This message was deleted Pulumi Community #azure

Join Slack

This message was deleted.

# azure

sparse-intern-71089

01/31/2022, 9:07 AM

This message was deleted.

fresh-pilot-59899

01/31/2022, 1:13 PM

could you paste the code you use to create the resources?

fresh-pilot-59899

01/31/2022, 1:16 PM

this code worked fine:

Copy code

const secret = new azure.keyvault.Secret("deployment-zip", {
    keyVaultId: vault.id,
    value: azure.storage.signedBlobReadUrl(blob, storageAccount),
});
const secretUri = pulumi.interpolate`${vault.vaultUri}secrets/${secret.name}/${secret.version}`;

// The application hosted in App Service
const app = new azure.appservice.AppService("app", {
    resourceGroupName: resourceGroup.name,
    appServicePlanId: appServicePlan.id,

    // A system-assigned managed service identity to be used for authentication and authorization to the SQL Database and the Blob Storage
    identity: {
        type: "SystemAssigned",
    },

    appSettings: {
        // Website is deployed from a URL read from the Key Vault
        "WEBSITE_RUN_FROM_ZIP": pulumi.interpolate`@Microsoft.KeyVault(SecretUri=${secretUri})`,

        ...
    },

    ...
});

const principalId = app.identity.apply(id => id.principalId || "11111111-1111-1111-1111-111111111111");

// Grant App Service access to KV secrets
const policy = new azure.keyvault.AccessPolicy("app-policy", {
    keyVaultId: vault.id,
    tenantId: tenantId,
    objectId: principalId,
    secretPermissions: ["get"],
});

fresh-pilot-59899

01/31/2022, 1:16 PM

based on the example: https://github.com/pulumi/examples/tree/master/classic-azure-py-msi-keyvault-rbac

swift-hamburger-98290

01/31/2022, 1:57 PM

Thanks Alex. So our application gets some secrets directly from the KeyVault. Something like:

Copy code

new azure.appservice.AppService("app", {
    resourceGroupName: rg.name,
    appServicePlanId: plan.id,
    identity: {
        type: "SystemAssigned",
    },
    appSettings: {
        "vault": vault.id,
        ...
    },
    ...
});

new azure.authorization.Assignment("asg", {
    roleDefinitionName: "Key Vault Secrets User",
    ...
});

The permissions are correct, but the app may start (does it happen always?) before the

azure.authorization.Assignment

is created, meaning that the app won't be able to read from the KeyVault. So it is only a timing issue. Something like a restart mechanism on some

AppServices

would fix the problem, which is actually what we do on the pipeline after the

pulumi up

, but it is of course not ideal

fresh-pilot-59899

01/31/2022, 2:22 PM

ok you are using RBAC for that

fresh-pilot-59899

01/31/2022, 2:22 PM

it seems to me like the chicken and the egg problem due to usage of SystemAssigned Identity

fresh-pilot-59899

01/31/2022, 2:23 PM

Maybe you can try using a UserAssigned Identity which you can create before the App and do the Assignment also before the App creation

fresh-pilot-59899

01/31/2022, 2:23 PM

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

swift-hamburger-98290

01/31/2022, 3:41 PM

Yes, the chicken/egg problem. It is not really a cyclic dependency in the sense that we can declare the infrastructure properly, and the end result is correct. But along the way there are some inconsistencies. That might work yes. We will have a look. Thank you

👍 1

9 Views

Open in Slack

Previous Next