Hi, I'm trying to create an access policy for an e...
# azure
Hi, I'm trying to create an access policy for an existing keyvault. I'm using GetVault.Invoke from azure native using a different provider (our keyvaults are on a different subscription to the one I'm creating webapps on etc.) and then using the original azure package to create the access policy and everything works nicely when I pulumi up from my command line. I can find the access policies using resources.azure.com. However, when running the stack via azure pipelines this step fails claiming that it can't find the resource group that the keyvault belongs to:
retrieving Key Vault "xxxxx-xxx-xx" (Resource Group "xxxxxx-xxxxx-xx"): keyvault.VaultsClient#Get: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="ResourceGroupNotFound" Message="Resource group 'xxxxxx-xxxxx-xx' could not be found."
anyone an ideas why this is?
as a note the service connection principle is in the owner role for the subscription that the the keyvault belongs to
here's the code that's creating the keyvault access policy:
private void CreateKeyVaultAccessPolicies(string resourceNamePrefix, WebApp webApp, string vaultResourceGroupName, string vaultName, Pulumi.AzureNative.Provider provider)
var webAppId = webApp.Identity.Apply(id => id?.PrincipalId ?? "11111111-1111-1111-1111-111111111111");
var getVaultInvokeArgs = new Pulumi.AzureNative.KeyVault.GetVaultInvokeArgs
VaultName = vaultName,
ResourceGroupName = vaultResourceGroupName,
var keyVault = Pulumi.AzureNative.KeyVault.GetVault.Invoke(getVaultInvokeArgs, new InvokeOptions { Provider = provider });
var vaultId = keyVault.Apply(v => v.Id);
var clientConfigResult = Output.Create(Pulumi.AzureNative.Authorization.GetClientConfig.InvokeAsync());
var accessPolicyArgs = new Pulumi.Azure.KeyVault.AccessPolicyArgs
KeyVaultId = vaultId,
TenantId = clientConfigResult.Apply(c=>c.TenantId),
ObjectId = webAppId,
SecretPermissions =
var accessPolicy = new Pulumi.Azure.KeyVault.AccessPolicy($"{resourceNamePrefix}keyVaultAccessPolicies",accessPolicyArgs);
👀 1