Assign RBAC "Key Vault Administrator" role to Azure App via C# (.NET SDK)

ASR 671 Reputation points
2024-04-15T17:13:55.76+00:00

I use the below C# code to create a Key Vault with the RBAC permission model.

using System;
using KeyVaultModels = Microsoft.Azure.Management.KeyVault.Models;

KeyVaultModels.VaultProperties vaultProperties = new KeyVaultModels.VaultProperties()
{
  // With the RBAC permission model enabled, data-plane access to keys, secrets and
  // certificates is governed by Azure role assignments; the AccessPolicies below are
  // accepted by the API but not enforced.
  EnableRbacAuthorization = true,
  TenantId = Guid.Parse(tenantId),
  AccessPolicies = new[] {
    new KeyVaultModels.AccessPolicyEntry
    {
      ObjectId = MyAppIDInAzure,            // object id of the app's service principal
      TenantId = Guid.Parse(tenantId),      // AccessPolicyEntry.TenantId is a Guid, not a string
      Permissions = new KeyVaultModels.Permissions
      {
        Secrets = new[] { KeyVaultModels.SecretPermissions.All }
      },
    }
  }
};
KeyVaultModels.VaultCreateOrUpdateParameters vaultCreateOrUpdateParams = new KeyVaultModels.VaultCreateOrUpdateParameters()
{
  Properties = vaultProperties,
  Location = myregion,
};
// .Result blocks the calling thread; prefer await in an async method.
KeyVaultModels.Vault vault = keyVaultManagementClient.Vaults.CreateOrUpdateAsync(myresourceGroup, myvaultName, vaultCreateOrUpdateParams).Result;

Everything is working fine, but along with this code I want my Azure App to have the "Azure Key Vault Administrator" role.

I can't find any option here to assign this role to my App so that I can upload secrets and certificates using my Azure App.


2 answers

  1. Babafemi Bulugbe 1,790 Reputation points
    2024-04-18T13:06:58.8633333+00:00

    Hello ASR,

    Thank you for contacting Microsoft Q&A Community.

    From my understanding, you would like to know how to assign a role to your App service on Azure Key vault.

    To be able to do this, you need to create a managed identity on the Web App and assign a role to the App Service on your Key vault.

    Follow this link to see the steps on how to create a managed identity on App Service:

    https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp

    Once that is done, follow the steps in the link below to assign a role to the App on the Key vault.

    https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

    Let me know if further assistance is required.

    Babafemi


  2. ASR 671 Reputation points
    2024-04-19T08:30:32.4233333+00:00

    The below code works for me.

    using System;
    using System.Linq;
    using Microsoft.Azure.Management.Fluent;
    using Microsoft.Azure.Management.ResourceManager.Fluent;
    using Microsoft.Azure.Management.ResourceManager.Fluent.Authentication;
    using Microsoft.Azure.Management.ResourceManager.Fluent.Core;

    // Built-in "Key Vault Administrator" role definition id (same GUID in every subscription).
    string role_definition_id = "00482a5a-887f-4fb3-b363-3b7fe8e74483";

    // Authenticate the management client with the app's service principal.
    AzureCredentials credentials = SdkContext.AzureCredentialsFactory.FromServicePrincipal(clientId, clientSecret, tenantId, AzureEnvironment.AzureGlobalCloud);
    IAzure azure = Microsoft.Azure.Management.Fluent.Azure.Configure()
        .WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
        .Authenticate(credentials)
        .WithDefaultSubscription();

    // Resolve the vault so the assignment can be scoped to that single resource.
    var keyVault = azure.Vaults.ListByResourceGroup(resourceGroupName).FirstOrDefault(x => x.Name == key_Vault_Name);
    var roleDefinitionId = $"/subscriptions/{azure.SubscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}";

    // objectId is the object id of the app's service principal (not its client/application id).
    // Check for an existing assignment first; creating a duplicate fails with a conflict.
    var roleAssignment = azure.AccessManagement.RoleAssignments.ListByScope(keyVault?.Id)
        .FirstOrDefault(x => x.Inner.PrincipalId == objectId
                          && x.Inner.RoleDefinitionId == roleDefinitionId);
    if (roleAssignment == null)
    {
        azure.AccessManagement.RoleAssignments
            .Define(Guid.NewGuid().ToString()) // the role assignment name must be a new GUID
            .ForObjectId(objectId)
            .WithRoleDefinition(roleDefinitionId)
            .WithScope(keyVault?.Id)
            .Create();
    }
    
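The same vault-scoped, idempotent assignment written against the current Azure.ResourceManager libraries (Azure.ResourceManager and Azure.ResourceManager.Authorization) rather than the legacy Fluent SDK used above. This is an added example, not code from the thread; it assumes the identity behind the ArmClient holds Owner or User Access Administrator on the vault, and it goes one step further than the thread by also exposing the narrower Secrets Officer and Certificates Officer built-in roles, which are sufficient when an app only needs to upload secrets and certificates.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.ResourceManager;
using Azure.ResourceManager.Authorization;
using Azure.ResourceManager.Authorization.Models;

public static class VaultRoleAssigner
{
    // Built-in Azure role definition GUIDs (identical in every subscription).
    public const string KeyVaultAdministrator       = "00482a5a-887f-4fb3-b363-3b7fe8e74483";
    public const string KeyVaultSecretsOfficer      = "b86a8fe4-44ce-4948-aee5-eccb2c155cd7";
    public const string KeyVaultCertificatesOfficer = "a4417e6f-fecd-4de8-b567-7b0420556985";

    // Grants one built-in role to a service principal on a single vault.
    // Returns true if a new assignment was created, false if one already applied.
    public static async Task<bool> EnsureRoleAsync(
        ArmClient arm, string subscriptionId, string resourceGroup,
        string vaultName, Guid principalObjectId, string roleGuid)
    {
        // Scope the grant to the vault itself, not the resource group or subscription.
        var vaultScope = new ResourceIdentifier(
            $"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}" +
            $"/providers/Microsoft.KeyVault/vaults/{vaultName}");
        var roleDefinitionId = new ResourceIdentifier(
            $"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{roleGuid}");

        RoleAssignmentCollection assignments = arm.GetRoleAssignments(vaultScope);

        // A duplicate assignment is rejected with a 409 conflict, so look first.
        // atScope() lists assignments effective at the vault, including inherited ones.
        await foreach (RoleAssignmentResource existing in assignments.GetAllAsync(filter: "atScope()"))
        {
            bool samePrincipal = existing.Data.PrincipalId == principalObjectId;
            bool sameRole = string.Equals(existing.Data.RoleDefinitionId?.ToString(),
                roleDefinitionId.ToString(), StringComparison.OrdinalIgnoreCase);
            if (samePrincipal && sameRole) return false;
        }

        var content = new RoleAssignmentCreateOrUpdateContent(roleDefinitionId, principalObjectId)
        {
            // Declaring the principal type avoids failures for principals created moments ago.
            PrincipalType = RoleManagementPrincipalType.ServicePrincipal,
        };
        // The assignment name must be a fresh GUID.
        await assignments.CreateOrUpdateAsync(WaitUntil.Completed, Guid.NewGuid().ToString(), content);
        return true;
    }
}
```

Build the client with `new ArmClient(new DefaultAzureCredential())` from Azure.Identity, and expect a short propagation delay before the new assignment is honored by the Key Vault data plane.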