Key Vault API connector ARM deployment of Standard Logic App

admin.TBailey 21 Reputation points
2022-07-05T14:16:10.53+00:00

Failing at the final hurdle when running IaC deployments for Logics Apps (Standard).

I have a standard logic app where a number of workflows have a 'Get secret' task from a key vault. The following is true of the setup:

  • The logic app, key vault and the key vault API connector are in the same resource group
  • The logic app is a contributor in the resource group
  • The logic app has access policies for Get, List and Set in the key vault.

As I am just working this out, I am currently deploying:

  • The logic app using the logic app extension through VSCode. The connections.json file has the correct connectionRuntimeURL as the logic app:

connections.json:

[screenshot: connections.json]

Screenshot of the connection UI in the portal:

[screenshot: connection UI in the portal]

After deploying the app through VSCode, I then run a manual ARM template deployment through the UI for the connection.

Here is the template (with some name redactions):

```json
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "logicAppSystemAssignedIdentityTenantId": {
            "defaultValue": "14xxxxxxxxxxxxxxxxxxxxxxxxxxf",
            "type": "String"
        },
        "logicAppSystemAssignedIdentityObjectId": {
            "type": "String"
        },
        "connections_keyvault_name": {
            "defaultValue": "keyvault",
            "type": "String"
        },
        "keyvault_name": {
            "defaultValue": "kv-datahub-dev",
            "type": "String"
        },
        "location": {
            "defaultValue": "uksouth",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "name": "[parameters('connections_keyvault_name')]",
            "location": "[parameters('location')]",
            "kind": "V2",
            "properties": {
                "displayName": "hub-key-vault",
                "statuses": [
                    {
                        "status": "Ready"
                    }
                ],
                "parameterValueType": "Alternative",
                "alternativeParameterValues": {
                    "vaultName": "[parameters('keyvault_name')]"
                },
                "createdTime": "2022-07-01T14:08:48.8022575Z",
                "changedTime": "2022-07-01T15:12:36.3050611Z",
                "api": {
                    "name": "[parameters('connections_keyvault_name')]",
                    "displayName": "Azure Key Vault",
                    "description": "Azure Key Vault is a service to securely store and access secrets.",
                    "iconUri": "[concat('https://connectoricons-prod.azureedge.net/releases/v1.0.1574/1.0.1574.2782/', parameters('connections_keyvault_name'), '/icon.png')]",
                    "brandColor": "#0079d6",
                    "id": "[concat('/subscriptions/6xxxxxxxxxxxxxxxxxxxxxxx7/providers/Microsoft.Web/locations/uksouth/managedApis/', parameters('connections_keyvault_name'))]",
                    "type": "Microsoft.Web/locations/managedApis"
                },
                "testLinks": []
            }
        },
        {
            "type": "Microsoft.Web/connections/accessPolicies",
            "apiVersion": "2016-06-01",
            "name": "[concat(parameters('connections_keyvault_name'),'/',parameters('logicAppSystemAssignedIdentityObjectId'))]",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[resourceId('Microsoft.Web/connections', parameters('connections_keyvault_name'))]"
            ],
            "properties": {
                "principal": {
                    "type": "ActiveDirectory",
                    "identity": {
                        "tenantId": "[parameters('logicAppSystemAssignedIdentityTenantId')]",
                        "objectId": "[parameters('logicAppSystemAssignedIdentityObjectId')]"
                    }
                }
            }
        }
    ]
}
```

After deployment, the connection is showing as connected:

[screenshot: connection status]

And the authorisation correctly shows Managed Identity (again, the logic app has been granted access to the key vault & access policies in the KV):

[screenshot: connection authorisation]

However, in the designer, despite showing a valid API connection, no secrets are listed:

[screenshot: designer with no secrets listed]

When running a test of the workflow, the error generated refers to a missing access token.

```json
{
  "status": 401,
  "message": "The connection does not contain an access token. Please edit the connection and login.",
  "error": {
    "message": "The connection does not contain an access token. Please edit the connection and login."
  },
  "source": "keyvault-uks.azconn-uks-002.p.azurewebsites.net"
}
```

Now given access is granted via Managed Identity, at this point I am stumped and could do with a steer - I imagine it's something in my connections ARM template.


Accepted answer
  1. Kamlesh Kumar 3,861 Reputation points
    2022-07-05T15:21:52.45+00:00

    Hi @admin.TBailey ,

    Thank you for asking this question on the Microsoft Q&A Platform.

    Kindly confirm if you have enabled access to Azure Resource Manager for template deployment; please refer to the screenshot below to check and confirm.

    [screenshot: Azure Resource Manager access setting]

    And check the setting in the Networking tab as well: is access allowed for all networks or restricted to selected networks?

    [screenshot: Networking tab]

    Finally please check the Connection Properties in connections.json file. If it is missing then add it.

    Regards,
    Kamlesh Kumar
    BizTalk Techie



1 additional answer

  1. admin.TBailey 21 Reputation points
    2022-07-05T16:52:03.07+00:00

    @Kamlesh Kumar - it was managed identity, the issue I saw from your docs is that I needed to specify the connectionProperties in connections.json, so I added the following object to the connections.json file:

    ```json
    "connectionProperties": {
        "authentication": {
            "audience": "https://vault.azure.net",
            "type": "ManagedServiceIdentity"
        }
    }
    ```

    This resolved the issue and the key vault activities are connecting successfully post deployment.

    Thanks for your help.
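The thread's root cause is a connections.json entry that references a managed-identity connection but lacks the connectionProperties.authentication block, which only shows up as a 401 at workflow run time. The following pre-deployment check is an added example, not code from the thread or from Microsoft: it parses a connections.json document and flags each managedApiConnections entry that is missing that block, has the wrong authentication type, or (for the Key Vault connector) the wrong audience. The sample connections.json is constructed for the example with placeholder subscription, resource-group and runtime-host values; the shape of the top-level authentication object is assumed to be the documented managed-identity form, and the key names checked are taken from the thread.

```python
"""Lint a Standard Logic App connections.json for managed-identity connections.

Added example for this thread (not the original poster's or Microsoft's code).
It catches, before deployment, the missing connectionProperties block that
produced the 401 "connection does not contain an access token" error.
"""
import json

# Audience the Key Vault connector expects in connectionProperties.authentication.
KEY_VAULT_AUDIENCE = "https://vault.azure.net"

# Constructed sample connections.json (placeholder IDs). "keyvault" carries the
# connectionProperties block the thread adds; "keyvault-broken" is the shape
# that fails with the 401 at run time.
SAMPLE_CONNECTIONS_JSON = """
{
  "managedApiConnections": {
    "keyvault": {
      "api": {"id": "/subscriptions/<sub-id>/providers/Microsoft.Web/locations/uksouth/managedApis/keyvault"},
      "connection": {"id": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Web/connections/keyvault"},
      "connectionRuntimeUrl": "https://<runtime-host>.azurewebsites.net/apim/keyvault/<id>",
      "authentication": {"type": "ManagedServiceIdentity"},
      "connectionProperties": {
        "authentication": {
          "audience": "https://vault.azure.net",
          "type": "ManagedServiceIdentity"
        }
      }
    },
    "keyvault-broken": {
      "api": {"id": "/subscriptions/<sub-id>/providers/Microsoft.Web/locations/uksouth/managedApis/keyvault"},
      "connection": {"id": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Web/connections/keyvault-broken"},
      "connectionRuntimeUrl": "https://<runtime-host>.azurewebsites.net/apim/keyvault/<id>",
      "authentication": {"type": "ManagedServiceIdentity"}
    }
  }
}
"""


def lint_connection(name: str, conn: dict) -> list:
    """Return human-readable findings for one managedApiConnections entry."""
    findings = []
    api_id = conn.get("api", {}).get("id", "")
    is_keyvault = api_id.endswith("/managedApis/keyvault")

    # The runtime URL is what the workflow host calls; without it nothing works.
    if not conn.get("connectionRuntimeUrl"):
        findings.append(f"{name}: connectionRuntimeUrl is missing")

    # Top-level authentication: assumed documented managed-identity form.
    if conn.get("authentication", {}).get("type") != "ManagedServiceIdentity":
        findings.append(f"{name}: authentication.type is not ManagedServiceIdentity")

    # The block the thread identified as the missing piece.
    props_auth = conn.get("connectionProperties", {}).get("authentication")
    if props_auth is None:
        findings.append(
            f"{name}: connectionProperties.authentication is missing; "
            "the runtime acquires no token and the connector returns 401"
        )
        return findings
    if props_auth.get("type") != "ManagedServiceIdentity":
        findings.append(f"{name}: connectionProperties.authentication.type should be ManagedServiceIdentity")
    if is_keyvault and props_auth.get("audience") != KEY_VAULT_AUDIENCE:
        findings.append(f"{name}: Key Vault connection audience should be {KEY_VAULT_AUDIENCE}")
    return findings


def lint_connections(text: str) -> dict:
    """Map each connection name to its list of findings (empty list means OK)."""
    doc = json.loads(text)
    return {
        name: lint_connection(name, conn)
        for name, conn in doc.get("managedApiConnections", {}).items()
    }


def lint_sample() -> dict:
    """Run the linter over the constructed sample document."""
    return lint_connections(SAMPLE_CONNECTIONS_JSON)


if __name__ == "__main__":
    for conn_name, conn_findings in lint_sample().items():
        print(f"[{'ok' if not conn_findings else 'FAIL'}] {conn_name}")
        for finding in conn_findings:
            print("   ", finding)
```

Run it against a real connections.json by calling `lint_connections(open("connections.json").read())` in a pipeline step before the ARM deployment; a non-empty findings list for any connection is the signal to stop, since the designer will still show the connection as "connected" even when the workflow is going to fail with the 401.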