lemon-chef-20322

06/22/2021, 11:20 PM
Hey there. We're using Pulumi to manage hundreds of Azure resources and so far it's been amazing. Thanks for such an awesome product. Just recently we hit an issue though that is blocking us and we can't figure it out. We are using Pulumi to provision an Azure KeyVault and some associated Access Policies. The issue is with the access policies. Provisioning access policies for "users" works just fine but when setting an access policy for an "app" things break down. Seems Azure does not recognize the provisioning as being an app and instead classifies it as unknown (see screenshot). The access policy does not work in this mode. Doing the same operation via the az command works just fine.

gentle-diamond-70147

06/23/2021, 5:13 AM
Are you using azure or azure-native? One thing to try would be to `pulumi import ...` an existing KeyVault and see what properties it prints out. But ultimately this sounds like a bug - would you mind opening a github issue?

famous-leather-94346

06/26/2021, 10:47 AM
Have you used azure-native (it is quite compatible with the azure "legacy")? We use KeyVault policies there without issues.

lemon-chef-20322

07/04/2021, 2:20 AM
@famous-leather-94346, yes, we are using azure-native. Are you creating policies for AD Applications? Policies for Users work fine.

famous-leather-94346

07/04/2021, 1:12 PM
@lemon-chef-20322 Do you create links for policies via service principals? I don't think a direct link to an application works properly. I.e.:
from pulumi_azure_native import keyvault

# Fragment of the keyvault.Vault(...) arguments. The access policy for an
# application must reference the object id of its *service principal*
# (service_principal.id below), not the Azure AD application object.
# tenant_id and service_principal are defined elsewhere in the program.
properties=keyvault.VaultPropertiesArgs(
    access_policies=[
        keyvault.AccessPolicyEntryArgs(
            object_id=service_principal.id,  # <-- service principal link
            permissions=keyvault.PermissionsArgs(
                keys=[
                    keyvault.KeyPermissions.GET,
                    keyvault.KeyPermissions.CREATE,
                    keyvault.KeyPermissions.DELETE,
                    keyvault.KeyPermissions.PURGE,
                ],
                secrets=[
                    keyvault.SecretPermissions.SET,
                    keyvault.SecretPermissions.DELETE,
                    keyvault.SecretPermissions.PURGE,
                    keyvault.SecretPermissions.LIST,
                ],
            ),
            tenant_id=tenant_id,
        ),
...