I need help with updating my Pulumi program to create an Azure Key Vault resource and to grant my web app (app service) the right to access that key vault. I'm following this tutorial: https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app In that tutorial, the existence of a key vault is a prerequisite. With Pulumi, I'd use this Azure Native object: https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/vault/. It's not clear what the best "ObjectId" to use is for the initial vault creation. Is "ObjectId" only needed when granting a specific resource access to an existing vault? The next relevant portion of that tutorial is creating a managed identity on the web app:

az webapp identity assign --name "<your-webapp-name>" --resource-group "myResourceGroup"

Best I can tell, I should set the "Identity" property in my Pulumi code that creates the web app (https://www.pulumi.com/registry/packages/azure-native/api-docs/web/webapp/). If I set the identity type to "system", presumably I don't have to specify the UserAssignedIdentities? And the Identity property on the resulting WebApp object would contain the principal ID needed in the next step of teh tutorial? After that, the tutorial uses this command to grant the web app (via its managed identity) access to the key vault:

az keyvault set-policy --name "<your-keyvault-name>" --object-id "<principalId>" --secret-permissions get list

To do that with Pulumi, do I use the same KeyVault.Vault type that's used to initially create the key vault? And by specifying a different object ID (the principal ID) and set of permissions, the web app will have the access it needs? Is using the same vault name sufficient to ensure that I'm referencing the same key vault resource as in its initial creation? One last thing... The first secret I need to set is a json object. This Azure doc: https://learn.microsoft.com/en-us/cli/azure/keyvault/secret?view=azure-cli-latest#az-keyvault-secret-set has this capability:

az keyvault secret set --name MySecretName --vault-name MyKeyVault --file /path/to/file --encoding MyEncoding

i.e. setting the secret directly from a file, which is what my json secret resides in. I don't see anything like that in the Pulumi docs for "Secret": https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/secret/ Is that pretty much up to the Pulumi developer to mimic? Thanks. Sorry for the length.

I think this repository I created can answer some of your questions: https://github.com/TechWatching/AzureFunctionSQLBindings It creates an Azure Key Vault with a secret in it, a Function App (configuration is quite similar to a Web App) with a system assigned identity that has the correct role on the key vault

Great example @millions-journalist-34868! Thanks