Create key vault, managed identity, and role assignment
This template creates a key vault and managed identity, and a role assignment for the managed identity to access the key vault.
For more information about using Bicep to deploy key vaults, see Manage secrets by using Bicep, and for information about using Bicep to deploy role assignments, see Create Azure RBAC resources by using Bicep.
Deletion behavior
When a managed identity is deleted, any role assignments for that managed identity are not automatically deleted. If you try to deploy a new role assignment with the same role assignment ID, the deployment fails because the resource already exists and the principalId can't be modified.
To ensure that each deployment has a unique role assignment ID, you can use the guid() function with a seed value that is based in part on the managed identity's principal ID. However, because Azure Resource Manager requires each resource's name to be available at the beginning of the deployment, you can't use this approach in the same Bicep file that defines the managed identity. This sample uses a Bicep module to work around this issue.
Tags: Microsoft.KeyVault/vaults, Microsoft.ManagedIdentity/userAssignedIdentities, Microsoft.Resources/deployments, Microsoft.Authorization/roleAssignments