Create key vault, managed identity, and role assignment

This template creates a key vault and managed identity, and a role assignment for the managed identity to access the key vault.

For more information about using Bicep to deploy key vaults, see Manage secrets by using Bicep, and for information about using Bicep to deploy role assignments, see Create Azure RBAC resources by using Bicep.

Deletion behavior

When a managed identity is deleted, any role assignments for that managed identity are not automatically deleted. If you try to deploy a new role assignment with the same role assignment ID, the deployment fails because the resource already exists and the principalId can't be modified.

To ensure that each deployment has a unique role assignment ID, you can use the guid() function with a seed value that is based in part on the managed identity's principal ID. However, because Azure Resource Manager requires each resource's name to be available at the beginning of the deployment, you can't use this approach in the same Bicep file that defines the managed identity. This sample uses a Bicep module to work around this issue.
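The following is an added example, not the sample's own Bicep, of the module pattern this section describes: the parent file creates the key vault and the user-assigned identity, then hands the identity's principalId to a module that names the role assignment with guid(), so the name is unique per identity instance without the parent file having to know the principalId at deployment start. Both files are shown in one block, separated by comments; the file names, parameter names, and the Key Vault Secrets User role ID (the built-in role that grants read access to secret contents) are assumptions for the example.

```bicep
// ---------- main.bicep (added example) ----------
param location string = resourceGroup().location
param keyVaultName string = 'kv-${uniqueString(resourceGroup().id)}'
param identityName string = 'id-${uniqueString(resourceGroup().id)}'

// Built-in "Key Vault Secrets User" role: least privilege for a workload that only reads secrets.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: subscription().tenantId
    // Data-plane access is governed by Azure RBAC, so the role assignment below is what grants access.
    enableRbacAuthorization: true
    enableSoftDelete: true
    enablePurgeProtection: true
  }
}

// The principalId only exists once the identity has been created, which is why the
// role assignment lives in a module: the module's resource names are resolved when the
// module deploys, not at the start of the parent deployment.
module roleAssignment 'role-assignment.bicep' = {
  name: 'kv-role-assignment'
  params: {
    keyVaultName: keyVault.name
    principalId: identity.properties.principalId
    roleDefinitionId: keyVaultSecretsUserRoleId
  }
}

// ---------- role-assignment.bicep (added example) ----------
param keyVaultName string
param principalId string
param roleDefinitionId string

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

resource assignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Seeding guid() with the principalId means a recreated identity (new principalId)
  // gets a new assignment name instead of colliding with the orphaned one.
  name: guid(keyVault.id, principalId, roleDefinitionId)
  scope: keyVault
  properties: {
    principalId: principalId
    // Stating the principal type avoids failures when the new identity has not yet
    // replicated to the directory at the time the assignment is created.
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
  }
}
```

Scoping the assignment to the vault resource rather than the resource group keeps the grant as narrow as the sample intends, and choosing a reader-only role for the identity limits what a compromised workload could do with it. Orphaned assignments from deleted identities still remain in the scope and show up as "Identity not found" in the portal; periodically listing and removing them is a separate clean-up step that this pattern does not replace.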

Tags: Microsoft.KeyVault/vaults, Microsoft.ManagedIdentity/userAssignedIdentities, Microsoft.Resources/deployments, Microsoft.Authorization/roleAssignments