How to set access policy on Key Vault in another subscription aka How to deploy to resource group in another subscription using ARM template?

Posted on 28.02.2020 by abatishchev

The model for my Service Fabric infrastructure consists of two major parts:

  • Data Center (think Azure region)
  • Scale Unit (think Service Fabric cluster and its child resources)

But today due to the limitation around AAD first party application we decided to add one more level on top of it:

  • Global secrets (think 1PA token encryption/decryption certificate)

What means the Key Vault extension now needs to download yet another certificate from a global Key Vault. It will use User-Assigned Identity to authorize on this Key Vault. What means the Key Vault needs to have the appropriate access policies. But here’s the challenge:

  • Subscription 1
    • Resource Group 1 (Global Secrets)
      • Global Key Vault
  • Subscription 2
    • Resource Group 2 (DC)
      • Regional Key Vault
    • Resource Group 3 (SU)
      • Service Fabric cluster
      • VMSS
        • Key Vault extension runs here

What means the ARM template for UAID needs somehow set the access policy for in on a Key Vault not just in another resource group but in another subscription altogether. Here’s how to do that:

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "uaidName": {
      "type": "string"
    },
    "globalSecretsSubcriptionId": {
      "type": "string"
    },
    "globalSecretsResourceGroupName": {
      "type": "string"
    },
    "globalSecretsKvName": {
      "type": "string"
    }
  },
  "variables": {
    "apiVersion": "2019-09-01",
    "idApiVersion": "2018-11-30",
    "kvApiVersion": "2019-09-01",
    "tenantId": "[subscription().tenantId]",
    "uaidRef": "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('uaidName'))]"
  },
  "resources": [
    {
      "name": "[concat('KeyVault-Global-', parameters('uaidName'))]",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "[variables('apiVersion')]",
      "subscriptionId": "[parameters('globalSecretsSubscriptionId')]",
      "resourceGroup": "[parameters('globalSecretsResourceGroupName')]",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.KeyVault/vaults/accessPolicies",
              "name": "[concat(parameters('globalSecretsKvName'), '/add')]",
              "apiVersion": "[variables('kvApiVersion')]",
              "properties": {
                "accessPolicies": [
                  {
                    "tenantId": "[variables('tenantId')]",
                    "objectId": "[reference(variables('uaidRef'), variables('idApiVersion')).principalId]",
                    "permissions": {
                      "keys": [
                      ],
                      "secrets": [
                        "Get"
                      ],
                      "certificates": [
                        "Get"
                      ]
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
  ]
}
This entry was posted in Infrastructure and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.