I have a Bicep template with a deploymentScript in it that should execute a certain Azure command.
But when I run my template, it returns this error when it runs the deploymentScript:
The service does not have access to '/subscriptions/3449f684-xxxx-xxxxx/resourceGroups/MyResourceGroup/providers/Microsoft.KeyVault/vaults/my-vault-name' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation
I have set up a Managed Identity and added Administrator roles to it for the Key Vault.
In Key Vault I have RBAC enabled. When I check the Access Policies in Key Vault, I do see that the Managed Identity is linked to it.
I would say it's even an overkill of roles added to it.
Then lastly, my deploymentScript is set up like this:
resource siteCertificatesScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'siteCertificates'
  location: location
  kind: 'AzurePowerShell'
  // The script runs as this user-assigned managed identity, not as the principal deploying the template.
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '/subscriptions/3449f684-xxxx-xxxx/resourceGroups/MyResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-vault-name': {}
    }
  }
  properties: {
    azPowerShellVersion: '8.3'
    // Single-quoted Bicep strings cannot span lines, so the script is kept on one line to allow ${} interpolation.
    // Note that the certificate password and the base64 certificate are embedded in scriptContent and stored with the resource.
    scriptContent: '$Secure_String_Pwd = ConvertTo-SecureString "MyPassword" -AsPlainText -Force; Import-AzKeyVaultCertificate -VaultName "${keyVaultName}" -Name "${resourcePrefix}-cert-signing" -CertificateString "${certSigningBase64}" -Password $Secure_String_Pwd'
    timeout: 'PT1H'
    cleanupPreference: 'OnSuccess'
    retentionInterval: 'P1D'
  }
}
But why does my deploymentScript fail with the message that it doesn't have enough rights?
I don't see what I'm forgetting.
CodePudding user response:
You might need to grant the Microsoft.KeyVault/vaults/deploy/action
permission to the identity that is deploying the ARM/Bicep template. I think the Key Vault Administrator role does not have this permission:
this is a Key Vault provider permission; it is separate from the other Microsoft.Resources
permissions.
Please take a look at: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#grant-deployment-access-to-the-secrets
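As an added example (not part of the answer above, and not the asker's template), here is how the Microsoft.KeyVault/vaults/deploy/action permission from the linked documentation can be granted with Bicep instead of the Azure CLI: a custom role containing only that single action, assigned at the scope of one existing vault to the principal that runs the deployment. The parameter names (keyVaultName, deployerPrincipalId, deployerPrincipalType), the role name and the deployment at resource-group scope are assumptions for this example.

```bicep
// Added example: grant a deploying principal the Key Vault deploy action
// on a single vault. Parameter names and the custom role name are assumed.
targetScope = 'resourceGroup'

@description('Name of the existing Key Vault the template references (assumed)')
param keyVaultName string

@description('Object id of the user, service principal or managed identity that runs the deployment (assumed)')
param deployerPrincipalId string

@description('Principal type of that identity; managed identities are ServicePrincipal')
@allowed([
  'User'
  'Group'
  'ServicePrincipal'
])
param deployerPrincipalType string = 'ServicePrincipal'

// The vault already exists; we only need its resource id as an assignment scope.
resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: keyVaultName
}

// Custom role with exactly one action. Role definition names must be GUIDs,
// so a stable one is derived from the resource group id and a fixed label.
// Key Vault Administrator is a data-plane role and does not include this
// control-plane action, which is why a separate role is needed.
resource kvDeployRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  name: guid(resourceGroup().id, 'KeyVaultDeployAction')
  properties: {
    roleName: 'Key Vault resource manager template deployment operator'
    description: 'Allows a deployment principal to reference vault secrets from ARM/Bicep templates'
    type: 'CustomRole'
    assignableScopes: [
      resourceGroup().id
    ]
    permissions: [
      {
        actions: [
          'Microsoft.KeyVault/vaults/deploy/action'
        ]
        notActions: []
        dataActions: []
        notDataActions: []
      }
    ]
  }
}

// Assign the role at the vault only, so the principal gains the deploy
// action on this vault and on nothing else in the resource group.
resource kvDeployAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, deployerPrincipalId, kvDeployRole.id)
  scope: keyVault
  properties: {
    roleDefinitionId: kvDeployRole.id
    principalId: deployerPrincipalId
    principalType: deployerPrincipalType
  }
}
```

Deploy it into the vault's resource group with the object id of whichever identity submits the template (your own user, a pipeline service principal, or a managed identity), then re-run the original deployment. Two caveats: the deploy action only covers the template's references to the vault; any data-plane work the script itself performs (such as importing a certificate) still needs a data-plane role or access policy for the identity the deploymentScript runs as, and creating custom roles requires Owner or User Access Administrator rights at the assignable scope.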