How to combine Key Vault access policy for AAD application and user-assigned managed identity in single ARM template

On other day I was exploring how to grant access for a user-assigned managed identity to a key vault. But here’s a more advanced scenario: let’s say legacy code uses an AAD application to access the key vault and modern code uses an identity.

How to grant access to either one or another based on some condition? Turns out it’s quite easy:

{
   "accessPolicies":[
     {
       "tenantId":"[variables('tenantId')]",
       "objectId":"[if(empty(parameters('objectId')), reference(concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('identityName')), variables('idApiVersion')).principalId, parameters('objectId'))]",
       "permissions":{
         "keys":[
           "Get",
           "List"
         ],
         "secrets":[
           "Get",
           "List"
         ],
         "certificates":[
           "Get",
           "List"
         ]
       }
     }
   ]
 }

In this case if objectId is empty (its default value) then it means the identity shall be used.

This entry was posted in Programming and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.