
I am trying to do an ARM deployment in Azure Devops whereby I add a key vault access policy to an existing key vault in Azure.

I want to use the following ARM template which adds an access policy to an existing Key Vault: https://github.com/Azure/azure-quickstart-templates/tree/master/101-keyvault-add-access-policy

I have a separate template that deploys an App service and creates a system assigned managed identity.

What is the best way to link the two templates? How do I reference the system-assigned identity of the app service in the 'Add Key Vault Policy' ARM template if I don't know what the object ID of the service principal is yet?

DreadedFrost
Tsuchinoko

1 Answer

Here's a sample of how you would retrieve the managed identity Id in your other template:

"[reference(concat(resourceId('Microsoft.Web/sites/', %web_app_name%), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').principalId]"

https://github.com/Azure/azure-quickstart-templates/blob/master/101-functions-managed-identity/azuredeploy.json#L295

4c74356b41
  • Be sure to add the appropriate "depends on" clauses to your Key Vault resource(s) so that the web app (and its Service Principal) is completely resolved to create the Access Policy. Waiting on the Service Principal id isn't enough. The id needs to propagate through the Azure-Verse for Key Vault to use it for creating access policy. Otherwise you'll have an Id from the Web App and an error from Key Vault. – daviesdoesit Jun 13 '20 at 22:19
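As an added example (not from the answer above or the quickstart repo), here is a complete second-stage template that grants an already-deployed web app's system-assigned identity access to an existing Key Vault. It uses the `reference(..., 'Full').identity.principalId` form to read the principal ID instead of the answer's `Microsoft.ManagedIdentity/Identities/default` path, scopes the policy to `get`/`list` on secrets only, and assumes the parameter names `keyVaultName` and `webAppName` (`//` comments are accepted by the ARM deployment engine):

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // Existing vault in this resource group (assumed parameter name).
    "keyVaultName": { "type": "string" },
    // Web app deployed earlier by the app-service template (assumed parameter name).
    "webAppName": { "type": "string" }
  },
  "resources": [
    {
      // The 'add' child resource merges a policy into the vault without
      // touching the vault's other settings or existing policies.
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2019-09-01",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            // reference() with 'Full' exposes the identity block of the
            // existing site; it cannot be placed in the variables section.
            "objectId": "[reference(resourceId('Microsoft.Web/sites', parameters('webAppName')), '2019-08-01', 'Full').identity.principalId]",
            // Least privilege: the app only needs to read secrets.
            "permissions": {
              "secrets": [ "get", "list" ]
            }
          }
        ]
      }
    }
  ],
  "outputs": {
    // Surface the granted principal so the pipeline can log or audit it.
    "grantedPrincipalId": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.Web/sites', parameters('webAppName')), '2019-08-01', 'Full').identity.principalId]"
    }
  }
}
```

If you instead merge this into the template that creates the site, add `"dependsOn": ["[resourceId('Microsoft.Web/sites', parameters('webAppName'))]"]` to the access-policy resource, as the comment above recommends, so the identity exists before the policy is applied.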