powerful-football-81694

03/13/2021, 11:42 AM
Hi folks, I used to do this with the classic Azure provider to give the provisioned app access to a central KeyVault:
// Classic Azure provider (Pulumi.Azure) namespace for GetKeyVault,
// GetKeyVaultArgs, AccessPolicy and AccessPolicyArgs.
using Pulumi.Azure.KeyVault;

// Assumed to be defined earlier in the stack program: centralResourceGroupName,
// keyVaultName, stackName, and the function app resource `app` whose
// system-assigned managed identity is granted access below.

// Get a reference to our centralized key vault service which lives
// in another resource group. The key vault service itself is not created or maintained
// by this program.
var keyVault =
	await GetKeyVault.InvokeAsync(
		new GetKeyVaultArgs()
		{
			ResourceGroupName = centralResourceGroupName,
			Name = keyVaultName
		}).ConfigureAwait(false);

// Create an access policy in the key vault to allow the function app to read
// keys, secrets and certificates. Only the permissions actually needed are
// granted (least privilege): "get" and "sign" on keys, "get" on secrets.
var keyVaultAccessPolicy = new AccessPolicy(
	$"orgflow-licensing-{stackName}-keyVaultPolicy",
	new AccessPolicyArgs()
	{
		TenantId = app.Identity.Apply(x => x.TenantId!),
		ObjectId = app.Identity.Apply(x => x.PrincipalId!),
		KeyPermissions = { "get", "sign" },
		SecretPermissions = { "get" },
		KeyVaultId = keyVault.Id
	});
I can’t figure out how to create key vault access policies with the native provider (like, I can’t even find any resource type for it in the KeyVault namespace) - can someone give me a pointer?
(To clarify, it’s clear how to create an access policy in a new key vault, but not how to create one for an existing vault.)
tall-librarian-49374

03/13/2021, 12:21 PM
Azure API is bizarre there, so we can’t map it automatically. Tracked in https://github.com/pulumi/pulumi-azure-native/issues/594
better-shampoo-48884

03/13/2021, 2:49 PM
Yeah, to be honest this was enough for me to switch to rbac 😄