03/13/2021, 11:42 AM
Hi folks, I used to do this with the classic Azure provider to give the provisioned app access to a central KeyVault:
using Pulumi;
using Pulumi.Azure.KeyVault;

// centralResourceGroupName, keyVaultName and app (the function app with a
// system-assigned identity) are defined elsewhere in the program.

// Get a reference to our centralized key vault service which lives
// in another resource group. The key vault service itself is not created or maintained
// by this program.
var keyVault = await GetKeyVault.InvokeAsync(new GetKeyVaultArgs
{
	ResourceGroupName = centralResourceGroupName,
	Name = keyVaultName,
});

// Create an access policy in the key vault to allow the function app's
// managed identity to get secrets and to get/sign with keys.
// The resource name ("app-keyvault-access") is assumed; it was dropped from the posted snippet.
var keyVaultAccessPolicy = new AccessPolicy("app-keyvault-access", new AccessPolicyArgs
{
	TenantId = app.Identity.Apply(x => x.TenantId!),
	ObjectId = app.Identity.Apply(x => x.PrincipalId!),
	KeyPermissions = { "get", "sign" },
	SecretPermissions = { "get" },
	KeyVaultId = keyVault.Id,
});
I can’t figure out how to create key vault access policies with the native provider (like, I can’t even find any resource type for it in the KeyVault namespace) - can someone give me a pointer?
(To clarify, it’s clear how to create an access policy in a new key vault, but not how to create one for an existing vault.)


03/13/2021, 12:21 PM
Azure API is bizarre there, so we can’t map it automatically. Tracked in
👍 1


03/13/2021, 2:49 PM
Yeah, to be honest this was enough for me to switch to rbac 😄