Sam

Reputation: 99

How to grant VM access to Key Vault in the same ARM template

I'm attempting to create an ARM-template capable of provisioning a VM AND a Key Vault. The VM identity is set to type "SystemAssigned". See code snippet below:

        ...
        "name": "[variables('VM1')]",
        "type": "Microsoft.Compute/virtualMachines",
        "identity": { 
            "type": "SystemAssigned"
        },
        "apiVersion": "2019-07-01",
        ...

I want to be able to give the VM permissions to access the secrets in the Vault. For this I need to retrieve the tenantID and ObjectID for accessPolicies. For the tenantID I'm using:

"tenantId": "[subscription().tenantId]",

Is there a similar way to reference the ObjectID for a VM that is being created in the same template?

Thanks!

Upvotes: 2

Views: 444

Answers (1)

Murray Foxcroft

Reputation: 13745

You need to use a reference to get to the Managed Service Identity's object id (Principal Id) of the VM to assign access to KeyVault. See the documentation here.

I see KeyVault wants the TenantID and the Object ID.

The tenant you should already have in the template "tenantId": "[subscription().tenantId]"

and the ObjectID is the PrincipalId as shown in the docs linked and example below.

{
    "apiVersion": "2017-09-01",
    "type": "Microsoft.Authorization/roleAssignments",
    "name": "[parameters('rbacGuid')]",
    "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[reference(variables('vmResourceId'), '2017-12-01', 'Full').identity.principalId]",
        "scope": "[resourceGroup().id]"
    },
    "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
    ]
}

Upvotes: 1
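The answer's snippet shows the `reference(...).identity.principalId` lookup on a role assignment; the question asks for the same lookup inside a Key Vault access policy. The resource below is an added example, not code from the question or the answer. It assumes the VM resource from the question sits in the same template under the name `[variables('VM1')]` with apiVersion `2019-07-01`, and it introduces a hypothetical `variables('keyVaultName')` for the vault name. The `'Full'` argument is required: the VM's `identity` block is a top-level resource property, not part of `properties`, so a plain `reference()` would not expose `principalId`. The `dependsOn` entry forces the VM (and therefore its system-assigned identity) to exist before the vault is evaluated.

```json
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2019-09-01",
  "name": "[variables('keyVaultName')]",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachines', variables('VM1'))]"
  ],
  "properties": {
    "tenantId": "[subscription().tenantId]",
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "enableSoftDelete": true,
    "accessPolicies": [
      {
        "tenantId": "[subscription().tenantId]",
        "objectId": "[reference(resourceId('Microsoft.Compute/virtualMachines', variables('VM1')), '2019-07-01', 'Full').identity.principalId]",
        "permissions": {
          "secrets": [
            "get",
            "list"
          ]
        }
      }
    ]
  }
}
```

Two practical points. First, grant only the secret permissions the workload needs (`get`, and `list` only if the code enumerates secrets); `set`, `delete` and `purge` turn a compromised VM into a vault-wide write path. Second, a system-assigned identity lives and dies with the VM: if the VM is deleted and recreated, its `principalId` changes, and the access policy must be redeployed from the template to pick up the new value.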
