Bicep Access policies and Managed Identity
In this post I cover access policies in KeyVault and also User Assigned Managed Identities using Bicep.
If you are doing anything with Bicep then this is still the best resource I have found – https://github.com/Azure/ResourceModules/ – it shows you how to do it, and although you need to figure out the rest from there, it still has a LOT of guidance on how to go about things in Bicep.
Access Policies in Bicep
When you create a KeyVault you have to give people / accounts access to be able to use KeyVault in Azure.
Within the portal you need to go to the following areas:-
So in order to give applications and users access we add access policies. Now if you look up the Microsoft docs page for this, you'll more than likely end up here:-
This kind of page isn't going to help you very much; in fact it's not going to help you at all. These types of pages in Microsoft docs are, I would say, close to pointless to be honest.
I found a page you can compare it to, which covers what I think we need to see more of in the way of Microsoft docs.
Compare the docs page to this wonderful blog post:-
It covers everything you're ever going to need to know in a simple blog post, which also has this layout:-
Why is this so good in my opinion? It tells me everything I need to know about access policies, it explains it all and has really useful samples – the docs need explanations and real-world examples; the examples they give are normally far too basic imo.
Managed Identity in Bicep
First thing to say is that Managed Identity in Azure has its own area in the Azure Portal. Wut? Yeah, it's been there a while now 🙂
OK, so do you want to use a System Assigned Managed Identity or a User Assigned Managed Identity? Please learn about both by watching the video here – https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
I always opt for a User Assigned Managed Identity and I use it to access my Azure resources, so that (as an example) my nice new Docker container, which is now running in Container Instances, can use the User Assigned Managed Identity to go to KeyVault and get secrets.
So within my new User Assigned Managed Identity I can add Azure Role Assignments like so:-
Here I am giving Owner rights on the Resource Group and KeyVault Admin access to my Managed Identity as examples.
What does this look like in Bicep?
Creating a User Assigned Managed Identity is very easy:-
And then to add Role Assignments using existing role definitions you can do the following:-
Full code can be found here:- https://gist.github.com/gsuttie/3ab106252faf6ef7726441f70d611c7d
So there is an issue/bug with doing this, let me explain. In the example above I create a User Assigned Managed Identity and then add 2 Azure Role Assignments to the managed identity. If I delete the managed identity I end up with the following:-
The role assignment remains – meaning if I run my Bicep code again it won't work and gives me an error, something like this:-
“RoleAssignmentUpdateNotPermitted”, “message”: “Tenant ID, application ID, principal ID, and scope are not allowed to be updated.”
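The identity plus role assignment pattern above, as an added example rather than the gist from this post, written so the recreate problem does not bite: because ARM only allows reference() inside resource properties, the assignment is put in a small module that receives the principalId as a parameter and can then use it in the assignment name. Two files are shown in one block; the identity name and module file name are assumptions, and the role GUID is the built-in Key Vault Administrator role.

```bicep
// ---- main.bicep (added example, not the post's gist; names are assumptions) ----
param identityName string = 'id-example-app'
param location string = resourceGroup().location

resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Built-in Key Vault Administrator role, looked up instead of hard-coding the full id
resource keyVaultAdminRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  scope: subscription()
  name: '00482a5a-887f-4fb3-b363-3b7fe8e74483'
}

// The assignment lives in a module so that principalId arrives as a plain parameter
// and can be part of the assignment name (reference() is not allowed in a name).
module kvAdmin 'roleAssignment.bicep' = {
  name: 'kvAdmin-${identityName}'
  params: {
    principalId: identity.properties.principalId
    roleDefinitionId: keyVaultAdminRole.id
  }
}

output principalId string = identity.properties.principalId

// ---- roleAssignment.bicep (assumed file name) ----
param principalId string
param roleDefinitionId string

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // principalId is part of the name: a deleted-and-recreated identity has a new
  // principalId, so the deployment creates a fresh assignment instead of trying to
  // update the orphaned one, which is what fails with RoleAssignmentUpdateNotPermitted.
  name: guid(resourceGroup().id, principalId, roleDefinitionId)
  properties: {
    roleDefinitionId: roleDefinitionId
    principalId: principalId
    principalType: 'ServicePrincipal' // skips the directory lookup that can lag right after creation
  }
}
```

The orphaned assignment from the deleted identity still shows up as "Unknown" in IAM and should be cleaned up separately; this only stops the redeploy from failing.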
I hope this blog post makes sense and is helpful to someone.
Don’t forget to subscribe to my YouTube Channel.
For a nice easy way to clean up the IAM after a managed identity has been removed check out https://jloudon.com/cloud/Removing-Unknown-Azure-RBAC-Role-Assignments-with-PowerShell/
[…] Bicep Access policies and Managed Identity (Gregor Suttie) […]