Reputation: 5075
I have 3 apps sharing 1 keyvault, so I decided to create 4 RGs: 3 RGs for the 3 apps and 1 RG for the keyvault and other common resources.
This is all working fine. I can create the 3 apps through their own ARM Templates and the keyvault through its own ARM Template.
So when the app resources get provisioned, I want to add an access policy for that app in the keyvault through ARM Templates.
{
  "apiVersion": "2018-05-01",
  "name": "accesspolicies_deployment",
  "resourceGroup": "Common-RG",
  "type": "Microsoft.Resources/deployments",
  "dependsOn": [],
  "properties": {
    "mode": "Incremental",
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {},
      "variables": {},
      "resources": [
        {
          "type": "Microsoft.KeyVault/vaults/accessPolicies",
          "name": "[concat('kvdevwus', '/add')]",
          "apiVersion": "2018-02-14",
          "properties": {
            "accessPolicies": [
              {
                "tenantId": "[reference(variables('website'),'2018-02-01','Full').identity.tenantId]",
                "objectId": "[reference(variables('website'),'2018-02-01','Full').identity.principalId]",
                "permissions": {
                  "keys": [
                    "all"
                  ],
                  "secrets": [
                    "all"
                  ],
                  "certificates": [
                    "all"
                  ],
                  "storage": [
                    "all"
                  ]
                }
              }
            ]
          }
        }
      ],
      "outputs": {
        "principalId": {
          "type": "string",
          "value": "[reference(variables('website'),'2018-02-01','Full').identity.principalId]"
        }
      }
    }
  }
}
I'm using the above template in the app's template, but getting a Resource Not Found error.
Is the design itself wrong, or am I missing anything?
Upvotes: 3
Views: 3084
Reputation: 1415
Using a nested template allows you to specify the resource group the nested template should be deployed to, which can be different than the resource group used for the template that contains the nested template.
Upvotes: 0
Reputation: 1
I think you are missing the "dependsOn": [] in your accesspolicies_deployment resource. I have the same set-up as you, where I have key vault in a common resource group and my web apps in different resource.
In my ARM template that creates the website, I also added accesspolicies_deployment but added "dependsOn": [webapp01] to ensure that the website is created first and the identity created before creating the keyvault access policy.
Upvotes: 0
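A pre-deployment check for the two things this thread's template raises, as an added example that is not code from any poster: it walks inline nested deployments and flags one that looks up the app identity with reference() while dependsOn is empty (the ordering point in the answer above), and flags access policies that grant "all". The helper names and the finding messages are hypothetical, the least-privilege check is an addition beyond what the answers discuss, and the sample is a constructed, trimmed copy of the question's template.

```python
import json

# Constructed sample: the question's nested deployment, trimmed to the fields the audit reads.
REF = "[reference(variables('website'),'2018-02-01','Full').identity.principalId]"
SAMPLE = {"resources": [{
    "type": "Microsoft.Resources/deployments",
    "name": "accesspolicies_deployment",
    "resourceGroup": "Common-RG",
    "dependsOn": [],
    "properties": {"mode": "Incremental", "template": {"resources": [{
        "type": "Microsoft.KeyVault/vaults/accessPolicies",
        "name": "[concat('kvdevwus', '/add')]",
        "properties": {"accessPolicies": [{
            "objectId": REF,
            "permissions": {"keys": ["all"], "secrets": ["all"],
                            "certificates": ["all"], "storage": ["all"]},
        }]},
    }]}},
}]}

def walk(resources, path=""):
    """Yield (path, resource), descending into inline nested templates."""
    for res in resources:
        here = f"{path}/{res.get('name', '?')}"
        yield here, res
        if res.get("type") == "Microsoft.Resources/deployments":
            inner = res.get("properties", {}).get("template", {})
            yield from walk(inner.get("resources", []), here)

def audit(template):
    """Return (path, message) findings for a parsed ARM template (hypothetical helper)."""
    findings = []
    for path, res in walk(template.get("resources", [])):
        rtype = res.get("type", "")
        props = res.get("properties", {})
        if rtype == "Microsoft.Resources/deployments":
            # Heuristic: identity looked up with reference() but no ordering declared.
            if "reference(" in json.dumps(props) and not res.get("dependsOn"):
                findings.append((path, "reference() used with empty dependsOn"))
        elif rtype == "Microsoft.KeyVault/vaults/accessPolicies":
            for policy in props.get("accessPolicies", []):
                for kind, perms in policy.get("permissions", {}).items():
                    if any(p.lower() == "all" for p in perms):
                        findings.append((path, f"{kind}: 'all' granted"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the sample this reports one ordering finding for accesspolicies_deployment and four "all" grants on the access policy resource.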
Reputation: 8717
Would have to see more of the code to know for sure, but I suspect you're not going to be able to do what you want with an inline deployment, you have to use a linked template. We're working on fixing that, but it's not available yet.
Upvotes: 1