Reputation: 55
Adding a ADF permissions to key vault in ARM
Basically, I'm trying to add the ability for a data factory to be able to get see secrets from a key vault via the ARM key-vault template so it's applied on a release.
However, the issue comes when I trying to release the project I get an error saying the data factory is not in the same resource group (which was kind of expected), however, I can't see a way of passing in the resource group in order for the function to see the correct resource group where the data factory is located.
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[reference(concat('Microsoft.DataFactory/factories/', parameters('DataFactoryName')),'2018-06-01','Full').identity.principalId]",
"permissions": {
"secrets": [
"Get"
]
}
}
Can anyone help
Upvotes: 0
Views: 639
Answers (1)
Reputation: 42043
Add the parameter OtherGroupName in the parameters, the value of OtherGroupName needs to be the resource group name of your datafactory.
"OtherGroupName":{
"type": "String"
}
Then use the accessPolicies like below:
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[reference(ResourceId(parameters('OtherGroupName'), 'Microsoft.DataFactory/factories', parameters('DataFactoryName')),'2018-06-01','Full').identity.principalId]",
"permissions": {
"keys": [],
"secrets": [
"Get"
],
"certificates": []
}
}
]
My complete sample:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vaults_joykeyvault12_name": {
"type": "String"
},
"DataFactoryName": {
"type": "String"
},
"OtherGroupName":{
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"name": "[parameters('vaults_joykeyvault12_name')]",
"location": "eastus",
"tags": {},
"properties": {
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "[subscription().tenantId]",
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[reference(ResourceId(parameters('OtherGroupName'), 'Microsoft.DataFactory/factories', parameters('DataFactoryName')),'2018-06-01','Full').identity.principalId]",
"permissions": {
"keys": [],
"secrets": [
"Get"
],
"certificates": []
}
}
],
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": false,
"enableSoftDelete": true
}
}
]
}
I test it with powershell New-AzResourceGroupDeployment, it works fine.
Check in the portal:
Upvotes: 2
Related Questions
- Adding a Key Vault Access Policy to an Existing Key Vault via ARM
- ARM KeyVault Access Policies Conditional Add
- Create Key Vault certificate using ARM template
- Azure ARM template add deployer object id to key vault access policies
- Use Key Vault references for App Service via ARM template
- Azure Key Vault access from ARM Template
- How to grant VM access to Key Vault in the same ARM template
- ARM template Key vault access policy to group instead of identity principle
- Add a secret to Vault through ARM without knowing it
- Deploy azure key vault secret using arm template gives error