Bicep template system assigned keyvault secrets ignored for Microsoft.App/jobs

[filipreft]

Adding key vault secret refs to bicep template for azure container jobs are completely ignored and not added to the resource when using 'System' as identity, (tested with multiple bicep template versions).

If I manually add the system assigned identity to the key vault, as a secret user, after the container job has been created and redeploy, the secret is then registered.

Also tested with user assigned identity and 'key vault secret user' permissions and that works.

resource containerJob 'Microsoft.App/jobs@2023-05-02-preview' = {
  name: '${prefixes.companyNameShort}-${prefixes.containerJob}-${containerJobName}-${environment}'
  location: location
  properties: {
    environmentId: containerAppEnvironment.id
    configuration: {
      secrets: [
        // works
        {
          name: 'test'
          value: 'test'
        }
        // doesnt work
        {
          name: 'secretpass'
          keyVaultUrl: '${keyVault.properties.vaultUri}secrets/${serviceBusScaleRule.connectionStringSecretName}'
          identity: 'System'
        }
      ]
    }
    ...
  }
  identity: {
    type: 'SystemAssigned, UserAssigned'
    userAssignedIdentities: {
      '${acrPullIdentity.id}': {}
      '${serviceBusDataOwnerIdentity.id}': {}
    }
  }
}

[ahelland]

The system assigned identity isn't created until after the container has been spun up, so could this be a chicken and egg problem just like having to use user assigned identities for the image pull?

[alex-frankel]

@ahelland is right. You might need to redeploy the resource inside a module which adds the object that uses the System Assigned MI.