Hi, I am trying to add access policies to an existing key vault in azure from pulumi like described here https://learn.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/accesspolicies?pivots=deployment-language-bicep but it doesn't seem like pulumi has anything equivalent to this? https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/

What language are you using? The access policies are set on the key vault itself according to the docs you linked. I have only used it on new key vaults, but it should work if you have an existing key vault as well. Run the import first and after that you should be able to add the access policies you want

typescript

Since the azure native provider is built on the OpenAPI spec Microsoft publishes, supporting access policies would require custom work. We have an open issue: https://github.com/pulumi/pulumi-azure-native/issues/594 For the time being, the best recommendation is to use the bridged (TF-based) provider for the policies, and you can use the native provider for everything else.

Thank you for the response @melodic-tomato-39005

@fancy-artist-45287 what is not working if you add access policies using the accessPolicies property, from azure_native provider: https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/vault/#accesspolicyentry ? I mean on my side this is how i add new policies for a keyvault, and didn't see an issue so far.

when running

pulumi up

multiple times it sometimes removes and adds policies even tho nothing has changed in the code as it seems to get confused after a

pulumi refresh

Ok but if you maintain kevault only using azure-native?

then I cant add accesspolicies after the keyvault has been created, can only supply access policies when it is created as mentioned here by Thomas Kappler

ok, i will give it a try to import an existing kv and then try to add policies and see how this will work out

Given this sudo code you can see my problem

const kv = new keyvault();

const account = new storageaccont();
const secret = new secret(kv.id, account.connectionstring);

const app = new appservice();
const setting = new appsetting(app.id, secret.id);

const policy = new accesspolicy(kv.id, app.id, ['Get']);

so your target is to map probably a file share to an web app service using the access key which will be stored in kv and from which the web app service will take it?

yeah among many other things

I didn't see any issue with having the access policies being managed under kv with azure native:

const userAssignedIdentity = new azure_native.managedidentity.UserAssignedIdentity("userAssignedIdentity", {
    location: "westeurope",
    resourceGroupName: "1111111111111111111111111111111111",
    resourceName: "1111111111111111111111111111111111",
});

const kv1 = new azure_native.keyvault.Vault("kv1", {
    location: "westeurope",
    properties: {
        accessPolicies: [
        {
            tenantId: "1111111111111111111111111111111111",
            objectId: "1111111111111111111111111111111111",
            "permissions": {
              "certificates": [
                "Get",
              ],
              "keys": [
                "Get",
              ],
              "secrets": [
                "Get",
              ]
            }
          },{
            tenantId: "1111111111111111111111111111111111",
            objectId: userAssignedIdentity.clientId,
            "permissions": {
              "certificates": [
                "Get",
                "List",
              ],
              "keys": [
                "Get",
                "List",
              ],
              "secrets": [
                "Get",
                "List",
              ]
            }
          },],
        enablePurgeProtection: true,
        enableRbacAuthorization: false,
        enableSoftDelete: true,
        enabledForDeployment: false,
        enabledForDiskEncryption: false,
        enabledForTemplateDeployment: false,

and you added policies with azure classic afterwards?🤔

no, but what is the point to use it with azure classic? since i can maintain it with azure native...i suppose this part is missing to me

well since i dont know all access policies i need up front when creating the keyvault I need to add them afterwards? and azure native does not have that capability?

ok, but in my example i have created from the portal a keyvault, without any policy, and i've imported it into a pulumi project, and from the polumi project i started to add new policies, using the accessPolicies property

yeah that should probably work

So under the accessPolicies properties, you add additional ones:

So lets go through this step by step 1. Create Database 2. Create WebApp 3. Create KeyVault a. With secret Database connection string b. With access policy for WebApp 4. Add secret key vault reference from KeyVault to WebApp Step 4 can't be done before both the KeyVault and WebApp has been created, and I dont know of a way to add WebApp settings after it has been created. The other approach is 1. Create KeyVault 2. Create Database 3. Create Secret in KeyVault with Database Connectionstring 4. Create WebApp a. With secret we just created as app setting 5. Create AccessPolicy for WebApp to KeyVault Step 5 can't be done in Azure Native but can be done in Azure Classic

As long as you have resource references between them, i don't see why you will not be able to have option 1. Because pulumi is smart enough to know which resource needs to be created first, based on the references you do between resources. For accessing the keyvault from appservice i would recommend to use user assigned identity instead of system-assigned-identity