Share via

Key Vault access policy inconsistently deployed

Dimitar Grozev 80 Reputation points
2024-06-27T14:51:37.3466667+00:00

Hey all,

I am deploying a key vault and creating an access policy in it to allow a Function App to read secrets from it. From the deployments tab I can see that that access policy module has ran successfully but it's missing in the key vault's access policy tab. Here is the bicep for it:

resource keyVault 'Microsoft.KeyVault/vaults@2022-11-01' = {

  name: keyVaultName

  location: location

  properties: {

    sku: {

      family: 'A'

      name: 'standard'

    }

    accessPolicies:[]

    tenantId: tenantId

  }

}

module KeyVaultAccessPolicy '../keyvault/key-vault-access-policies.bicep' = {

  name: 'KeyVaultAccessPolicy'

  params: {

    keyVaultName: bulkUploadFunctionAppKeyVaultName

    operation: 'add'

    policies: [ {

      objectId: bulkUploadFunction.outputs.identityPrincipleId

      permissions: {

        secrets: ['get', 'list']

      }

    }]

  }

}

Here is the code for the access policy bicep module:

@allowed([

  'add'

  'remove'

  'replace'

])

param operation string

@minLength(3)

@maxLength(24)

param keyVaultName string

param policies array

resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {

  name: keyVaultName

  resource keyVaultPolicies 'accessPolicies@2019-09-01' = {

    name: operation

    properties: {

      accessPolicies: [for policy in policies: {

        objectId: policy.objectId

        tenantId: keyVault.properties.tenantId

        permissions: policy.permissions

      }]

    }

  }

}

Any idea why that could be ?
Thanks in advance!

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Akhilesh Vallamkonda 15,350 Reputation points Moderator
    2024-06-28T10:12:19.52+00:00

    Hi @Dimitar Grozev

    Thank you for post!

    The issue might be that you are using the wrong API version for the Microsoft.KeyVault/vaults resource. In your code, you are using the API version 2022-11-01 for the keyVault resource, but you are using the API version 2019-09-01 for the keyVaultPolicies resource.

    You should use the same API version for both resources. You can update the keyVaultPolicies resource to use the same API version as the keyVault resource by changing the Microsoft.KeyVault/vaults@2019-09-01 to Microsoft.KeyVault/vaults@2022-11-01.
    Also, could you please refer the following document Microsoft.KeyVault vaults/accessPolicies

    Hope this helps. Do let us know if you any further queries.

    Thanks,

    Akhilesh.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.