Bicep - Unable to add KeyVault Access Policy from other resource module

RajNair 216 Reputation points
2023-09-28T14:14:56.3766667+00:00

I am creating application gateway AG1 through Bicep in subscription SZ1, resource group RZ1. In the same module I need to add a key vault access policy (for the application gateway identity) to our common key vault KV1 located in a central subscription SHU1 and resource group RGU1. Now when I am using the code below it says it is unable to find KV1 in resource group RZ1 and subscription SZ1... even though I used an 'existing' key vault it is not looking there... Could anyone figure out what was wrong? Thanks.


resource applicationGateWay 'Microsoft.Network/applicationGateways@2023-04-01' = {
  name: appGatewayServiceName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${userAssignedIdentity.id}': {}
    }
  }

  .....

  .....

}

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: 'KV1'
  scope: resourceGroup('SHU1', 'RGU1') // (subscription ID, resource group name)
}

// A resource-group deployment creates this child resource in its own resource group (SZ1/RZ1);
// the scope of the 'existing' parent does not carry over, so the deployment looks for KV1 in RZ1.
// The explicit dependsOn is not needed: referencing keyVault.name already creates the dependency.
resource keyVaultAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
  name: '${keyVault.name}/add'
  properties: {
    accessPolicies: [
      {
        tenantId: tenant().tenantId
        // An access policy needs the identity's object (principal) ID, not its ARM resource ID.
        objectId: userAssignedIdentity.properties.principalId
        permissions: {
          keys: [ 'get', 'list' ]
          secrets: [ 'get', 'list' ]
          certificates: [ 'get', 'list' ]
        }
      }
    ]
  }
}

1 answer

  1. 2023-10-02T23:55:46.0066667+00:00

    Hello @RajNair, and thanks for sharing your solution. Since accepting your own answer is not supported, I'm reposting your solution here so that you can accept and rate it. It will ensure that others facing a similar issue can easily find a solution.

    I was able to solve this issue using the approach mentioned in the link below: I created a separate module for the key vault policy. https://github.com/Azure/bicep/discussions/6203

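As an added example, not code from the original question or from the linked discussion, here is one way to lay out the separate-module approach the answer refers to. The access policy lives in its own Bicep file that is deployed as a module with `scope:` set to the vault's resource group, so the `accessPolicies` child resource is created where KV1 actually is instead of in the gateway's resource group. The file names, the `centralSubscriptionId` parameter and the user-assigned identity resource are assumptions; KV1, RGU1, SZ1 and RZ1 are the names from the question.

```bicep
// ---- keyVaultAccessPolicy.bicep (assumed file name; deployed at the vault's resource group) ----
param keyVaultName string
param principalId string                    // object (principal) ID of the identity, NOT its resource ID
param tenantId string = tenant().tenantId

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultName                        // resolved in the module's scope, i.e. the vault's resource group
}

// 'add' merges this policy into the vault's existing policies; 'replace' would overwrite all of them.
resource accessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
  parent: keyVault
  name: 'add'
  properties: {
    accessPolicies: [
      {
        tenantId: tenantId
        objectId: principalId
        permissions: {
          keys: [ 'get', 'list' ]
          secrets: [ 'get', 'list' ]
          certificates: [ 'get', 'list' ]
        }
      }
    ]
  }
}

// ---- main.bicep (assumed file name; deployed at SZ1 / RZ1 next to the application gateway) ----
param location string = resourceGroup().location
param appGatewayServiceName string
param centralSubscriptionId string          // assumed parameter: subscription ID (GUID) that holds KV1
param centralResourceGroup string = 'RGU1'
param keyVaultName string = 'KV1'

// Identity the gateway will use to read certificates from the vault (assumed to be created here).
resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${appGatewayServiceName}-identity'
  location: location
}

// The module runs as a nested deployment in the vault's resource group, which is what
// makes the child resource resolve against KV1 there rather than in RZ1.
module kvAccessPolicy 'keyVaultAccessPolicy.bicep' = {
  name: 'kv-access-policy-${appGatewayServiceName}'
  scope: resourceGroup(centralSubscriptionId, centralResourceGroup)
  params: {
    keyVaultName: keyVaultName
    principalId: userAssignedIdentity.properties.principalId
  }
}

// The application gateway itself keeps the identity block from the question:
//   identity: { type: 'UserAssigned', userAssignedIdentities: { '${userAssignedIdentity.id}': {} } }
```

Three things to check before relying on this: the principal running the deployment needs permission to deploy into RGU1 in the central subscription, since a cross-subscription module is a real nested deployment there; `objectId` must be the identity's `properties.principalId` (the `.id` used in the question is the ARM resource ID and will not match any principal); and if KV1 has `enableRbacAuthorization: true`, access policies are ignored entirely and a `Microsoft.Authorization/roleAssignments` resource scoped to the vault is what grants access instead.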
