Assign RBAC role to Key Vault in other Resource Group (same subscription) #4793
-
|
I have a key vault containing certificates in another resource group, in the same subscription. I need to assign the This is what I have so far: roleAssignments.bicep param appGatewayFrontendIdentityName string
param ingressControllerPodIdentityName string
param keyVaultName string
param keyVaultResourceGroup string
resource appGatewayFrontendIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = {
name: appGatewayFrontendIdentityName
}
resource ingressControllerPodIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = {
name: ingressControllerPodIdentityName
}
// Get existing key vault that contains the app gateway and ingress certificates
resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
name: keyVaultName
scope: resourceGroup(keyVaultResourceGroup)
}
// Assign the Key Vault Secrets User Role to the App Gateway Frontend Managed Identity
resource appGatewayFrontendIdentityRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
name: guid('Key Vault Secrets User', appGatewayFrontendIdentity.id, subscription().subscriptionId)
scope: keyVault
properties: {
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
principalId: appGatewayFrontendIdentity.properties.principalId
principalType: 'ServicePrincipal'
}
}
// Assign the Key Vault Secrets User role to the ingress controller pod managed identity, this allows our ingress controller to pull certificates
resource ingressControllerPodIdentityRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
name: guid('Key Vault Secrets User', ingressControllerPodIdentity.id, subscription().subscriptionId)
scope: keyVault
properties: {
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
principalId: ingressControllerPodIdentity.properties.principalId
principalType: 'ServicePrincipal'
}
}main.bicep module keyVaultRoleAssignments 'modules/keyVaultRoleAssignments.bicep' = {
name: 'keyvault-roleassignments-${environmentName}-${resourceNameSuffix}'
scope: resourceGroup(keyVaultResourceGroup)
params: {
appGatewayFrontendIdentityName: appGatewayFrontendIdentityName
ingressControllerPodIdentityName: ingressControllerPodIdentityName
}
}It doesn't like the Can anyone assist please? Thanks |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 11 replies
-
|
given that your Module is already going to be executing this deployment in the 'keyVaultResourceGroup', you can remove that line with the // Get existing key vault that contains the app gateway and ingress certificates
resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
name: keyVaultName
// scope: resourceGroup(keyVaultResourceGroup)
} |
Beta Was this translation helpful? Give feedback.
-
|
That's a good point, thanks. When I do the deploy, the error is that the identities can't be found in that resource group (which is correct), but I'm struggling to assign those roles to the existing key vault. I'm probably missing something obvious, but I just can't see it at the moment 😐 |
Beta Was this translation helpful? Give feedback.
-
|
I see, did you try adding the scope to the Another way to get the objectId that you need is to pull it directly from AKS.
|
Beta Was this translation helpful? Give feedback.
-
|
Try: scope: resourceGroup('otherresourcegroup') |
Beta Was this translation helpful? Give feedback.
-
|
here are the docs
|
Beta Was this translation helpful? Give feedback.
-
|
I'll give that a go and report back, thanks again! |
Beta Was this translation helpful? Give feedback.
-
|
@brwilkinson sorry for not getting back to you sooner - that worked for me: Module @description('The name of the resource group where the managed identities are located')
param identityResourceGroupName string
@description('The name of the application gateway managed identity')
param appGatewayFrontendIdentityName string
@description('The name of the ingress controller pod managed identity')
param ingressControllerPodIdentityName string
@description('The name of the key vault where the application gateway and ingress controller certificates are located')
param keyVaultName string
resource appGatewayFrontendIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = {
scope: resourceGroup(identityResourceGroupName)
name: appGatewayFrontendIdentityName
}
resource ingressControllerPodIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = {
scope: resourceGroup(identityResourceGroupName)
name: ingressControllerPodIdentityName
}
resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
name: keyVaultName
}
// Assign the Key Vault Secrets User role to the application gateway managed identity. This allows pulling frontend and backend certificates
resource appGatewayFrontendIdentityRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
name: guid('Key Vault Secrets User', appGatewayFrontendIdentity.id, subscription().subscriptionId)
scope: keyVault
properties: {
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
principalId: appGatewayFrontendIdentity.properties.principalId
principalType: 'ServicePrincipal'
}
}
// Assign the Key Vault Secrets User role to the ingress controller pod managed identity. This allows our ingress controller to pull certificates
resource ingressControllerPodIdentityRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
name: guid('Key Vault Secrets User', ingressControllerPodIdentity.id, subscription().subscriptionId)
scope: keyVault
properties: {
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
principalId: ingressControllerPodIdentity.properties.principalId
principalType: 'ServicePrincipal'
}
}Main module keyVaultRoleAssignments 'modules/keyVaultRoleAssignments.bicep' = {
scope: resourceGroup(keyVaultResourceGroup)
name: 'keyvault-roleassignments-${environmentName}-${resourceNameSuffix}'
params: {
ingressControllerPodIdentityName: ingressControllerPodIdentity.name
identityResourceGroupName: resourceGroup().name
keyVaultName: keyVaultName
appGatewayFrontendIdentityName: appGatewayFrontendIdentity.name
}
}Thanks for your help with this - you've been a great help on some of my bicep issues recently, so really appreciate it! 😃 |
Beta Was this translation helpful? Give feedback.
-
|
looks good, thanks for the update. . . We all learn together 👍 |
Beta Was this translation helpful? Give feedback.
I see, did you try adding the scope to the
userAssignedIdentitiesexisting resource reference?Another way to get the objectId that you need is to pull it directly from AKS.
https://github.com/brwilkinson/AzureDeploymentFramework/blob/53492685ef6b86070d97cc46d40efb7946f95508/ADF/bicep/AKS-AKS-RBAC.bicep#L44
AKS.properties.addonProfiles.IngressApplicationGateway.identity.objectId