Coder Perfect

How can I assign RBAC to another resourceGroup’s KeyVault?


I am deploying a couple of web apps – as the web apps build I need to be able to assign the system identity of each web app to an RABC role for a KeyVault in another resource group that has my certificates.

The plan is that once the web apps are live, I’ll use the certificates from the second key vault to create custom domains.

I’m attempting something similar to this.

resource certVault'Microsoft.Authorization/roleAssignments@2020-04-01-preview'   = {
  name: keyVaultName
  properties: {
    principalId: AppService.outputs.webAppSystemID
    roleDefinitionId: roleid

Update: I tried this, but it didn’t work.

resource certKeyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: 'certbotkv423452'
  scope: resourceGroup(subscription().subscriptionId, 'rg-cert-keyvault' )

resource roleAssignSecretsUser 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [ for i in range(0, length(webAppSettings.webApps)): {
  name: guid(subscription().id, toLower('app-${webAppSettings.webApps[i].name}-${resourceGroupNameSuffix}'), roleDefinitionId,'-0${(i + 1)}')
  scope: certKeyVault
  properties: {
    principalId: AppService[i].outputs.webAppSystemID
    principalType: 'ServicePrincipal'
    roleDefinitionId: roleDefinitionId

So, how do I assign the role using the system-assigned ID from the webapp?


Asked by JacksWastedLife

Solution #1

On the module with RBAC assignment, you must set scope (your second snippet).

The scope of the module should be the same as the scope of the existing key vault resource.

Answered by Miq

Post is based on