# azure
Hi, I'm trying to create an access policy for an existing keyvault. I'm using GetVault.Invoke from azure native using a different provider (our keyvaults are on a different subscription to the one I'm creating webapps on etc.) and then using the original azure package to create the access policy and everything works nicely when I pulumi up from my command line. I can find the access policies using resources.azure.com. However, when running the stack via azure pipelines this step fails claiming that it can't find the resource group that the keyvault belongs to:
retrieving Key Vault "xxxxx-xxx-xx" (Resource Group "xxxxxx-xxxxx-xx"): keyvault.VaultsClient#Get: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="ResourceGroupNotFound" Message="Resource group 'xxxxxx-xxxxx-xx' could not be found."
Anyone any ideas why this is?
As a note, the service connection principal is in the Owner role for the subscription that the keyvault belongs to.
here's the code that's creating the keyvault access policy:
```csharp
private void CreateKeyVaultAccessPolicies(string resourceNamePrefix, WebApp webApp, string vaultResourceGroupName, string vaultName, Pulumi.AzureNative.Provider provider)
{
    // Object id of the web app's system-assigned identity; falls back to a placeholder GUID
    // if the web app has no identity, in which case the policy is granted to a non-existent principal.
    var webAppId = webApp.Identity.Apply(id => id?.PrincipalId ?? "11111111-1111-1111-1111-111111111111");

    // Look up the existing vault with azure-native, using the explicit provider that points at the
    // subscription the vault lives in.
    var getVaultInvokeArgs = new Pulumi.AzureNative.KeyVault.GetVaultInvokeArgs
    {
        VaultName = vaultName,
        ResourceGroupName = vaultResourceGroupName,
    };
    var keyVault = Pulumi.AzureNative.KeyVault.GetVault.Invoke(getVaultInvokeArgs, new InvokeOptions { Provider = provider });
    var vaultId = keyVault.Apply(v => v.Id);

    // Tenant id of the credential Pulumi is currently running under.
    var clientConfigResult = Output.Create(Pulumi.AzureNative.Authorization.GetClientConfig.InvokeAsync());

    // Secret read-only permissions for the web app identity.
    var accessPolicyArgs = new Pulumi.Azure.KeyVault.AccessPolicyArgs
    {
        KeyVaultId = vaultId,
        TenantId = clientConfigResult.Apply(c => c.TenantId),
        ObjectId = webAppId,
        SecretPermissions =
        {
            "Get",
            "List"
        }
    };

    // Note: no CustomResourceOptions are passed here, so this classic-azure resource is created by the
    // stack's default azure provider rather than the azure-native provider used for the lookup above.
    var accessPolicy = new Pulumi.Azure.KeyVault.AccessPolicy($"{resourceNamePrefix}keyVaultAccessPolicies", accessPolicyArgs);
}
```
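As an added example (not the poster's code), the following shows one way to keep both the vault lookup and the classic-azure access policy pinned to the vault's subscription explicitly, rather than relying on whichever subscription the running credential defaults to. It assumes a hypothetical `vaultSubscriptionId` parameter is supplied by the caller, that the web app and vault share a tenant, and that the azure-native and classic azure Pulumi packages are both referenced.

```csharp
using Pulumi;
using Azure = Pulumi.Azure;
using AzureNative = Pulumi.AzureNative;

// Added example, not code from the original post. `vaultSubscriptionId` is a hypothetical
// parameter: the subscription that owns the key vault, which may differ from the stack's default.
public static class VaultAccessPolicyExample
{
    public static Azure.KeyVault.AccessPolicy GrantSecretReadToWebApp(
        string resourceNamePrefix,
        AzureNative.Web.WebApp webApp,
        string vaultSubscriptionId,
        string vaultResourceGroupName,
        string vaultName)
    {
        // azure-native provider pinned to the vault's subscription, used for the lookup.
        var nativeVaultProvider = new AzureNative.Provider(
            $"{resourceNamePrefix}native-vault-sub",
            new AzureNative.ProviderArgs { SubscriptionId = vaultSubscriptionId });

        // classic azure provider pinned to the SAME subscription, used for the access policy resource.
        // Without an explicit provider the resource is resolved by the stack's default classic provider,
        // i.e. whatever subscription the current login or service connection defaults to.
        var classicVaultProvider = new Azure.Provider(
            $"{resourceNamePrefix}classic-vault-sub",
            new Azure.ProviderArgs { SubscriptionId = vaultSubscriptionId });

        var vault = AzureNative.KeyVault.GetVault.Invoke(
            new AzureNative.KeyVault.GetVaultInvokeArgs
            {
                VaultName = vaultName,
                ResourceGroupName = vaultResourceGroupName,
            },
            new InvokeOptions { Provider = nativeVaultProvider });

        // Fail the deployment if the web app has no system-assigned identity, instead of silently
        // granting the policy to a placeholder object id.
        var principalId = webApp.Identity.Apply(identity =>
            identity?.PrincipalId
            ?? throw new System.InvalidOperationException(
                "web app has no system-assigned identity; enable it before granting vault access"));

        // Assumption: vault and web app are in the same tenant, so the running credential's tenant applies.
        var tenantId = Output.Create(AzureNative.Authorization.GetClientConfig.InvokeAsync())
            .Apply(c => c.TenantId);

        return new Azure.KeyVault.AccessPolicy(
            $"{resourceNamePrefix}keyVaultAccessPolicies",
            new Azure.KeyVault.AccessPolicyArgs
            {
                KeyVaultId = vault.Apply(v => v.Id),
                TenantId = tenantId,
                ObjectId = principalId,
                // Least privilege: read secrets only; no key or certificate permissions.
                SecretPermissions = { "Get", "List" },
            },
            new CustomResourceOptions { Provider = classicVaultProvider });
    }
}
```

Passing the explicit classic provider in `CustomResourceOptions` makes the subscription used for the access policy visible in code and in the Pulumi preview, so a difference between a local login's default subscription and a pipeline service connection's default subscription no longer changes where the resource is looked up.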