Home > Mobile >  Error in ARM/Bicep template using deploymentScript running Azure command
Error in ARM/Bicep template using deploymentScript running Azure command

Time:11-16

I have a Bicep template with a deployment script in it deploymentScript that should execute a certain Azure command.

But when I run my template it returns this error when it runs the deploymentScript:

The service does not have access to '/subscriptions/3449f684-xxxx-xxxxx/resourceGroups/MyResourceGroup/providers/Microsoft.KeyVault/vaults/my-vault-name' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation

I have setup a Managed Identity and added Administrator roles to it for the KeyVault.

enter image description here

In KeyVault I have RBAC enabled. When I check the Access Policies in KeyVault then I do see that the Managed Identity is linked to it.

enter image description here

I would say it's even an overkill of Roles added to it.

Then lastly, my deploymentScript is setup like this:

resource siteCertificatesScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'siteCertificates'
  location: location
  kind: 'AzurePowerShell'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '/subscriptions/3449f684-xxxx-xxxx/resourceGroups/MyResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-vault-name': {}
    }
  }
  properties: {
    azPowerShellVersion: '8.3'
    scriptContent: '$Secure_String_Pwd = ConvertTo-SecureString "MyPassword" -AsPlainText -Force; 
         Import-AzKeyVaultCertificate -VaultName "${keyVaultName}" -Name "${resourcePrefix}-cert-signing" -CertificateString "${certSigningBase64}" -Password $Secure_String_Pwd'
    timeout: 'PT1H'
    cleanupPreference: 'OnSuccess'
    retentionInterval: 'P1D'
  }
}

But why does my deploymentScript fails with the message that it doesn't have enough rights?

I don't see what I'm forgetting.

CodePudding user response:

You might need to grant the Microsoft.KeyVault/vaults/deploy/action permission to the identity that is deploying the arm/bicep template. I think the Key Vault Administrator roles does not have this permission:

enter image description here

This is a keyvault provider permission, it is separate from the other microsoft.resources permissions.

Please take a look at: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#grant-deployment-access-to-the-secrets

  • Related