How to combine Key Vault access policy for AAD application and user-assigned managed identity in single ARM template

The other day I was exploring how to grant a user-assigned managed identity access to a key vault. But here's a more advanced scenario: let's say legacy code uses an AAD application (its service principal) to access the key vault, while modern code uses a managed identity.

How do you grant access to one or the other from the same template, based on some condition? It turns out to be quite easy: make the `objectId` of the access policy conditional with the ARM `if()` function.

{
   "accessPolicies":[
     {
       "tenantId":"[variables('tenantId')]",
       "objectId":"[if(empty(parameters('objectId')), reference(concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('identityName')), variables('idApiVersion')).principalId, parameters('objectId'))]",
       "permissions":{
         "keys":[
           "Get",
           "List"
         ],
         "secrets":[
           "Get",
           "List"
         ],
         "certificates":[
           "Get",
           "List"
         ]
       }
     }
   ]
 }

In this case, if the objectId parameter is empty (its default value, declared as `"defaultValue": ""`), the principalId of the user-assigned identity is used. Otherwise the supplied objectId is used, and note that it must be the object ID of the AAD application's service principal (the "Enterprise application" object), not the application (client) ID. Key Vault does not check that the GUID belongs to a real principal, so a wrong value simply grants nobody access.

This entry was posted in Infrastructure.