 4c74356b41 Mar 19 '19 at 16:46
  • The error does indeed go away if I delete the second resource. The second resource came after I placed the loop inside the Key Vault resource under accessPolicies; I figured I might place the loop inside a new resource bracket instead. Maybe this isn't the way to do things at all, but I wanted an efficient way of adding policies to my Key Vault – achahbar Mar 20 '19 at 07:47

1 Answer

I think "all" is not supported as a value for the permissions; at least according to the API reference, you have to list all of those one by one.

"accessPolicies": [
    {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": {
            "keys": [
                "encrypt",
                "decrypt",
                "wrapKey",
                "unwrapKey",
                "sign",
                "verify",
                "get",
                "list",
                "create",
                "update",
                "import",
                "delete",
                "backup",
                "restore",
                "recover",
                "purge"
            ],
            "secrets": [
                "get",
                "list",
                "set",
                "delete",
                "backup",
                "restore",
                "recover",
                "purge"
            ],
            "certificates": [
                "get",
                "list",
                "delete",
                "create",
                "import",
                "update",
                "managecontacts",
                "getissuers",
                "listissuers",
                "setissuers",
                "deleteissuers",
                "manageissuers",
                "recover",
                "purge"
            ]
        }
    }
]

Reading:
https://learn.microsoft.com/en-us/rest/api/keyvault/vaults/createorupdate#create_a_new_vault_or_update_an_existing_vault

4c74356b41
  • YES, totally did the trick. I had the "all" from a previous ARM template where, if I remember it correctly, it worked like a charm. – achahbar Mar 20 '19 at 08:17
  • "all" works fine for me. I *did* get the error that OP provided when I tried to grant an access policy against an object from a different tenant, though - that is apparently not allowed. – Tom W Nov 23 '19 at 18:50
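Since the answer and the last comment point at two different causes for the same `BadRequest` (the `"all"` permission value and a policy whose `tenantId` is not the vault's tenant), a small pre-deployment lint over the `ObjectPolicies` parameter catches both before `New-AzResourceGroupDeployment` does. This is an added example, not code from either poster; the permission lists are the ones quoted in the answer, the sample parameter values are constructed placeholder GUIDs, and `"all"` is reported as a least-privilege warning rather than a hard error because the thread disagrees on whether the API accepts it.

```python
"""Lint the ObjectPolicies parameter value used by the template's copy loop."""
import json

# Permission values as quoted from the REST API reference in the accepted answer.
ALLOWED = {
    "keys": {"encrypt", "decrypt", "wrapKey", "unwrapKey", "sign", "verify", "get", "list",
             "create", "update", "import", "delete", "backup", "restore", "recover", "purge"},
    "secrets": {"get", "list", "set", "delete", "backup", "restore", "recover", "purge"},
    "certificates": {"get", "list", "delete", "create", "import", "update", "managecontacts",
                     "getissuers", "listissuers", "setissuers", "deleteissuers",
                     "manageissuers", "recover", "purge"},
}


def lint_policies(policies, vault_tenant_id):
    """Return one finding string per problem; an empty list means the policies look deployable."""
    findings = []
    for i, pol in enumerate(policies):
        where = f"ObjectPolicies[{i}]"
        for required in ("tenantId", "objectId"):
            if not pol.get(required):
                findings.append(f"{where}: missing required field '{required}'")
        # Tom W's comment: a policy for an object in another tenant triggers the same error.
        if pol.get("tenantId") and pol["tenantId"] != vault_tenant_id:
            findings.append(f"{where}: tenantId differs from the vault's tenantId (cross-tenant policy)")
        for category, values in pol.get("permissions", {}).items():
            if category not in ALLOWED:
                findings.append(f"{where}: permission category '{category}' is not one this lint knows")
                continue
            for value in values:
                if value == "all":
                    findings.append(f"{where}: '{category}' uses wildcard 'all'; prefer listing needed permissions")
                elif value not in ALLOWED[category]:
                    findings.append(f"{where}: '{value}' is not a valid '{category}' permission")
    return findings


# Constructed sample parameter file fragment (placeholder GUIDs, not from any real tenant).
VAULT_TENANT = "11111111-1111-1111-1111-111111111111"
SAMPLE_PARAMS = json.loads("""{"ObjectPolicies": {"value": [
  {"tenantId": "11111111-1111-1111-1111-111111111111", "objectId": "aaaaaaaa-0000-0000-0000-000000000001",
   "permissions": {"keys": ["all"], "secrets": ["all"]}},
  {"tenantId": "11111111-1111-1111-1111-111111111111", "objectId": "aaaaaaaa-0000-0000-0000-000000000002",
   "permissions": {"keys": ["get", "list"], "secrets": ["get", "delte"]}},
  {"tenantId": "22222222-2222-2222-2222-222222222222", "objectId": "aaaaaaaa-0000-0000-0000-000000000003",
   "permissions": {"secrets": ["get"]}}
]}}""")

if __name__ == "__main__":
    for finding in lint_policies(SAMPLE_PARAMS["ObjectPolicies"]["value"], VAULT_TENANT):
        print(finding)
```

Run it against the real parameter file by replacing `SAMPLE_PARAMS` with `json.load(open(path))` and `VAULT_TENANT` with the value passed to the template's `tenantId` parameter.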