
I have an Azure App Service Web App using Key Vault References for several application settings. All resources are deployed and configured through a Bicep/ARM template. The secrets in Key Vault and Access Policies are set through the Bicep/ARM template as well. The Web App works great and has access to Key Vault through those references until I re-deploy the Bicep / ARM template to modify some unrelated values. After running "az deployment group create" the references break (showing a red cross in application settings). I found two workarounds to make them connect again:

  • Restart Web App
  • Create another app setting / modify a setting in the portal and save

I would like to understand the root cause / possible mistake and why the workarounds help. I checked, and the Secrets in Key Vault are not changed / updated when re-deploying the template. My assumption is that this is caused by the Key Vault API removing and re-creating the Access Policies each time the template gets deployed. A what-if deployment of the template tells me that the removal and re-creation of the Access Policies is happening.

Malte Lantin

  • ARM does not allow a key vault to be redeployed without clearing its existing access policies. The `accessPolicies` property is required; omitting it will cause an error. Setting it to `[]` will clear all existing policies. You can refer to [SO thread](https://stackoverflow.com/a/67850177/15969115) and [Microsoft feedback](https://feedback.azure.com/forums/906355-azure-key-vault/suggestions/34414747-arm-template-for-keyvault-to-have-accesspolicies-n). – Ecstasy Jul 23 '21 at 07:06
  • I asked the PG about this: it is by-design of ARM templates. I don't know the technical reasons behind it. I posted about this here a few years ago. https://azidentity.azurewebsites.net/post/2018/05/29/azure-key-vault-access-policy-update-via-arm-template – Matt Small Jul 29 '21 at 14:00

1 Answer

As mentioned by @Deepdave in the comment section, ARM does not allow a key vault to be redeployed without clearing existing access policies.

Please submit your feedback here https://feedback.azure.com/forums/34192--general-feedback

JayakrishnaGunnam-MT
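To make the behaviour discussed in the comments and the answer concrete, here is an added Bicep illustration of the setup the question describes (a web app with a system-assigned identity, a Key Vault whose `accessPolicies` list grants that identity `get` on secrets, and an app setting holding a Key Vault Reference). This is not the asker's template; all resource names, the `planId` parameter and the secret name are placeholders.

```bicep
// Added illustration, not the asker's template; all names are placeholders.
param location string = resourceGroup().location
param webAppName string = 'placeholder-webapp'
param kvName string = 'placeholder-kv'
param planId string // resource id of an existing App Service plan (assumed)
@secure()
param secretValue string

// System-assigned identity: this is what Key Vault References authenticate with.
resource web 'Microsoft.Web/sites@2022-03-01' = {
  name: webAppName
  location: location
  identity: { type: 'SystemAssigned' }
  properties: { serverFarmId: planId }
}

// accessPolicies is required; each redeploy replaces the whole list, so any policy
// not declared here is dropped (and [] clears them all). Declaring the web app's
// policy in the same template is what makes it come back after the redeploy.
resource kv 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: kvName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: web.identity.principalId
        permissions: { secrets: [ 'get' ] }
      }
    ]
  }
}

resource secret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
  parent: kv
  name: 'DbPassword'
  properties: { value: secretValue }
}

// The setting stores only the reference; the app resolves the secret at runtime.
resource appSettings 'Microsoft.Web/sites/config@2022-03-01' = {
  parent: web
  name: 'appsettings'
  properties: {
    DbPassword: '@Microsoft.KeyVault(SecretUri=${secret.properties.secretUri})'
  }
}
```

Running a what-if deployment of this template a second time shows the policy entry being removed and re-created, which is the by-design behaviour described in the comments above; the template does not change that, it only ensures the web app's policy is part of what gets re-created.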