How to combine Key Vault access policy for AAD application and user-assigned managed identity in single ARM template

The other day I was exploring how to grant a user-assigned managed identity access to a key vault. But here is a more advanced scenario: let's say legacy code uses an AAD application to access the key vault, while modern code uses a managed identity.

How do you grant access to one or the other from a single template, based on a condition? It turns out to be quite easy:

{
  "accessPolicies": [
    {
      "tenantId": "[variables('tenantId')]",
      "objectId": "[if(empty(parameters('objectId')), reference(concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('identityName')), variables('idApiVersion')).principalId, parameters('objectId'))]",
      "permissions": {
        "keys": [
          "Get",
          "List"
        ],
        "secrets": [
          "Get",
          "List"
        ],
        "certificates": [
          "Get",
          "List"
        ]
      }
    }
  ]
}

In this case, if objectId is empty (which is its default value), the access policy is granted to the user-assigned managed identity; otherwise it is granted to the AAD application whose object ID was passed in.

This entry was posted in Infrastructure.
