How to add Data Factory Object Id in Key Vault Access Policies during Bicep Deployment

RogerPujolGrau-2941 45 Reputation points
2023-05-27T18:44:52.53+00:00

Hello,

I'm building a Bicep template which contains an Azure Data Factory and a Key Vault. In this deployment I need to add the Data Factory in the Access Policies of the Vault being deployed, but my current configuration doesn't work and I couldn't find any more reference. Both resources are in different modules and are being put together in the main.bicep file. They share the same resource group.

In the main bicep file I define objectId as: dataFactory.outputs.dataFactoryObjectID

And tenantId is defined as subscription().tenantId

What's the appropriate reference for adding the ObjectId of the DataFactory in the Access Policies? Thanks!

Code:

// Module 1
param dataFactoryName string
param location string

resource dataFactory 'Microsoft.DataFactory/factories@2018-06-01' = {
  name: dataFactoryName
  location: location
  properties: {
    publicNetworkAccess: 'Enabled'
  }
  identity: {
    type: 'SystemAssigned'
  }
}

// principalId of the system-assigned identity, passed to the vault module as objectId
output dataFactoryObjectID string = dataFactory.identity.principalId

// Module 2
param keyVaultName string
param location string
param tenantId string
param objectId string

resource keyvault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: {
      name: 'standard'
      family: 'A'
    }
    accessPolicies: [
      {
        tenantId: tenantId
        objectId: objectId
        permissions: {
          certificates: [
            'all'
          ]
          keys: [
            'all'
          ]
          secrets: [
            'all'
          ]
          storage: [
            'all'
          ]
        }
      }
    ]
    tenantId: tenantId
    enabledForDeployment: true
    enabledForTemplateDeployment: true
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
  }
}

Accepted answer
  1. Akshay-MSFT 17,641 Reputation points Microsoft Employee
    2023-05-30T06:50:47.5+00:00

    @RogerPujolGrau-2941

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue:

    You created a Bicep template which contains an Azure Data Factory and a Key Vault.

    In the main bicep file you define objectId as: dataFactory.outputs.dataFactoryObjectID And tenantId is defined as subscription().tenantId

    What's the appropriate reference for adding the ObjectId of the DataFactory in the Access Policies?

    Cause: It's not enough with adding the ADF ObjectId in the KeyVault access policy creation.

    Solution: You defined another access policy with network ACL as well in the vault policy:

    resource symbolicname 'Microsoft.KeyVault/vaults@2022-07-01' = {
      name: 'string'
      location: 'string'
      tags: {
        tagName1: 'tagValue1'
        tagName2: 'tagValue2'
      }
      properties: {
        accessPolicies: [
          {
            applicationId: 'string'
            objectId: 'string'
            permissions: {
              certificates: [
                'string'
              ]
              keys: [
                'string'
              ]
              secrets: [
                'string'
              ]
              storage: [
                'string'
              ]
            }
            tenantId: 'string'
          }
        ]
        createMode: 'string'
        enabledForDeployment: bool
        enabledForDiskEncryption: bool
        enabledForTemplateDeployment: bool
        enablePurgeProtection: bool
        enableRbacAuthorization: bool
        enableSoftDelete: bool
        networkAcls: {
          bypass: 'string'
          defaultAction: 'string'
          ipRules: [
            {
              value: 'string'
            }
          ]
          virtualNetworkRules: [
            {
              id: 'string'
              ignoreMissingVnetServiceEndpoint: bool
            }
          ]
        }
        provisioningState: 'string'
        publicNetworkAccess: 'string'
        sku: {
          family: 'A'
          name: 'string'
        }
        softDeleteRetentionInDays: int
        tenantId: 'string'
        vaultUri: 'string'
      }
    }
    

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.


1 additional answer
  1. RogerPujolGrau-2941 45 Reputation points
    2023-05-28T09:18:53.81+00:00

    Solved it! It's not enough with adding the ADF ObjectId in the KeyVault access policy creation. There has to be another AccessPolicy created apart for the ADF. Then it works.
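The fix both answers describe (a separate access policy for the factory rather than only the inline entry in the vault's accessPolicies array) as a worked main.bicep. This is an added example, not the poster's template or Microsoft's sample: the module file paths, deployment names and the narrowed permission set ('get' on secrets instead of 'all') are assumptions, and the two modules are assumed to be the ones from the question with their parameters declared and the vault module deploying with an empty accessPolicies array.

```bicep
// main.bicep (added example): wire the two modules together and grant the
// factory's managed identity access through a separate
// Microsoft.KeyVault/vaults/accessPolicies child resource.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param dataFactoryName string
param keyVaultName string

// Module 1 from the question (path assumed): declares dataFactoryName and
// location and exposes output dataFactoryObjectID (the identity's principalId).
module dataFactory 'modules/datafactory.bicep' = {
  name: 'deploy-data-factory'
  params: {
    dataFactoryName: dataFactoryName
    location: location
  }
}

// Module 2 from the question (path assumed): declares keyVaultName, location
// and tenantId and deploys the vault with accessPolicies: [] so that the
// factory's policy is owned entirely by the child resource below.
module keyVault 'modules/keyvault.bicep' = {
  name: 'deploy-key-vault'
  params: {
    keyVaultName: keyVaultName
    location: location
    tenantId: subscription().tenantId
  }
}

// Symbolic reference to the vault deployed by module 2; 'existing' deploys
// nothing, it only lets the child resource name the vault as its parent.
resource vault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: keyVaultName
}

// The separate access policy for the factory's system-assigned identity.
// The child resource name must be 'add' (or 'replace' / 'remove').
// Permissions are limited to reading secrets, which is what a Data Factory
// linked service backed by Key Vault needs; widen only if a pipeline actually
// uses keys or certificates.
resource adfAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2023-02-01' = {
  parent: vault
  name: 'add'
  properties: {
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        // module output, so Bicep orders this after module 1 automatically
        objectId: dataFactory.outputs.dataFactoryObjectID
        permissions: {
          secrets: [
            'get'
          ]
        }
      }
    ]
  }
  // Explicit dependency: the vault from module 2 must exist before the
  // policy is applied to it.
  dependsOn: [
    keyVault
  ]
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters dataFactoryName=<factory> keyVaultName=<vault>` and confirm the entry with `az keyvault show --name <vault> --query properties.accessPolicies`; the factory's principalId should appear with only the secrets permission. Note that access policies are ignored on a vault deployed with `enableRbacAuthorization: true`; in that case grant the identity a role assignment (for example Key Vault Secrets User) instead of an access policy.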