https://pulumi.com
Join Slack
This message was deleted.
# azure
s
This message was deleted.
a
as a note the service connection principle is in the owner role for the subscription that the the keyvault belongs to
here's the code that's creating the keyvault access policy: 
private void CreateKeyVaultAccessPolicies(string resourceNamePrefix, WebApp webApp, string vaultResourceGroupName, string vaultName, Pulumi.AzureNative.Provider provider)
{
var webAppId = webApp.Identity.Apply(id => id?.PrincipalId ?? "11111111-1111-1111-1111-111111111111");
var getVaultInvokeArgs = new Pulumi.AzureNative.KeyVault.GetVaultInvokeArgs
{
VaultName = vaultName,
ResourceGroupName = vaultResourceGroupName,
};
var keyVault = Pulumi.AzureNative.KeyVault.GetVault.Invoke(getVaultInvokeArgs, new InvokeOptions { Provider = provider });
var vaultId = keyVault.Apply(v => v.Id);
var clientConfigResult = Output.Create(Pulumi.AzureNative.Authorization.GetClientConfig.InvokeAsync());
var accessPolicyArgs = new Pulumi.Azure.KeyVault.AccessPolicyArgs
{
KeyVaultId = vaultId,
TenantId = clientConfigResult.Apply(c=>c.TenantId),
ObjectId = webAppId,
SecretPermissions =
{
"Get",
"List"
}
};
var accessPolicy = new Pulumi.Azure.KeyVault.AccessPolicy($"{resourceNamePrefix}keyVaultAccessPolicies",accessPolicyArgs);
}
👀 1
9 Views
Open in Slack
PreviousNext
Powered by

Pulumi Community

No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Powered by