1

I am creating a key vault through an Azure Blueprint: it gets created with no problem. The thing is that, in order to access the Key Vault (Listing it, putting or getting values) Access Policies must be configured.

With ARM templates, I could insert a section like :

"accessPolicies": [
                    {
                        "tenantId": "22222222-3333-4444-aaaa-eeeeeeeeeeee",
                        "objectId": "77777777-6666-4444-8888-111111111111",
                        "permissions": {
                            "keys": [
                                "Get",
                                ...
                                "Restore"
                            ],
                            "secrets": [
                                "Get",
                                ...
                                "Restore"
                            ],
                            "certificates": []
                        }
                    },

but I'd need to have a TenantId and an ObjectId to hardcode, or to get as parameter, which is not the right way to do it. Unfortunately I could not find a way to assign these access policies to the Key Vault, without which the key vault itself just can't be used, unless making those settings manual (and deleting them each time the blueprint is upgraded).

Is there a guideline or a best practice to do this in the proper way ?

Ing. Luca Stucchi
  • 3,070
  • 6
  • 36
  • 58

2 Answers2

1

The tenantId you can get dynamically using "[subscription().tenantId]". See official documentation.

Regarding the objectId, using a parameter is usually the right way as stated in this answer. ObjectIDs are not on the same layer as ARM components and therefore there aren't real way to get those dynamically using ARM.

Jul_DW
  • 1,036
  • 6
  • 20
  • 1
    Your answer guided me in better understanding how blueprints should be used ! What made me trigger is "there aren't real way to get those dynamically using ARM". And the most important part I think is "Using ARM". I think I'll post the answer and the result I came to, but that would have not been possible without the hint in your answer – Ing. Luca Stucchi Nov 11 '21 at 13:39
0

Starting from the answer from @jul_DW, I realized that ARM could not set in an easy way users, so I should have used to something in the Blueprint. And infact, one of the key features for Blueprint is Role Assignment.

To use this approach we need to enable the RBAC for the Key Vault, but that is done easily in the ARM template itself:

   ...
   "type": "Microsoft.KeyVault/vaults",
   "properties": {
     ...
     "enableRbacAuthorization": true,
     ...
   }

Once the RBAC is enabled, the ARM template should stay away from assigning permissions, and the Role Assignment feature from Blueprints should be used.

In my case, I assigned a Key Vault Administrator role to the needed user group, that can be indicated as a parameter. In this way the ARM template is kept as simple as possible, and at the same time we have a great flexibility in assigning roles to different users in the various environments.

Ing. Luca Stucchi
  • 3,070
  • 6
  • 36
  • 58