How to add Access Policies to Key Vault, when adding App Service? I need "Principal ID" of added App Service. #3747

motycak · 2021-07-26T10:23:29Z

motycak
Jul 26, 2021

How to add Access Policies to Key Vault, when adding App Service? I need "Principal ID" of added App Service.

I'm trying to get a Principal ID. But I get error on deployment:

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InvalidTemplate","message":"Unable to process template language expressions for resource '/subscriptions/xxxxxxx-yyyyyy-xxxxxxxx/resourceGroups/my-resource-group-name/providers/Microsoft.KeyVault/vaults/my-key-vault-name/accessPolicies/add' at line '1' and column '2267'. 'The language expression property 'identity' doesn't exist, available properties are 'apiVersion, location, tags, kind, properties, deploymentResourceLineInfo, subscriptionId, resourceGroupName, scope, resourceId, referenceApiVersion, condition, isConditionTrue, isTemplateResource, isAction, provisioningOperation'.'"}]}

My code:

param baseName string
param deploymentEnvironment string
param appServicePlanId string
param appInsightsInstrumentationKey string
param aspnetEnvironment string
param appConfigurationEndpoint string
param service string = ''
param location string = resourceGroup().location
param tags object = {}

resource apiService 'Microsoft.Web/sites@2018-11-01' = {
  name: '${baseName}-${deploymentEnvironment}-${service}-api'
  location: location
  tags: tags
  properties: {
    serverFarmId: appServicePlanId
    httpsOnly: true
    clientAffinityEnabled: false
    siteConfig: {
      netFrameworkVersion: 'v4.0'
      http20Enabled: true
      alwaysOn: true
      webSocketsEnabled: false
      ftpsState: 'Disabled'

      appSettings: [
        {
          name: 'ASPNETCORE_ENVIRONMENT'
          value: aspnetEnvironment
        }
        {
          name: 'APPINSIGHTS_INSTRUMENTATIONKEY'
          value: appInsightsInstrumentationKey
        }
        {
          name: 'AppConfig:Endpoint'
          value: appConfigurationEndpoint
        }
        {
          name: 'WEBSITE_ENABLE_SYNC_UPDATE_SITE'
          value: 'true'
        }
        {
          name: 'WEBSITE_RUN_FROM_PACKAGE'
          value: '1'
        }
      ]
    }
  }
}

resource keyVault 'Microsoft.KeyVault/vaults@2021-04-01-preview' existing = {
  name: 'prefix-${deploymentEnvironment}-kv'
}

var appKeyVaultPermissions = {
  keys: [
    'get'
    'list'
  ]
  secrets: [
    'get'
    'delete'
  ]
  certificates: []
  storage: []
}

resource keyVault_accessPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
  name: '${keyVault.name}/add'
  properties: {
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: apiService.identity.principalId
        permissions: appKeyVaultPermissions
      }
    ]
  }
}

Answered by brwilkinson

Jul 27, 2021

Adding either User assigned or System assigned managed identity to the Web site is an optional configuration.

To use User assigned you pre-create the identity then assign it, to use System assigned you simply enable it.

https://docs.microsoft.com/en-us/azure/templates/microsoft.web/staticsites?tabs=bicep#ManagedServiceIdentity

Since you are not providing that configuration item when you create your website that property is not available to read back.

Syntax:

  identity: {
    type: 'string'
    userAssignedIdentities: {}
  }

The mimimum you need for system assigned is

  identity: {
    type: 'SystemAssigned'
}

Otherwise for user assigned or mixed

  identity: {
    type: 'SystemAssigned, U…

View full answer

brwilkinson · 2021-07-27T03:19:05Z

brwilkinson
Jul 27, 2021
Maintainer

Adding either User assigned or System assigned managed identity to the Web site is an optional configuration.

To use User assigned you pre-create the identity then assign it, to use System assigned you simply enable it.

https://docs.microsoft.com/en-us/azure/templates/microsoft.web/staticsites?tabs=bicep#ManagedServiceIdentity

Since you are not providing that configuration item when you create your website that property is not available to read back.

Syntax:

  identity: {
    type: 'string'
    userAssignedIdentities: {}
  }

The mimimum you need for system assigned is

  identity: {
    type: 'SystemAssigned'
}

Otherwise for user assigned or mixed

  identity: {
    type: 'SystemAssigned, UserAssigned'
    userAssignedIdentities: {
      '${resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/', 'myuaiStorageAccountOperator')}': {}
    }
  }

here is another view, in this case I enable both system and user identities, using a lookup table from different identities in the variables section to enable/assign 1 or more user identities:
https://github.com/brwilkinson/AzureDeploymentFramework/blob/2083f3021d86d9865453a1772e9dd7edc28734ec/ADF/bicep/AppServiceFunction.bicep#L98

Once you have that you should them be able to read the principalid back in order to assign to the access policy.

1 reply

motycak Jul 27, 2021
Author

It works. Thanks. @brwilkinson

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to add Access Policies to Key Vault, when adding App Service? I need "Principal ID" of added App Service. #3747

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

How to add Access Policies to Key Vault, when adding App Service? I need "Principal ID" of added App Service. #3747

motycak Jul 26, 2021

Replies: 1 comment · 1 reply

brwilkinson Jul 27, 2021 Maintainer

motycak Jul 27, 2021 Author

motycak
Jul 26, 2021

Replies: 1 comment 1 reply

brwilkinson
Jul 27, 2021
Maintainer

motycak Jul 27, 2021
Author