Coder Perfect

Azure ARM templates in Github Actions Keyvault Policies

Problem

My cloud resources are created via a .bicep file, one of which is a new key vault into which I can save connection strings from various resources, such as the ACR username/password, the Redis connection string, and so on. A GitHub Actions workflow with the action azure/arm-deploy@v1 refers to the .bicep file. I need to be able to access the secrets downstream, so I'll need to execute something that modifies the key vault policy to give the service principal I'm using in the GitHub Actions workflow get/list permissions. This is what I tried:

    - name: set policies
      continue-on-error: true
      env:
        clientId: ${{ secrets.AZURE_CREDENTIALS }}
      run: |
        az keyvault set-policy -n kv-dev-lightningocr --secret-permissions get list set --spn $clientId

However, as demonstrated in the screenshot below, the $clientId is not entered as expected:

Setting policies directly in the .bicep template is doable; however, I'm having trouble doing so because I'm not sure how to substitute the value for the objectId in the template.

    resource keyVaultPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2021-06-01-preview' = {
      name: '${keyVault.name}/add'
      properties: {
        accessPolicies: [
          {
            tenantId: subscription().tenantId
            objectId: // how to get the objectId of the service principal that calls the azure deploy action?
            permissions: {
              keys: []
              secrets: [
                'get'
                'list'
              ]
              certificates: []
            }
          }
        ]
      }
    }

I’ve scoured the Microsoft material, but it’s like hunting for a needle in a haystack, so any particular answers to this very specific query would be greatly appreciated.

Asked by Ahsin Shabbir

Solution #1

Except for those that are associated with Azure resources as a System-Assigned Identity or User-Assigned Identity, it is not feasible to reference Azure AD objects from an ARM template.

As an example, a virtual machine's System-Assigned Identity (SAI) or User-Assigned Identity (UAI):

    "[reference(resourceId('Microsoft.Compute/virtualMachines', variables('vmName')),'2019-12-01', 'Full').identity.principalId]",

For now, the only options are to retrieve the service principal object ID through the Portal, the Azure AD PowerShell module, or the az CLI, or to copy the clientId from the GitHub Actions environment variable.

Then simply paste it into the bicep template below:

    // Placeholder parameter: the object ID copied from the portal, az CLI,
    // PowerShell or the environment variable is passed in at deployment time.
    param spObjectId string

    // keyVault is the vault resource declared earlier in the same file.
    resource keyVaultPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2021-06-01-preview' = {
      name: '${keyVault.name}/add'
      properties: {
        accessPolicies: [
          {
            tenantId: subscription().tenantId
            objectId: spObjectId // copied from portal, az cli, powershell or environment variable
            permissions: {
              keys: []
              secrets: [
                'get'
                'list'
              ]
              certificates: []
            }
          }
        ]
      }
    }

The following method of using the environment variable is similarly incorrect.

    - name: set policies
      continue-on-error: true
      env:
        clientId: ${{ secrets.AZURE_CREDENTIALS }}
      run: |
        az keyvault set-policy -n kv-dev-lightningocr --secret-permissions get list set --spn $clientId

secrets.AZURE_CREDENTIALS will look like this, and you're referring to the clientId with the entire Azure credential environment variable, which isn't possible.

    {
      "clientId": "<GUID>",
      "clientSecret": "<GUID>",
      "subscriptionId": "<GUID>",
      "tenantId": "<GUID>",
      (...)
    }

AZURE_CREDENTIALS is the credential variable used to log into Azure, as shown below:

    steps:
      # checkout the repo
      - uses: actions/checkout@v2
      - uses: Azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

As a result, you'll have to hard code it in the GitHub Actions workflow as well:

    - name: set policies
      continue-on-error: true
      run: |
        az keyvault set-policy -n kv-dev-lightningocr --secret-permissions get list set --spn <ClientID>

Reference:

Use Azure Key Vault secrets in GitHub Actions workflows with a quickstart | Microsoft Docs

Using Azure Pipelines to set the Key Vault Access Policy

Answered by AnsumanBal-MT
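An added example, not code from the question or the answer, that derives both values instead of hard-coding them: it parses clientId out of the AZURE_CREDENTIALS JSON with POSIX tools and shows the az calls that turn it into the object ID a Key Vault access policy needs. The vault name is the one from the question; the Bicep parameter name spObjectId and the sample credential values are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or the answer).
# Derives the two values the answer hard-codes: the clientId from the
# AZURE_CREDENTIALS JSON, and the service principal object ID that the
# Key Vault access policy's objectId field actually requires.
# Assumptions: JSON shape as quoted in the answer (az ad sp create-for-rbac
# --sdk-auth output); the Bicep parameter name spObjectId is hypothetical.

# Pull one string-valued key out of the credentials JSON with POSIX tools only
# (no jq dependency on the runner). Usage: json_field "$json" clientId
json_field() {
  printf '%s\n' "$1" | tr -d '\n' \
    | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Map the application (client) ID to the service principal's object ID.
# Only meaningful after Azure/login has authenticated the runner.
sp_object_id() {
  az ad sp show --id "$1" --query id -o tsv
}

# Compose the CLI call. --object-id takes the resolved object ID directly,
# whereas --spn (used in the question) looks the principal up by app id.
set_policy_cmd() {
  printf 'az keyvault set-policy -n %s --object-id %s --secret-permissions get list\n' "$1" "$2"
}

# Constructed sample credential for offline use; these are not real values.
SAMPLE_CREDS='{
  "clientId": "11111111-2222-3333-4444-555555555555",
  "clientSecret": "placeholder-secret",
  "subscriptionId": "66666666-7777-8888-9999-000000000000",
  "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}'

# In the workflow's run: step, with the real secret exported as AZURE_CREDENTIALS:
#   client_id=$(json_field "$AZURE_CREDENTIALS" clientId)
#   object_id=$(sp_object_id "$client_id")
#   az deployment group create -g <resource-group> -f main.bicep -p spObjectId="$object_id"
#   # or, without touching the Bicep file:
#   az keyvault set-policy -n kv-dev-lightningocr --object-id "$object_id" --secret-permissions get list
client_id=$(json_field "$SAMPLE_CREDS" clientId)
echo "clientId parsed from credentials: $client_id"
set_policy_cmd kv-dev-lightningocr "<object id returned by sp_object_id>"
```

The clientId is only the lookup key: access policies are keyed on the principal's object ID, which current az releases return as id (older releases expose it as objectId).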

Post is based on https://stackoverflow.com/questions/70646417/azure-arm-templates-in-github-actions-keyvault-policies