0
votes

The Key Vault I have created is in another resource group, and I am deploying the Logic App to a different resource group in which I have referenced the Key Vault secrets as:

```json
"azureblob_1_accessKey": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/5a7084cb-3357-4ee0-b28f-a3230de8b337/resourceGroups/test/providers/Microsoft.KeyVault/vaults/KeyVault"
    },
    "secretName": "AppSettings--StorageAccessValue--DEV"
  }
},
```

I am deploying the Logic Apps using CI/CD, but in the release definition I am getting the following error:

KeyVaultParameterReferenceAuthorizationFailed: The client '648fa2cc-6cd1-49fa-a11a-ad6a276916cc' with object id '648fa2cc-6cd1-49fa-a11a-ad6a276916cc' does not have permission to perform action 'MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION' on the specified KeyVault resource '/subscriptions/5a7084cb-3357-4ee0-b28f-a3230de8b337/resourceGroups/test/providers/Microsoft.KeyVault/vaults/KeyVault'. Please see https://aka.ms/arm-keyvault for usage details. undefined

**How to find the resource related to the ID given in the error?**

1
I think you need to add this client ID 648fa2cc-6cd1-49fa-a11a-ad6a276916cc in your KeyVault Access policies - Jayendran
@Jayendran How do I add the client ID? - Sagar K
@JoyWang I am deploying using a Release Definition - Sagar K

1 Answer

1
votes

According to the error, the user does not have the Microsoft.KeyVault/vaults/deploy/action permission.

If a key vault is referenced in a template deployment, you should note:

1. Make sure enabledForTemplateDeployment is true; you can check it in the portal, refer to the screenshot.


2. Make sure the user deploying the template has the Microsoft.KeyVault/vaults/deploy/action permission for the scope that contains the Key Vault, including the resource group and the Key Vault itself. The Owner and Contributor roles both grant this access.

To add the permission, you can use role-based access control (RBAC): navigate to Access control (IAM) in the portal -> Add, and select the Owner or Contributor role. Alternatively, you can create a custom role with the minimum permission and assign it to the user; refer to this link.

For more details, refer to: Use Azure Key Vault to pass secure parameter value during deployment.
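The two checks above carried out with Azure PowerShell, as an added example that is not part of the original answer: it enables template deployment on the vault, creates a custom role carrying only the deploy action instead of granting Owner or Contributor, and assigns it to the identity named in the error, scoped to the vault. It assumes the Az module is installed and Connect-AzAccount has been run as someone allowed to manage role assignments on the vault's resource group; the role name is a hypothetical choice, and the ids are the ones quoted in the question.

```powershell
# Added example, not code from the question or answer.
# Values below are taken from the question; substitute your own subscription, group and vault.
$SubscriptionId   = "5a7084cb-3357-4ee0-b28f-a3230de8b337"
$ResourceGroup    = "test"
$VaultName        = "KeyVault"
# Object id of the deploying identity, exactly as reported in the error message.
$DeployerObjectId = "648fa2cc-6cd1-49fa-a11a-ad6a276916cc"
# Hypothetical name for the least-privilege custom role.
$RoleName         = "Key Vault Template Deployer"

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup

# 1. The vault must allow Resource Manager to read secrets during a deployment.
if (-not $vault.EnabledForTemplateDeployment) {
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroup `
        -EnabledForTemplateDeployment
}

# 2. A custom role holding only the deploy action. Cloning Reader gives a correctly
#    shaped PSRoleDefinition object to edit; assignable scope is the vault's resource group.
if (-not (Get-AzRoleDefinition -Name $RoleName)) {
    $role = Get-AzRoleDefinition -Name "Reader"
    $role.Id = $null
    $role.Name = $RoleName
    $role.Description = "Can resolve Key Vault secret references in template deployments"
    $role.Actions.Clear()
    $role.Actions.Add("Microsoft.KeyVault/vaults/deploy/action")
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add("/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup")
    New-AzRoleDefinition -Role $role | Out-Null
}

# Assign the role to the pipeline identity, scoped to the vault itself rather than the whole group.
$existing = Get-AzRoleAssignment -ObjectId $DeployerObjectId -RoleDefinitionName $RoleName `
    -Scope $vault.ResourceId
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $DeployerObjectId -RoleDefinitionName $RoleName `
        -Scope $vault.ResourceId | Out-Null
}

# Show what the deploying identity now holds on the vault.
Get-AzRoleAssignment -ObjectId $DeployerObjectId -Scope $vault.ResourceId |
    Select-Object RoleDefinitionName, Scope
```

New role definitions and assignments can take a few minutes to propagate, so re-run the release only after the final listing shows the role on the vault.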