01/20/2022, 2:31 PM
Hi, I'm trying to create an access policy for an existing keyvault. I'm using GetVault.Invoke from azure native using a different provider (our keyvaults are on a different subscription to the one I'm creating webapps on etc.) and then using the original azure package to create the access policy and everything works nicely when I pulumi up from my command line. I can find the access policies using However, when running the stack via azure pipelines this step fails claiming that it can't find the resource group that the keyvault belongs to:
retrieving Key Vault "xxxxx-xxx-xx" (Resource Group "xxxxxx-xxxxx-xx"): keyvault.VaultsClient#Get: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="ResourceGroupNotFound" Message="Resource group 'xxxxxx-xxxxx-xx' could not be found."
Anyone any ideas why this is?
As a note, the service connection principal is in the owner role for the subscription that the keyvault belongs to.
Here's the code that's creating the keyvault access policy:
private void CreateKeyVaultAccessPolicies(string resourceNamePrefix, WebApp webApp, string vaultResourceGroupName, string vaultName, Pulumi.AzureNative.Provider provider)
{
    // Fall back to a placeholder GUID when the web app has no identity.
    var webAppId = webApp.Identity.Apply(id => id?.PrincipalId ?? "11111111-1111-1111-1111-111111111111");
    var getVaultInvokeArgs = new Pulumi.AzureNative.KeyVault.GetVaultInvokeArgs
    {
        VaultName = vaultName,
        ResourceGroupName = vaultResourceGroupName,
    };
    // Look up the existing vault using the provider passed in (other subscription).
    var keyVault = Pulumi.AzureNative.KeyVault.GetVault.Invoke(getVaultInvokeArgs, new InvokeOptions { Provider = provider });
    var vaultId = keyVault.Apply(v => v.Id);
    // Client config is read with the default provider; no InvokeOptions are passed.
    var clientConfigResult = Output.Create(Pulumi.AzureNative.Authorization.GetClientConfig.InvokeAsync());
    var accessPolicyArgs = new Pulumi.Azure.KeyVault.AccessPolicyArgs
    {
        KeyVaultId = vaultId,
        TenantId = clientConfigResult.Apply(c => c.TenantId),
        ObjectId = webAppId,
        SecretPermissions =
        {
            // permission values are not shown in the original post
        },
    };
    // The policy is created without CustomResourceOptions, so it uses the default provider.
    var accessPolicy = new Pulumi.Azure.KeyVault.AccessPolicy($"{resourceNamePrefix}keyVaultAccessPolicies", accessPolicyArgs);
}