Key Vault Access Policy
Getting Started
Pulumi does not support updating Azure Key Vault access policies, which is why this project implements a Pulumi Dynamic Resource Provider. The provider manages the access policies by manipulating the Key Vault access policy through Azure CLI commands.
AZ Reference
Usage
return new KeyVaultAccessPolicy(`kv-ap-cumulio-plugin-adx`, {
    resourceGroupName: rgName,
    keyVaultName: keyVaultCoreName,
    // object ID of the Web App's managed identity; the placeholder GUID is used
    // when no identity is present on the app
    objectId: appCumulIOPluginADX.identity.apply(
        (identity) =>
            identity?.principalId ?? "11111111-1111-1111-1111-111111111111"),
    secretPermissions: [PermissionSecret.get, PermissionSecret.list]
}, {
    /**
     * We need to use an alias, because otherwise Pulumi will favour a create before delete.
     * The end result would be an access policy that is deleted from Azure
     * but still present in the Pulumi stack state.
     * https://github.com/pulumi/pulumi/issues/11259#issuecomment-1303995109
     */
    aliases: [{ name: `kv-ap-cumulio-plugin-adx` }]
});
Key Vault Access Policy Subscription
In the DEV environment and higher, all write operations against Azure can only be done through Azure DevOps Pipelines. During execution a pipeline logs in to the Azure subscription with a Service Principal that has write access, and it then needs to read secrets from the existing Key Vault, so that Service Principal must be granted access to the Key Vault during the Pulumi infrastructure deployment. Because a Service Principal is a different kind of object from, for example, a Web App with a managed identity, an additional Azure CLI command is needed to look up its identifier: the access policy takes the Service Principal's object ID, which is not the same as the application (client) ID the pipeline logs in with. Grant it only the permissions the pipeline needs (for example get and list on secrets). For details refer to the source code.
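The following is an added example, not the project's own dynamic resource provider, that shows what the Getting Started description and the Service Principal lookup above amount to in code: a create/diff/update/delete implementation in the shape of pulumi.dynamic.ResourceProvider that shells out to the Azure CLI (az keyvault set-policy, az keyvault delete-policy and az ad sp show are real commands; the class, function and field names here are this example's own). It deliberately imports nothing from @pulumi/pulumi so it runs stand-alone; wrapping the methods in Promises and passing an instance to a pulumi.dynamic.Resource subclass is left to the project. Every CLI call goes through an argv runner rather than a shell string, and object IDs are checked to be GUIDs before they reach the command line.

```typescript
// Added example: Azure-CLI-backed access policy provider (not the project's code).
import { execFileSync } from "child_process";

export interface AccessPolicyInputs {
  resourceGroupName: string;
  keyVaultName: string;
  // OBJECT id of the managed identity / service principal, never the app (client) id.
  objectId: string;
  secretPermissions?: string[];
  keyPermissions?: string[];
  certificatePermissions?: string[];
}

// argv-style runner: no shell, so names and permissions are never interpolated into a command line.
export type CommandRunner = (program: string, args: string[]) => string;
export const defaultRunner: CommandRunner = (program, args) =>
  execFileSync(program, args, { encoding: "utf8" });

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
function assertGuid(value: string): void {
  if (!GUID_RE.test(value)) throw new Error(`expected a GUID, got "${value}"`);
}

// argv for `az keyvault set-policy`; only categories with at least one permission are passed.
export function setPolicyArgs(p: AccessPolicyInputs): string[] {
  assertGuid(p.objectId);
  const args = ["keyvault", "set-policy", "--name", p.keyVaultName,
                "--resource-group", p.resourceGroupName, "--object-id", p.objectId];
  const categories: [string, string[] | undefined][] = [
    ["--secret-permissions", p.secretPermissions],
    ["--key-permissions", p.keyPermissions],
    ["--certificate-permissions", p.certificatePermissions],
  ];
  for (const [flag, perms] of categories) {
    if (perms && perms.length > 0) args.push(flag, ...perms);
  }
  return args;
}

// argv for `az keyvault delete-policy`, which removes the whole entry for the object id.
export function deletePolicyArgs(p: AccessPolicyInputs): string[] {
  assertGuid(p.objectId);
  return ["keyvault", "delete-policy", "--name", p.keyVaultName,
          "--resource-group", p.resourceGroupName, "--object-id", p.objectId];
}

// argv to resolve a service principal's object id from its application (client) id.
// Current Azure CLI releases expose it as `id` (older ones used `objectId`).
export function servicePrincipalObjectIdArgs(appId: string): string[] {
  assertGuid(appId);
  return ["ad", "sp", "show", "--id", appId, "--query", "id", "--output", "tsv"];
}

// One policy per (vault, object id), so that pair is the resource id.
export function policyId(p: AccessPolicyInputs): string {
  return `${p.resourceGroupName}/${p.keyVaultName}/${p.objectId}`;
}

const CATEGORY_KEYS = ["secretPermissions", "keyPermissions", "certificatePermissions"] as const;

function samePermissions(a?: string[], b?: string[]): boolean {
  const x = [...(a ?? [])].sort(), y = [...(b ?? [])].sort();
  return x.length === y.length && x.every((v, i) => v === y[i]);
}

function droppedCategory(olds: AccessPolicyInputs, news: AccessPolicyInputs): boolean {
  return CATEGORY_KEYS.some(k => (olds[k]?.length ?? 0) > 0 && (news[k]?.length ?? 0) === 0);
}

export class KeyVaultAccessPolicyProvider {
  private readonly run: CommandRunner;
  constructor(run: CommandRunner = defaultRunner) { this.run = run; }

  create(inputs: AccessPolicyInputs) {
    this.run("az", setPolicyArgs(inputs));
    return { id: policyId(inputs), outs: inputs };
  }

  // A different vault or principal is a different Azure entry, so those fields force a replacement;
  // permission lists are compared order-insensitively.
  diff(_id: string, olds: AccessPolicyInputs, news: AccessPolicyInputs) {
    const replaces = (["resourceGroupName", "keyVaultName", "objectId"] as const)
      .filter(k => olds[k] !== news[k]);
    const changes = replaces.length > 0 || CATEGORY_KEYS.some(k => !samePermissions(olds[k], news[k]));
    return { changes, replaces };
  }

  // Assumption (check against your CLI version): set-policy rewrites only the categories given on
  // the command line, so a category that disappeared entirely is cleared by deleting the whole
  // entry before re-applying the remaining permissions.
  update(_id: string, olds: AccessPolicyInputs, news: AccessPolicyInputs) {
    if (droppedCategory(olds, news)) this.run("az", deletePolicyArgs(olds));
    this.run("az", setPolicyArgs(news));
    return { outs: news };
  }

  delete(_id: string, props: AccessPolicyInputs): void {
    this.run("az", deletePolicyArgs(props));
  }
}
```

The runner indirection is what makes the provider testable without an Azure login: hand the constructor a function that records the argv it receives and assert on those arrays, then use the default runner in the real stack.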