0 votes

I am deploying a Logic App workflow through an ARM template in DevOps, which works great. When I need to connect to Blob storage or a Storage Queue in the workflow, I am able to create these two API connections in ARM beforehand and then use them, but how can I create a connection to Key Vault? The (I believe only required) connection parameters for the connection template are vaultName and token, as shown below. The whole template is in this gist.

"connectionParameters": {
    "vaultName": {
        "type": "string",
        "uiDefinition": {
            "displayName": "Vault name",
            "description": "Name of the vault",
            "tooltip": "Provide name of the vault",
            "constraints": {
                "required": "true"
            }
        }
    },
    "token": {
        "type": "oauthSetting",
        "oAuthSettings": {
            "identityProvider": "aadcertificate",
            "clientId": "7ab7862c-4c57-491e-8a45-d52a7e023983",
            "scopes": [],
            "redirectMode": "Direct",
            "redirectUrl": "https://logic-apis-westeurope.consent.azure-apim.net/redirect",
            "properties": {
                "IsFirstParty": "True"
            },
            "customParameters": {
                "tenantId": {},
                "resourceUri": {
                    "value": "https://vault.azure.net"
                },
                "loginUriAAD": {
                    "value": "https://login.windows.net"
                }
            }
        }
    },
    // <other input parameters>
}

But where can I get/find the token? Is it possible to somehow use the token that DevOps is using to deploy the infrastructure? Or get the token in any other non-interactive way, e.g. from a PowerShell script? Any pointers will be appreciated.


3 Answers

1 vote

If the managed identity support has not yet been added to the Key Vault connector, there is a workaround. You can use the HTTP connector with a managed identity and use the Key Vault REST API to get the secrets.

This is explained for example in this blog post: https://blog.eldert.net/retrieve-azure-key-vault-secrets-from-logic-apps-using-managed-identity/
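The HTTP-connector workaround described in this answer, as an added example that is not from the post or the linked blog: an HTTP action in the workflow definition that calls the Key Vault REST API and lets the platform obtain the token from the Logic App's system-assigned identity. The action name and the `vaultName` and `secretName` workflow parameters are assumed; the audience `https://vault.azure.net` matches the resourceUri in the question's connector template.

```json
"actions": {
    "Get_secret": {
        "type": "Http",
        "inputs": {
            "method": "GET",
            // Key Vault REST API; vaultName and secretName are assumed workflow parameters
            "uri": "https://@{parameters('vaultName')}.vault.azure.net/secrets/@{parameters('secretName')}?api-version=7.1",
            "authentication": {
                // The platform acquires the token for the system-assigned identity at run time,
                // so no client secret, certificate or user token is stored in the template
                "type": "ManagedServiceIdentity",
                "audience": "https://vault.azure.net"
            }
        },
        // Mark the response as secure so the secret value is hidden in run history
        "runtimeConfiguration": {
            "secureData": {
                "properties": [ "outputs" ]
            }
        },
        "runAfter": {}
    }
}
```

Later actions read the secret as `body('Get_secret')?['value']`; the identity only needs the `get` permission on secrets in the vault's access policy.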

0 votes

I would suggest using a Managed Identity (MSI) for the Logic App.

Essentially this will create an identity in your Azure Active Directory for the application, thus eliminating the token process. This identity is assigned a thumbprint in Azure, so if it is destroyed and recreated the identity's thumbprint will be recreated. If deploying via ARM, just add the identity section to your Logic App:

{
   "apiVersion": "2016-06-01",
   "type": "Microsoft.Logic/workflows",
   "name": "[variables('logicappName')]",
   "location": "[resourceGroup().location]",
   "identity": {
      "type": "SystemAssigned"
   }
}

For the Key Vault, if deploying via the same ARM template, you can add an access policy for the Resource ID like below (specifically the objectId section). I would advise a dependsOn statement as outlined so the Access Policy isn't assigned until after the MSI is created.

 // Fragment of the Microsoft.KeyVault/vaults resource: dependsOn is a resource-level
 // property (not part of the policy entry) and the objectId is the Logic App's MSI principal
 "dependsOn": [
   "[resourceId('Microsoft.Logic/workflows', variables('logicappName'))]"
 ],
 "properties": {
   "accessPolicies": [
     {
       "tenantId": "[subscription().tenantId]",
       "objectId": "[reference(resourceId('Microsoft.Logic/workflows', variables('logicappName')), '2016-06-01', 'Full').identity.principalId]",
       "permissions": {
         "secrets": [
           "get"
         ],
         "keys": [
           "get"
         ],
         "certificates": [
           "import"
         ]
       }
     }
   ]
 }

After completing this, your Logic App should have access to the secrets in the Key Vault w/o any additional configuration.

0 votes

Managed Identity support has been added to the Key Vault connector. More details can be found in the following blog post: https://aztoso.com/logic-app/keyvault-connector-with-managed-identity/