azure, azure-resource-manager, azure-keyvault, azure-bicep

A key vault created with an access policy using Bicep creates a compound identity


I'm creating infrastructure in Azure using Bicep for our enterprise application. Our application uses key vaults to store and recall secrets using a service principal (application).

When I create the KV in Bicep and associate the service principal with it, it is created as a compound identity in the KV access policies. I need it to be added as an 'application', which is what happens when I add it manually via the Azure Portal.

How can I add my service principal as an application and not a compound identity?

// Parameters and the existing-vault reference were not in the original snippet;
// they are added here so the template deploys as written. keyVaultName is an assumed name.
param tenantId string = subscription().tenantId
param objectId string
param applicationId string
param keyVaultName string

// The key vault the policy is added to
resource keyvaultExisting 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

resource accessPolicydev 'Microsoft.KeyVault/vaults/accessPolicies@2023-07-01' = {
  parent: keyvaultExisting
  name: 'add'
  properties: {
    accessPolicies: [
      {
        tenantId: tenantId
        objectId: objectId
        // Setting applicationId together with objectId is what produces the compound identity
        applicationId: applicationId
        permissions: {
          secrets: [
            'all'
          ]
          certificates: [
            'all'
          ]
          keys: [
            'all'
          ]
        }
      }
    ]
  }
}



Solution

  • ApplicationId should be specified for the on-behalf-of flow, as per the documentation, so you shouldn't specify it in the access policy.

    Also, the objectId should be the objectId of the service principal, not the objectId of the app registration.

    This should work:

    provider microsoftGraph

    param applicationId string
    param keyVaultName string
    param tenantId string = subscription().tenantId

    // Reference to the service principal (looked up by its appId via the Graph extension)
    resource servicePrincipal 'Microsoft.Graph/servicePrincipals@v1.0' existing = {
      appId: applicationId
    }

    // Reference to the existing key vault
    resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
      name: keyVaultName
    }

    // Create access policy; no applicationId, and objectId is the service principal's object id
    resource accessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2023-07-01' = {
      parent: keyVault
      name: 'add'
      properties: {
        accessPolicies: [
          {
            tenantId: tenantId
            objectId: servicePrincipal.id
            permissions: {
              secrets: [
                'all'
              ]
              certificates: [
                'all'
              ]
              keys: [
                'all'
              ]
            }
          }
        ]
      }
    }
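To verify the result after deployment, the following added check (not part of the answer above) audits exported key vault access policies and flags entries that are compound identities (applicationId set alongside objectId) or that grant blanket 'all' permissions. It assumes the camelCase ARM shape that `az keyvault show` returns; the embedded vault JSON and GUIDs are constructed placeholders.

```python
import json

# Constructed sample in the shape of `az keyvault show` output (ARM camelCase).
# The GUIDs are placeholders, not real tenant, object or application ids.
SAMPLE_VAULT_JSON = json.dumps({
    "name": "kv-example",
    "properties": {
        "accessPolicies": [
            {   # compound identity: objectId AND applicationId both set
                "tenantId": "00000000-0000-0000-0000-000000000001",
                "objectId": "11111111-1111-1111-1111-111111111111",
                "applicationId": "22222222-2222-2222-2222-222222222222",
                "permissions": {"secrets": ["all"], "keys": ["all"], "certificates": ["all"]},
            },
            {   # plain service principal entry: applicationId left null
                "tenantId": "00000000-0000-0000-0000-000000000001",
                "objectId": "33333333-3333-3333-3333-333333333333",
                "applicationId": None,
                "permissions": {"secrets": ["get", "list"], "keys": [], "certificates": []},
            },
        ]
    },
})


def audit_access_policies(vault_json: str) -> list[dict]:
    """Return one finding per access policy entry: whether it is a compound
    identity and which permission kinds (keys/secrets/certificates) grant 'all'."""
    vault = json.loads(vault_json)
    findings = []
    for entry in vault.get("properties", {}).get("accessPolicies", []):
        perms = entry.get("permissions") or {}
        findings.append({
            "objectId": entry.get("objectId"),
            # A non-empty applicationId next to objectId is the compound-identity case
            "compound_identity": bool(entry.get("applicationId")),
            "all_permissions": sorted(
                kind for kind, values in perms.items()
                if any(str(v).lower() == "all" for v in (values or []))
            ),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_access_policies(SAMPLE_VAULT_JSON):
        print(finding)
```

Feed it the real output of `az keyvault show --name <vault>` to confirm the deployed policy has no applicationId and only the permissions the application actually needs.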