Is it possible to set key vault access policies for multiple object ids using a parameter of array type via ARM Template?

    "policies": {
      "value": [
        {
          "objectId": "<object-id-1>",
          "permissions": ["get", "set", "list"]
        },
        {
          "objectId": "<object-id-2>",
          "permissions": ["get", "set", "list"]
        }
      ]
    }

I need to set key vault access policies to two object ids as shown above. This is what I have tried:

[screenshot of the attempted template]

I see the following error:

[error]InvalidTemplate: Deployment template validation failed: 'The resource 'Microsoft.KeyVault/vaults/keyvaultname/accessPolicies/add' is defined multiple times in a template.

  • So what's your question? Any error? Commented Jun 18, 2020 at 7:47
  • Yes updated the question. Please check the description. Commented Jun 18, 2020 at 8:09

2 Answers

Looks like you are almost there. Here is a modification of what you posted that I have working.

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "keyVaultName": {
          "type": "string"
        },
        "policies": {
          "type": "array",
          "metadata": {
            "description": "Array of object ids and permissions."
          }
        }
      },
      "resources": [
        {
          "type": "Microsoft.KeyVault/vaults/accessPolicies",
          "name": "[concat(parameters('keyVaultName'), '/add')]",
          "apiVersion": "2019-09-01",
          "properties": {
            "copy": [
              {
                "name": "accessPolicies",
                "count": "[length(parameters('policies'))]",
                "input": {
                  "tenantId": "[parameters('policies')[copyIndex('accessPolicies')].tenantId]",
                  "objectId": "[parameters('policies')[copyIndex('accessPolicies')].objectId]",
                  "permissions": {
                    "keys": "[parameters('policies')[copyIndex('accessPolicies')].keys]",
                    "secrets": "[parameters('policies')[copyIndex('accessPolicies')].secrets]",
                    "certificates": "[parameters('policies')[copyIndex('accessPolicies')].certificates]"
                  }
                }
              }
            ]
          }
        }
      ]
    }

Here is the PowerShell variable that I splatted on the deployment call.

    $parameters = @{
      'keyVaultName' = 'kv62443460'
      'policies' = @(
        @{
            'tenantId' = '<GUID>'
            'objectId' = '<GUID>'
            'keys' = @()
            'secrets' = @('get')
            'certificates' = @()
        },
        @{
            'tenantId' = '<GUID>'
            'objectId' = '<GUID>'
            'keys' = @()
            'secrets' = @()
            'certificates' = @('list')
        }
      )
    }
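As an added example (not part of the answer above), a pre-deployment check written in Python over the same array shape the template's copy loop expects: it verifies that every element carries the five fields the `copyIndex` expressions dereference, that the ids are GUIDs, that each principal appears only once, and that every permission name is one the access-policy resource accepts, flagging `all` and `purge` for review. The sample array is constructed; the permission sets are the subset of the Key Vault access-policy enum I am certain of.

```python
import uuid

# Fields the answer's copy loop dereferences per element; a missing one fails at deployment.
REQUIRED = ("tenantId", "objectId", "keys", "secrets", "certificates")
# Permission names Microsoft.KeyVault/vaults/accessPolicies accepts (matched case-insensitively).
ALLOWED = {
    "keys": {"get", "list", "update", "create", "import", "delete", "recover", "backup",
             "restore", "decrypt", "encrypt", "unwrapkey", "wrapkey", "verify", "sign",
             "purge", "all"},
    "secrets": {"get", "list", "set", "delete", "backup", "restore", "recover", "purge", "all"},
    "certificates": {"get", "list", "update", "create", "import", "delete", "recover",
                     "backup", "restore", "managecontacts", "manageissuers", "getissuers",
                     "listissuers", "setissuers", "deleteissuers", "purge", "all"},
}
BROAD = {"all", "purge"}  # grants worth a second look before they ship

def _is_guid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False

def validate_policies(policies):
    """Return findings for the 'policies' array; an empty list means it is safe to deploy."""
    findings, seen = [], set()
    for i, entry in enumerate(policies):
        missing = [f for f in REQUIRED if f not in entry]
        if missing:
            findings.append(f"policies[{i}]: missing {missing}")
            continue
        for field in ("tenantId", "objectId"):
            if not _is_guid(entry[field]):
                findings.append(f"policies[{i}]: {field} is not a GUID")
        # Two entries for one principal leave the effective permissions ambiguous.
        principal = (str(entry["tenantId"]).lower(), str(entry["objectId"]).lower())
        if principal in seen:
            findings.append(f"policies[{i}]: duplicate objectId {entry['objectId']}")
        seen.add(principal)
        for kind in ("keys", "secrets", "certificates"):
            for perm in entry[kind]:
                if str(perm).lower() not in ALLOWED[kind]:
                    findings.append(f"policies[{i}]: unknown {kind} permission '{perm}'")
                elif str(perm).lower() in BROAD:
                    findings.append(f"policies[{i}]: broad {kind} permission '{perm}'")
    return findings

# Constructed sample with the same shape as the answer's $parameters['policies'].
TENANT = "11111111-1111-1111-1111-111111111111"
SAMPLE = [{"tenantId": TENANT, "objectId": "22222222-2222-2222-2222-222222222222",
           "keys": [], "secrets": ["get"], "certificates": []},
          {"tenantId": TENANT, "objectId": "33333333-3333-3333-3333-333333333333",
           "keys": [], "secrets": [], "certificates": ["list"]}]
```

Run `validate_policies` on the array before handing it to the deployment cmdlet; a non-empty result means the template would either fail or grant more than intended.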
For anyone who wants to retrieve the ObjectId dynamically, you can try the following.

    "variables": {
      "functionAppName": [
        {
          "appName": "[concat('ResourceName-',parameters('environment'))]"
        }
      ]
    }
    ...
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "name": "[concat(variables('keyVaultName'), '/add')]",
      "apiVersion": "2021-11-01-preview",
      "properties": {
        "copy": [
          {
            "name": "accessPolicies",
            "count": "[length(variables('functionAppName'))]",
            "input": {
              "tenantId": "[subscription().tenantId]",
              "objectId": "[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')[copyIndex('accessPolicies')].appName),'2019-08-01', 'full').identity.principalId]",
              "permissions": {
                "secrets": [ "get", "list" ]
              }
            }
          }
        ]
      }
    }

1 Comment

As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.