Using a certificate from a keyvault in azure app service in an azure managed application deployment

Question

I am creating an Azure Managed Application that will be made available in the azure marketplace for deployment into customer's tenants. Among other things, the managed resource group includes a keyvault and an app service. In the keyvault, there is an ssl certificate that I want to use for Azure AppService.

I have created a user assigned managed identity for the appservice and granted it access in the keyvault's access policy. The bit that I am stuck with is that I also need to grant 'get' permissions for certificates and secrets to the service principal for the Microsoft Azure App Service resource provider. (docs here: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Caccesspolicy#import-a-certificate-from-key-vault) In order to do this, I need the objectid (required property for the access policy) of the service principal which is different in every customer tenant. The known information I have is the applicationId for the Microsoft Azure App Service resource provider abfa0a7c-a6b6-4736-8310-5855508787cd which is consistent accross azure. I'm stumped as to how to proceed here. Does anyone have any inspiration?

resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: keyVaultName
  location: location
  properties: {
    enabledForDeployment: false
    enabledForDiskEncryption: false
    enabledForTemplateDeployment: true
    enableRbacAuthorization: false
    tenantId: tenantId
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    sku: keyVaultSku
    networkAcls: {
      defaultAction: 'Allow'
      bypass: 'AzureServices'
    }
    accessPolicies:[
       {
         objectId: keyVaultReferenceIdentity.properties.principalId
         permissions: {
           certificates: [
             'get', 'list', 'getissuers', 'listissuers', 'update', 'create', 'import'
           ]
           keys: [
             'get', 'list', 'decrypt', 'unwrapKey', 'verify', 'getrotationpolicy', 'update', 'create', 'import'
           ]
           secrets: [
             'get', 'list', 'set'
           ]
         }
         tenantId: tenantId
       }
       {
         objectId: //what can I put here for the Microsoft Azure App Service resource provider?
         permissions:{
           certificates: ['get']
           secrets:['get']
         }
         tenantId: tenantId
       }
     ]
  }
}

resource keyVaultReferenceIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: keyVaultReferenceIdentityName
  location: location
}

Answer 1

I came to the conclusion that this is not a trivial problem to solve and that I could reach my desired end result much quicker and more easily by using an App Service Managed Certificate and thus eliminating the need for App Service to get certificates from the KV. This worked great. Not a terribly satisfying answer so if anyone comes up with something better, I'd love to hear it.

Answer 2

Bicep now supports Microsoft Graph (see documentation) so you could get a reference to the app service resource provider and grab the object id like that:

extension microsoftGraphV1

...

// Get a reference to app service resource provider
resource appServiceResourceProvider 'Microsoft.Graph/servicePrincipals@v1.0' existing = {
  appId: 'abfa0a7c-a6b6-4736-8310-5855508787cd'
}

resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: keyVaultName
  location: location
  properties: {
    ...
    accessPolicies:[
       ...
       {
         objectId: appServiceResourceProvider.id
         permissions:{
           certificates: ['get']
           secrets:['get']
         }
         tenantId: tenantId
       }
     ]
  }
}