admin管理员组文章数量:1315982
I am creating an Azure Managed Application that will be made available in the azure marketplace for deployment into customer's tenants. Among other things, the managed resource group includes a keyvault and an app service. In the keyvault, there is an ssl certificate that I want to use for Azure AppService.
I have created a user assigned managed identity for the appservice and granted it access in the keyvault's access policy. The bit that I am stuck with is that I also need to grant 'get' permissions for certificates and secrets to the service principal for the Microsoft Azure App Service resource provider. (docs here: #import-a-certificate-from-key-vault) In order to do this, I need the objectid (required property for the access policy) of the service principal which is different in every customer tenant. The known information I have is the applicationId for the Microsoft Azure App Service resource provider abfa0a7c-a6b6-4736-8310-5855508787cd which is consistent accross azure. I'm stumped as to how to proceed here. Does anyone have any inspiration?
resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
name: keyVaultName
location: location
properties: {
enabledForDeployment: false
enabledForDiskEncryption: false
enabledForTemplateDeployment: true
enableRbacAuthorization: false
tenantId: tenantId
enableSoftDelete: true
softDeleteRetentionInDays: 90
sku: keyVaultSku
networkAcls: {
defaultAction: 'Allow'
bypass: 'AzureServices'
}
accessPolicies:[
{
objectId: keyVaultReferenceIdentity.properties.principalId
permissions: {
certificates: [
'get', 'list', 'getissuers', 'listissuers', 'update', 'create', 'import'
]
keys: [
'get', 'list', 'decrypt', 'unwrapKey', 'verify', 'getrotationpolicy', 'update', 'create', 'import'
]
secrets: [
'get', 'list', 'set'
]
}
tenantId: tenantId
}
{
objectId: //what can I put here for the Microsoft Azure App Service resource provider?
permissions:{
certificates: ['get']
secrets:['get']
}
tenantId: tenantId
}
]
}
}
resource keyVaultReferenceIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
name: keyVaultReferenceIdentityName
location: location
}
I am creating an Azure Managed Application that will be made available in the azure marketplace for deployment into customer's tenants. Among other things, the managed resource group includes a keyvault and an app service. In the keyvault, there is an ssl certificate that I want to use for Azure AppService.
I have created a user assigned managed identity for the appservice and granted it access in the keyvault's access policy. The bit that I am stuck with is that I also need to grant 'get' permissions for certificates and secrets to the service principal for the Microsoft Azure App Service resource provider. (docs here: https://learn.microsoft/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Caccesspolicy#import-a-certificate-from-key-vault) In order to do this, I need the objectid (required property for the access policy) of the service principal which is different in every customer tenant. The known information I have is the applicationId for the Microsoft Azure App Service resource provider abfa0a7c-a6b6-4736-8310-5855508787cd which is consistent accross azure. I'm stumped as to how to proceed here. Does anyone have any inspiration?
resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
name: keyVaultName
location: location
properties: {
enabledForDeployment: false
enabledForDiskEncryption: false
enabledForTemplateDeployment: true
enableRbacAuthorization: false
tenantId: tenantId
enableSoftDelete: true
softDeleteRetentionInDays: 90
sku: keyVaultSku
networkAcls: {
defaultAction: 'Allow'
bypass: 'AzureServices'
}
accessPolicies:[
{
objectId: keyVaultReferenceIdentity.properties.principalId
permissions: {
certificates: [
'get', 'list', 'getissuers', 'listissuers', 'update', 'create', 'import'
]
keys: [
'get', 'list', 'decrypt', 'unwrapKey', 'verify', 'getrotationpolicy', 'update', 'create', 'import'
]
secrets: [
'get', 'list', 'set'
]
}
tenantId: tenantId
}
{
objectId: //what can I put here for the Microsoft Azure App Service resource provider?
permissions:{
certificates: ['get']
secrets:['get']
}
tenantId: tenantId
}
]
}
}
resource keyVaultReferenceIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
name: keyVaultReferenceIdentityName
location: location
}
2 Answers
Reset to default 1I came to the conclusion that this is not a trivial problem to solve and that I could reach my desired end result much quicker and more easily by using an App Service Managed Certificate and thus eliminating the need for App Service to get certificates from the KV. This worked great. Not a terribly satisfying answer so if anyone comes up with something better, I'd love to hear it.
Bicep now supports Microsoft Graph (see documentation) so you could get a reference to the app service resource provider and grab the object id like that:
extension microsoftGraphV1
...
// Get a reference to app service resource provider
resource appServiceResourceProvider 'Microsoft.Graph/[email protected]' existing = {
appId: 'abfa0a7c-a6b6-4736-8310-5855508787cd'
}
resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
name: keyVaultName
location: location
properties: {
...
accessPolicies:[
...
{
objectId: appServiceResourceProvider.id
permissions:{
certificates: ['get']
secrets:['get']
}
tenantId: tenantId
}
]
}
}
本文标签:
版权声明:本文标题:Using a certificate from a keyvault in azure app service in an azure managed application deployment - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1741978898a2408281.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论