1
votes

Is it possible to set key vault access policies for multiple object ids using a parameter of array type via ARM Template?

    "policies": {
      "value": [
        {
          "objectId": "<object-id-1>",
          "permissions": ["get", "set", "list"]
        },
        {
          "objectId": "<object-id-2>",
          "permissions": ["get", "set", "list"]
        }
      ]
    }

I need to set key vault access policies to two object ids as shown above. This is what I have tried:

I see the following error:

[error]InvalidTemplate: Deployment template validation failed: 'The resource 'Microsoft.KeyVault/vaults/keyvaultname/accessPolicies/add' is defined multiple times in a template.

1
So what's your question? Any error? - Joy Wang-MSFT
Yes, updated the question. Please check the description. - user989988

1 Answer

5
votes

Looks like you are almost there. Here is a modification of what you posted that I have working.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string"
    },
    "policies": {
      "type": "array",
      "metadata": {
        "description": "Array of object ids and permissions."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "apiVersion": "2019-09-01",
      "properties": {
        "copy": [
          {
            "name": "accessPolicies",
            "count": "[length(parameters('policies'))]",
            "input": {
              "tenantId": "[parameters('policies')[copyIndex('accessPolicies')].tenantId]",
              "objectId": "[parameters('policies')[copyIndex('accessPolicies')].objectId]",
              "permissions": {
                "keys": "[parameters('policies')[copyIndex('accessPolicies')].keys]",
                "secrets": "[parameters('policies')[copyIndex('accessPolicies')].secrets]",
                "certificates": "[parameters('policies')[copyIndex('accessPolicies')].certificates]"
              }
            }
          }
        ]
      }
    }
  ]
}

Here is the PowerShell variable that I splatted on the deployment call.

$parameters = @{
  'keyVaultName' = 'kv62443460'
  'policies' = @(
    @{
        'tenantId' = '<GUID>'
        'objectId' = '<GUID>'
        'keys' = @()
        'secrets' = @('get')
        'certificates' = @()
    },
    @{
        'tenantId' = '<GUID>'
        'objectId' = '<GUID>'
        'keys' = @()
        'secrets' = @()
        'certificates' = @('list')
    }
  )
}
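
As an added example (not part of the answer above), a pre-deployment check for the `policies` array in the shape the answer's template reads, assuming each entry is a hashtable as in the answer's `$parameters`. The function name `Test-KeyVaultPolicyParameter`, the sample GUIDs and the list of permissions treated as risky are assumptions.

```powershell
# Added example: lint the 'policies' parameter before the deployment call.
# Test-KeyVaultPolicyParameter and the $risky list are hypothetical (a local policy choice).
function Test-KeyVaultPolicyParameter {
    param([Parameter(Mandatory)][hashtable[]]$Policies)

    $risky  = @('all', 'purge', 'delete')   # broad or destructive grants to review
    $seen   = @{}                           # objectId -> first index it appeared at
    $parsed = [guid]::Empty

    for ($i = 0; $i -lt $Policies.Count; $i++) {
        $p = $Policies[$i]

        # Catches typos and placeholders such as '<GUID>' left in the file.
        foreach ($idField in 'tenantId', 'objectId') {
            if (-not [guid]::TryParse([string]$p[$idField], [ref]$parsed)) {
                "policies[$i].$idField is not a GUID"
            }
        }

        $oid = ([string]$p['objectId']).ToLowerInvariant()
        if ($seen.ContainsKey($oid)) {
            "policies[$i] repeats the objectId of policies[$($seen[$oid])]"
        } else { $seen[$oid] = $i }

        $granted = 0
        foreach ($kind in 'keys', 'secrets', 'certificates') {
            # The template indexes all three properties on every entry.
            if (-not $p.ContainsKey($kind)) { "policies[$i].$kind is missing"; continue }
            foreach ($perm in $p[$kind]) {
                $granted++
                if ($risky -contains $perm) { "policies[$i].$kind grants '$perm'" }
            }
        }
        if ($granted -eq 0) { "policies[$i] grants no permissions" }
    }
}

# Constructed sample input (GUIDs are made up), same shape as the answer's $parameters.
$tenant = '11111111-1111-1111-1111-111111111111'
$policies = @(
    @{ tenantId = $tenant; objectId = '22222222-2222-2222-2222-222222222222'
       keys = @(); secrets = @('get'); certificates = @() },
    @{ tenantId = $tenant; objectId = '<GUID>'
       keys = @('all'); secrets = @(); certificates = @() }
)
$issues = @(Test-KeyVaultPolicyParameter -Policies $policies)
$issues | ForEach-Object { Write-Warning $_ }
# The second sample entry is deliberately bad, so this gate is expected to stop here.
if ($issues.Count -gt 0) { throw "Refusing to deploy: $($issues.Count) policy issue(s)." }
```

Run it on `$parameters.policies` before splatting `$parameters` onto the deployment call, so a leftover placeholder or an unintended `all` grant stops the run before the vault's access policies change.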