Reputation: 1716
I am trying to add KeyVault and access policy from Bicep, but it is adding "unknown" in the access policy. If I add the same from the portal it is correctly added.
param systemLabel string = 'developer-3'
param vaultName string = 'developer-3'
param location string = resourceGroup().location
param sku string = 'Standard'
param tenantId string = 'tenantId'
param objectId string = 'objectId'
@description('Tags that our resources need')
param tags object = {
  displayName: 'keyvault-${toLower(systemLabel)}'
}
param enabledForDeployment bool = true
param enabledForTemplateDeployment bool = true
param enabledForDiskEncryption bool = true
param enableRbacAuthorization bool = false
param softDeleteRetentionInDays int = 90

// The vault is created with an empty policy list; the policy is added by the child resource below.
resource keyvault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
  name: vaultName
  location: location
  tags: {
    DisplayName: tags.displayName
  }
  properties: {
    tenantId: tenantId
    sku: {
      family: 'A'
      name: sku
    }
    accessPolicies: []
    enabledForDeployment: enabledForDeployment
    enabledForDiskEncryption: enabledForDiskEncryption
    enabledForTemplateDeployment: enabledForTemplateDeployment
    softDeleteRetentionInDays: softDeleteRetentionInDays
    enableRbacAuthorization: enableRbacAuthorization
  }
}

// Child resource named 'add' appends the policy for the given tenant/object ID.
resource accessPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2021-11-01-preview' = {
  name: 'add'
  parent: keyvault
  properties: {
    accessPolicies: [
      {
        tenantId: tenantId
        objectId: objectId
        permissions: {
          secrets: [
            'get'
            'list'
          ]
        }
      }
    ]
  }
}
The aim is to add both the keyvault and access policy from the Bicep.
Upvotes: 0
Views: 669
Reputation: 1716
@Thomas was right. I was using the wrong objectId, though I copied the objectId from the app registration service principal.
However, for anyone facing this issue: add the access policy to your Key Vault from the portal (GUI) and then look for Export template in the Automation section. The right object ID is there in the template.
Upvotes: 1
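Added example, not from the question or the answer above: a Key Vault access policy identifies a principal by the object ID of the service principal (the Enterprise application), not by the object ID of the app registration itself, and that is what shows up as "Unknown" in the portal. Instead of exporting a template from the portal, the script below resolves the right ID with the Azure CLI from the application (client) ID and hands it to the Bicep deployment; the resource group, app ID and file name are placeholders, and a logged-in Azure CLI 2.37 or later is assumed.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper script, not part of the original post).
# Resolves the service principal object ID for a Key Vault access policy
# and passes it to the Bicep template as the 'objectId' parameter.
set -eu

is_guid() {
  # Accept only the canonical 8-4-4-4-12 hex form (case-insensitive).
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

resolve_sp_object_id() {
  # $1 = application (client) ID of the app registration.
  # 'az ad sp show --id' accepts the app ID and returns the service principal;
  # Azure CLI 2.37+ (Microsoft Graph) exposes its object ID as 'id'.
  local app_id="$1" object_id
  is_guid "$app_id" || { echo "not a GUID: $app_id" >&2; return 1; }
  object_id="$(az ad sp show --id "$app_id" --query id -o tsv)"
  is_guid "$object_id" || { echo "no service principal for $app_id" >&2; return 1; }
  printf '%s\n' "$object_id"
}

deploy_keyvault() {
  # $1 = resource group, $2 = app (client) ID, $3 = path to the Bicep file.
  local object_id tenant_id
  object_id="$(resolve_sp_object_id "$2")"
  tenant_id="$(az account show --query tenantId -o tsv)"
  az deployment group create \
    --resource-group "$1" \
    --template-file "$3" \
    --parameters tenantId="$tenant_id" objectId="$object_id"
}

# Usage (placeholders): deploy_keyvault <resource-group> <app-id> ./keyvault.bicep
```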