Reputation: 323
How can I use an Azure ARM template to deploy VMs into Resource Group "A" and reference an existing key vault in Resource Group "B"?
I've scoured the 'net for help, but there's next to nothing on this specific issue. My use case is that I need to create an ARM template that adds an access policy to an existing Azure key vault in one resource group, but deploy VMs into a second one.
I can deploy VMs, assign Managed Service Identities (MSIs) to them, and add those MSIs to an accessPolicy for a key vault that already exists, all the same ARM template. The catch is, the key vault has to be in the same resource group as the VMs I'm deploying.
When I try to deploy VMs into a different resource group using the same key vault as before, I'm getting one of several errors depending on how I structure the ARM template:
If I reference the Key Vault as a resource in the ARM template, I get the error message "the name (keyvault-name) is already in use (Code: VaultAlreadyExists)
If I instead just try to use the key vault accessPolicy as a top-level resource, I get an error stating "Can not perform requested operation on nested resource. Parent resource keyvault-name not found" (Code: ParentResourceNotFound)
Really puzzling, because when I try the second method where I'm launching VMs into the same Resource Group as the VMs, it works just fine.
Any help is greatly appreciated!
Cheers,
-Maashu
Upvotes: 3
Views: 679
Answers (1)
Reputation: 8737
You'll need to perform one part of your deployment in a nested template - and then use the subscription/resourceGroup properties on that deployment to match the resourceGroup you want to deploy to (e.g. A or B).
For example (assume your KeyVault is in resourceGroup B): 1) deploy your VMs to group A (and create the MSIs) 2) in the same template add a nested deployment to group B (where KV is) after the MSIs are provisioned
See this: https://learn.microsoft.com/en-us/azure/templates/microsoft.resources/deployments
Note the subscription/resourceGroup properties on the resource - this will allow you to deploy into a different resourceGroup and even a different subscription if needed.
Upvotes: 0
Related Questions
- How to add Access Policy to a Keyvault in different Resource Group through ARM Templates
- Azure ARM JSON template - Add VM to Recovery Services Vault in different Resource Group
- Azure ARM Template - Create KeyVault Secrets in Keyvault in different Resource Group
- Creating multiple keyvault secrets in same arm template deployment
- azure arm template deploying azure key vault extension to a VM
- How to dynamically create Azure KeyVault reference in ARM template?
- Use Key Vault references for App Service via ARM template
- Azure Key Vault access from ARM Template
- How to grant VM access to Key Vault in the same ARM template
- Why is it not possible to create an Azure Key vault key with ARM templates?