Key Vault access policy inconsistently deployed

Dimitar Grozev 60 Reputation points
2024-06-27T14:51:37.3466667+00:00

Hey all,

I am deploying a key vault and creating an access policy in it to allow a Function App to read secrets from it. From the deployments tab I can see that the access policy module has run successfully, but it's missing in the key vault's access policy tab. Here is the Bicep for it:

resource keyVault 'Microsoft.KeyVault/vaults@2022-11-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    // A PUT of the vault resource replaces its whole policy list with this value,
    // so a policy added by a separate resource must be deployed after this one.
    accessPolicies: []
    tenantId: tenantId
  }
}

module KeyVaultAccessPolicy '../keyvault/key-vault-access-policies.bicep' = {
  name: 'KeyVaultAccessPolicy'
  params: {
    // Reference the vault resource (originally the separate parameter
    // bulkUploadFunctionAppKeyVaultName) so the policy targets this vault and
    // Bicep orders the module after the vault deployment.
    keyVaultName: keyVault.name
    operation: 'add'
    policies: [
      {
        objectId: bulkUploadFunction.outputs.identityPrincipleId
        permissions: {
          secrets: [ 'get', 'list' ]
        }
      }
    ]
  }
}

Here is the code for the access policy bicep module:

@allowed([
  'add'
  'remove'
  'replace'
])
param operation string

@minLength(3)
@maxLength(24)
param keyVaultName string

// Each entry: { objectId: '<principal object id>', permissions: { secrets: [ ... ] } }
param policies array

resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: keyVaultName

  // Child resource named after the operation: 'add' merges these entries into the
  // vault's current policy list, 'remove' deletes them, 'replace' overwrites the list.
  resource keyVaultPolicies 'accessPolicies@2019-09-01' = {
    name: operation
    properties: {
      accessPolicies: [for policy in policies: {
        objectId: policy.objectId
        tenantId: keyVault.properties.tenantId // reuse the vault's own tenant
        permissions: policy.permissions
      }]
    }
  }
}

Any idea why that could be ?
Thanks in advance!
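As an added example (not code from the original post), the following single-file Bicep shows the pattern the post is attempting with the ordering made explicit: the vault is declared with an empty policy list, and the secret-read policy is a child resource whose parent reference forces it to deploy after the vault PUT, which is the step that would otherwise reset accessPolicies to []. The user-assigned identity and the parameter names are assumptions for this example; in the post the principal comes from the Function App module's output.

```bicep
// Added example, not part of the original post.
// Assumes: a user-assigned managed identity stands in for the Function App's
// identity so the file deploys on its own; resource names are placeholders.
param location string = resourceGroup().location
param keyVaultName string
param tenantId string = subscription().tenantId

// Stand-in for the Function App's managed identity (assumption for this example).
resource appIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${keyVaultName}-app-id'
  location: location
}

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: tenantId
    // A full PUT replaces the whole policy list. Leaving it empty here is safe only
    // because the child resource below is guaranteed to run after this resource.
    accessPolicies: []
  }
}

// Child resource: 'add' merges these entries into the vault's policy list.
// The parent reference gives Bicep an implicit dependsOn on keyVault.
resource readPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2023-07-01' = {
  parent: keyVault
  name: 'add'
  properties: {
    accessPolicies: [
      {
        tenantId: tenantId
        objectId: appIdentity.properties.principalId
        permissions: {
          // Least privilege: 'get' is enough to read a secret by name
          // (and for App Service Key Vault references); add 'list' only if
          // the app genuinely needs to enumerate secrets.
          secrets: [ 'get' ]
        }
      }
    ]
  }
}

output grantedPrincipalId string = appIdentity.properties.principalId
```

To check the result after `az deployment group create`, run `az keyvault show --name <vault> --query properties.accessPolicies` and confirm the principal id from the output appears with only the secret permissions you granted; `az deployment group what-if` on a re-run should show no change to the vault's policy list, which is the signal that a later vault PUT is not wiping the policy. If the vault is new, `enableRbacAuthorization: true` plus a role assignment for the identity is the alternative that avoids the replace-on-PUT behaviour of access policies entirely.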

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1 answer

  1. Akhilesh 6,980 Reputation points Microsoft Vendor
    2024-06-28T10:12:19.52+00:00

    Hi @Dimitar Grozev

    Thank you for your post!

    The issue might be that you are using the wrong API version for the Microsoft.KeyVault/vaults resource. In your code, you are using the API version 2022-11-01 for the keyVault resource, but you are using the API version 2019-09-01 for the keyVaultPolicies resource.

    You should use the same API version for both resources. You can update the keyVaultPolicies resource to use the same API version as the keyVault resource by changing the Microsoft.KeyVault/vaults@2019-09-01 to Microsoft.KeyVault/vaults@2022-11-01.
    Also, could you please refer to the following document: Microsoft.KeyVault vaults/accessPolicies

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.