Problem
I am deploying a couple of web apps – as the web apps build I need to be able to assign the system identity of each web app to an RBAC role for a KeyVault in another resource group that has my certificates.
The plan is that once the web apps are live, I’ll use the certificates from the second key vault to create custom domains.
I’m attempting something similar to this.
resource certVault 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: keyVaultName
  properties: {
    principalId: AppService.outputs.webAppSystemID
    roleDefinitionId: roleid
  }
}
Update: I tried this, but it didn’t work.
resource certKeyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: 'certbotkv423452'
  scope: resourceGroup(subscription().subscriptionId, 'rg-cert-keyvault')
}

resource roleAssignSecretsUser 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for i in range(0, length(webAppSettings.webApps)): {
  name: guid(subscription().id, toLower('app-${webAppSettings.webApps[i].name}-${resourceGroupNameSuffix}'), roleDefinitionId, '-0${i + 1}')
  scope: certKeyVault
  properties: {
    principalId: AppService[i].outputs.webAppSystemID
    principalType: 'ServicePrincipal'
    roleDefinitionId: roleDefinitionId
  }
}]
So, how do I assign the role using the system-assigned ID from the webapp?
Thanks
Asked by JacksWastedLife
Solution #1
On the module with RBAC assignment, you must set scope (your second snippet).
The scope of the module should be the same as the scope of the existing key vault resource.
Answered by Miq
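The following is an added example of the pattern the answer describes, not code from the question or the answer. It splits the deployment into two files: main.bicep, deployed into the web-app resource group, and a small keyvault-rbac.bicep module that main.bicep deploys with scope set to the vault's resource group, so the module scope matches the scope of the existing vault. The vault name 'certbotkv423452' and resource group 'rg-cert-keyvault' are taken from the question; the web app names, plan, file names, and the choice of the built-in Key Vault Secrets User role (read-only access to secret contents) are assumptions made for the example. The web apps are declared inline here instead of through the question's AppService module, because that module is not on the page; a module that outputs the identity's principalId would be used the same way.

```bicep
// ---- main.bicep (deployed into the web-app resource group) ----
param location string = resourceGroup().location
param webAppNames array = ['app-one', 'app-two']             // constructed sample names
param certKeyVaultName string = 'certbotkv423452'            // vault name from the question
param certKeyVaultResourceGroup string = 'rg-cert-keyvault'  // resource group from the question

// Built-in "Key Vault Secrets User" role (assumption: the least-privileged role
// that still lets the app read a certificate stored as a secret).
var keyVaultSecretsUserRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')

resource plan 'Microsoft.Web/serverfarms@2022-03-01' = {
  name: 'plan-webapps'
  location: location
  sku: { name: 'B1' }
}

// Each web app gets a system-assigned identity; its principalId is what the role is bound to.
resource webApps 'Microsoft.Web/sites@2022-03-01' = [for name in webAppNames: {
  name: name
  location: location
  identity: { type: 'SystemAssigned' }
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
  }
}]

// The role assignment lives in a module whose scope is the vault's resource group,
// i.e. the same scope as the existing key vault resource inside the module.
module certVaultRbac 'keyvault-rbac.bicep' = [for (name, i) in webAppNames: {
  name: 'kv-rbac-${name}'
  scope: resourceGroup(certKeyVaultResourceGroup)
  params: {
    keyVaultName: certKeyVaultName
    principalId: webApps[i].identity.principalId
    roleDefinitionId: keyVaultSecretsUserRoleId
  }
}]

// ---- keyvault-rbac.bicep (module; runs at the scope main.bicep passes in) ----
param keyVaultName string
param principalId string
param roleDefinitionId string

// Existing vault in the module's own (resource group) scope, so no scope override is needed here.
resource certKeyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: keyVaultName
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = {
  // Role assignment names must be GUIDs; deriving one from stable inputs keeps redeploys idempotent.
  name: guid(certKeyVault.id, principalId, roleDefinitionId)
  scope: certKeyVault
  properties: {
    principalId: principalId
    principalType: 'ServicePrincipal'  // avoids a "principal not found" failure on a just-created identity
    roleDefinitionId: roleDefinitionId
  }
}
```

Two things to check before deploying: the identity running the deployment needs Microsoft.Authorization/roleAssignments/write on 'rg-cert-keyvault' (Owner or User Access Administrator there), and the vault must use the RBAC permission model (enableRbacAuthorization) rather than access policies, otherwise the role assignment succeeds but grants the app nothing.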
Post is based on https://stackoverflow.com/questions/70703357/how-to-assign-rbac-to-keyvault-in-another-resourcegroup