# azure
s
a
as a note the service connection principal is in the owner role for the subscription that the keyvault belongs to
here's the code that's creating the keyvault access policy:
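/// <summary>
/// Adds a Key Vault access policy that grants the web app's identity principal
/// <c>Get</c> and <c>List</c> on secrets in the vault named by
/// <paramref name="vaultName"/> inside <paramref name="vaultResourceGroupName"/>.
/// </summary>
/// <param name="resourceNamePrefix">Prefix for the Pulumi resource name of the access policy.</param>
/// <param name="webApp">Web app whose identity principal receives the policy.</param>
/// <param name="vaultResourceGroupName">Resource group containing the vault.</param>
/// <param name="vaultName">Name of the vault the policy is attached to.</param>
/// <param name="provider">Explicit AzureNative provider used for the vault and client-config lookups.</param>
/// <exception cref="ArgumentNullException"><paramref name="webApp"/> or <paramref name="provider"/> is null.</exception>
/// <exception cref="ArgumentException">A vault name or resource group name is empty.</exception>
/// <exception cref="InvalidOperationException">
/// Raised when the web app's identity is resolved without a principal id, instead of
/// silently creating a policy entry for a placeholder object id.
/// </exception>
private void CreateKeyVaultAccessPolicies(string resourceNamePrefix, WebApp webApp, string vaultResourceGroupName, string vaultName, Pulumi.AzureNative.Provider provider)
{
    if (webApp is null) throw new ArgumentNullException(nameof(webApp));
    if (provider is null) throw new ArgumentNullException(nameof(provider));
    if (string.IsNullOrWhiteSpace(vaultName)) throw new ArgumentException("Vault name is required.", nameof(vaultName));
    if (string.IsNullOrWhiteSpace(vaultResourceGroupName)) throw new ArgumentException("Vault resource group name is required.", nameof(vaultResourceGroupName));

    // Fail instead of falling back to a made-up object id: a policy for a principal
    // that does not exist grants nothing and hides the missing managed identity.
    var webAppObjectId = webApp.Identity.Apply(identity =>
        identity?.PrincipalId
        ?? throw new InvalidOperationException("Web app has no identity principal; enable a managed identity before granting Key Vault access."));

    var invokeOptions = new InvokeOptions { Provider = provider };

    var vaultLookup = Pulumi.AzureNative.KeyVault.GetVault.Invoke(
        new Pulumi.AzureNative.KeyVault.GetVaultInvokeArgs
        {
            VaultName = vaultName,
            ResourceGroupName = vaultResourceGroupName,
        },
        invokeOptions);

    // Resolve the tenant through the same explicit provider as the vault lookup, so the
    // policy's TenantId cannot silently come from a different (default) provider configuration.
    var clientConfig = Output.Create(Pulumi.AzureNative.Authorization.GetClientConfig.InvokeAsync(invokeOptions));

    var accessPolicyArgs = new Pulumi.Azure.KeyVault.AccessPolicyArgs
    {
        KeyVaultId = vaultLookup.Apply(v => v.Id),
        TenantId = clientConfig.Apply(c => c.TenantId),
        ObjectId = webAppObjectId,
        // Read-only secret access; no key or certificate permissions are granted.
        SecretPermissions =
        {
            "Get",
            "List"
        }
    };

    // NOTE(review): the classic Pulumi.Azure AccessPolicy resource is created without resource
    // options, so it uses the default Pulumi.Azure credentials rather than `provider` — confirm
    // those credentials target the same subscription/tenant as the explicit provider.
    // The resource is registered with Pulumi on construction; the instance itself is not needed.
    _ = new Pulumi.Azure.KeyVault.AccessPolicy($"{resourceNamePrefix}keyVaultAccessPolicies", accessPolicyArgs);
}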