Apply access policies to different resource group #5785
-
|
Hello everyone, My resources are deployed as follow:
I'm not able to add access policies to KeyVault (RG1) using the managed identity DataFactory (RG2). What should be my targetScope in this case? Thank you! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 9 replies
-
|
I would recommend to move away from using accessPolicies all together. There is a newer model, called RBAC. Here is the guide. https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azurepowershell if you are doing a Resource Group (RG) deployment, you don't need any scope (resource group works fine). you can leverage this scope property to reference a keyvault in an alternate RG. https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/VM.bicep#L62 resource KV 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
name: HubKVName
scope: resourceGroup(HubKVRGName)
} |
Beta Was this translation helpful? Give feedback.
-
|
okay updating comment based on that... you can put the role assignment into a separate Bicep file, then call that as a module in the scope of the RG. |
Beta Was this translation helpful? Give feedback.
-
|
Then I'm getting this nice error :)
|
Beta Was this translation helpful? Give feedback.
-
|
oh yes, makes sense, see the previous comment. |
Beta Was this translation helpful? Give feedback.
-
|
This is the example of using a module to call the role assignment against a resource group. https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/sub-RBAC-ALL.bicep#L80 module RBACRARG 'sub-RBAC-ALL-RA-RG.bicep' = [for (rbac, index) in roleAssignment: if (Enviro != 'G0' && Enviro != 'M0') {
name: replace('dp-rbac-all-ra-${roleInfo.name}-${index}','@','_')
scope: resourceGroup(rbac.DestSubscriptionID,'${rbac.DestPrefix}-${Global.OrgName}-${rbac.DestApp}-RG-${rbac.DestRG}')
params:{
description: roleInfo.name
name: rbac.GUID
roledescription: rbac.RoleName
roleDefinitionId: '${rbac.DestSubscription}/providers/Microsoft.Authorization/roleDefinitions/${rbac.RoleID}'
principalType: rbac.principalType
principalId: providerPath == 'guid' ? roleInfo.name : length(providerPath) == 0 ? rolesLookup[roleInfo.name] : /*
*/ reference('${rbac.DestSubscription}/resourceGroups/${rbac.SourceRG}/providers/${providerPath}/${Deployment}${namePrefix}${roleInfo.Name}',providerAPI).principalId
}
}]You can just use the samples above in that module filename.bicep |
Beta Was this translation helpful? Give feedback.
-
|
I'll try it out thanks. |
Beta Was this translation helpful? Give feedback.
I would recommend to move away from using accessPolicies all together.
There is a newer model, called RBAC.
Here is the guide.
https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azurepowershell
if you are doing a Resource Group (RG) deployment, you don't need any scope (resource group works fine).
you can leverage this scope property to reference a keyvault in an alternate RG.
https://github.com/brwilkinson/AzureDeploymentFramework/blob/main/ADF/bicep/VM.bicep#L62