m341

Reputation: 19

How can I add an access policy to a Key Vault which is in another resource group in bicep?

I have already noted the suggestions provided in this answer: Adding an access policy to a Key Vault which is in another resource group

It says one suggestion is to try hardcoding the full resource id of the keyvault into the access policy step. When I tried this:

resource Keyvault 'Microsoft.KeyVault/vaults@2021-04-01-preview' existing = {
  name: KeyvaultName
  scope: resourceGroup(ResourceGroup)
}

resource accessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2021-04-01-preview' = {
  name: '${Keyvault.id}/add'
  properties: {
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: UamiObjectId
        permissions: {
          keys: []
          secrets: ['get']
          certificates: []
        }
      }
    ]
  }
}

It fails with

Error: Code=InvalidTemplate; Message=Deployment template validation failed: 'The template resource '/subscriptions/subId/resourceGroups/rgName/providers/Microsoft.KeyVault/vaults/KeyVaultName/add' for type 'Microsoft.KeyVault/vaults/accessPolicies' has incorrect segment lengths. A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name.

The next suggestion is to try including the subscription Id as the scope, but this doesn't seem to be allowed, as validation fails with:

Error BCP037: The property "scope" is not allowed on objects of type "Microsoft.KeyVault/vaults/accessPolicies". Permissible properties include "asserts", "dependsOn".

Is this possible? I am able to reference the existing keyvault just fine. I am even able to copy secrets from it elsewhere in my bicep files. Why am I not able to add an access policy to it just because it is in a different resource group?

Upvotes: 0

Views: 1570

Answers (1)

wenbo

Reputation: 1461

You should treat the Key Vault and the accessPolicy as a whole, and then use a Bicep module.

In short, a Bicep module is needed here if you are deploying a child resource to another scope.

Note: both option 1 and option 2 in the keyvault.bicep file work; choose the one you want.

keyvault.bicep

param KeyvaultName string
param UamiObjectId string

// This module is deployed into the Key Vault's own resource group (see main.bicep),
// so the existing vault is referenced without a cross-resource-group scope.
resource Keyvault 'Microsoft.KeyVault/vaults@2021-04-01-preview' existing = {
  name: KeyvaultName
}

// option 1: two-segment child name '<vaultName>/add'
resource accessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2021-04-01-preview' = {
  name: '${KeyvaultName}/add'
  properties: {
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: UamiObjectId
        permissions: {
          keys: []
          secrets: ['get'] // least privilege: only what the identity needs
          certificates: []
        }
      }
    ]
  }
}

// option 2: same result using the parent property (uses the same UamiObjectId param)
// resource accessPolicy1 'Microsoft.KeyVault/vaults/accessPolicies@2021-04-01-preview' = {
//   name: 'add'
//   parent: Keyvault
//   properties: {
//     accessPolicies: [
//       {
//         tenantId: subscription().tenantId
//         objectId: UamiObjectId
//         permissions: {
//           keys: []
//           secrets: ['get']
//           certificates: []
//         }
//       }
//     ]
//   }
// }

main.bicep

param keyvaultRgName string
param keyvaultName string
param uamiObjectId string

// The module runs in the Key Vault's resource group, even though this template
// is deployed into a different resource group (see deploy.ps1).
module dataCollectionRuleAssociateModule './keyvault.bicep' = {
  scope: resourceGroup(keyvaultRgName)
  name: 'testDeploy'
  params: {
    KeyvaultName: keyvaultName
    UamiObjectId: uamiObjectId
  }
}

deploy.ps1

$deploymentRgName = "rg1"   # resource group the deployment itself is created in
$keyVaultRgName = "rg2"     # resource group that holds the existing Key Vault
$keyvaultName = "xxx"
$uamiObjectId = "1111111-33333-4d9f-bb80-2222222"

$param = @{
    keyvaultRgName = $keyVaultRgName
    keyvaultName   = $keyvaultName
    uamiObjectId   = $uamiObjectId
}

New-AzResourceGroupDeployment -Name "keyvaultest" -ResourceGroupName $deploymentRgName -TemplateFile ".\main.bicep" -TemplateParameterObject $param

Upvotes: 0
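The "incorrect segment lengths" error in the question and the `'${KeyvaultName}/add'` name in the answer both come down to one ARM rule, quoted in the error message itself: a resource declared at the top level of a template must have a resource type with exactly one more `/`-separated segment than its resource name. Bicep compiles every resource, including one using `parent:`, to a top-level ARM resource, so that is the rule that applies. The following Python checker is an added example, not code from the question or the answer; it applies that rule to the question's `Keyvault.id` interpolation and to the answer's two options, using a constructed subscription id, resource group and vault name as stand-ins for the values Bicep would substitute.

```python
# Added example: apply ARM's top-level resource-name segment rule
# (type segments == name segments + 1) to the name expressions on this page.
from dataclasses import dataclass


@dataclass(frozen=True)
class SegmentCheck:
    resource_type: str
    resource_name: str
    type_segments: int
    name_segments: int

    @property
    def ok(self) -> bool:
        # Rule for a resource declared at template top level ("root" in the error text).
        return self.type_segments == self.name_segments + 1


def count_segments(value: str) -> int:
    """Count non-empty '/'-separated segments; a leading '/' adds no segment."""
    return len([s for s in value.split("/") if s])


def check_segments(resource_type: str, resource_name: str) -> SegmentCheck:
    return SegmentCheck(resource_type, resource_name,
                        count_segments(resource_type), count_segments(resource_name))


ACCESS_POLICY_TYPE = "Microsoft.KeyVault/vaults/accessPolicies"  # 3 segments

# Constructed stand-ins (not real identifiers) for what Bicep substitutes at deploy time.
# The id has the same shape as the one in the question's error message.
KEYVAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
               "/resourceGroups/rg2/providers/Microsoft.KeyVault/vaults/kv-example")
KEYVAULT_NAME = "kv-example"

CANDIDATES = {
    # Question's attempt: interpolating Keyvault.id into the child name.
    "id-interpolation": f"{KEYVAULT_ID}/add",
    # Answer, option 1: '<vaultName>/add' as a two-segment child name.
    "name-slash-add": f"{KEYVAULT_NAME}/add",
    # Answer, option 2: `parent: Keyvault` + name 'add' compiles to the same two-segment name.
    "parent-property": f"{KEYVAULT_NAME}/add",
}


def evaluate_candidates() -> dict[str, SegmentCheck]:
    """Run the segment rule over every candidate name and return the results by label."""
    return {label: check_segments(ACCESS_POLICY_TYPE, name)
            for label, name in CANDIDATES.items()}


if __name__ == "__main__":
    for label, result in evaluate_candidates().items():
        verdict = "OK" if result.ok else "incorrect segment lengths"
        print(f"{label:18} type={result.type_segments} name={result.name_segments} -> {verdict}")
```

Run as a script it prints that the id-interpolated name has 9 segments against a 3-segment type, which is exactly what the validator rejected, while both of the answer's options yield 2 segments and pass. The rule is about name shape only; putting the resource in the right scope is what the module in the answer solves.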
