Granting a User-Assigned Identity access to Azure Key Vault
To grant a User-Assigned Managed Identity access to an Azure Key Vault, you perform three steps. First, you create the User-Assigned Managed Identity. Then, you create the Key Vault. Finally, you set an access policy on the Key Vault that gives the identity's principal the permissions it needs, and no more.
Below is a Pulumi program in TypeScript that demonstrates how to:
- Create a User-Assigned Managed Identity using the azure-native.managedidentity.UserAssignedIdentity class.
- Create an Azure Key Vault instance using the azure-native.keyvault.Vault class.
- Set the access policy on the Key Vault to allow the User-Assigned Managed Identity to access it, specifying the permissions you want to grant.
Let's look at the code:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azureNative from "@pulumi/azure-native";

// Replace with your resource group, region and Azure tenant ID
const resourceGroupName = "myResourceGroup";
const location = "westus";
const tenantId = "<your-tenant-id>";

// Create a new User-Assigned Managed Identity
const userAssignedIdentity = new azureNative.managedidentity.UserAssignedIdentity("myUserAssignedId", {
    resourceGroupName,
    location,
});

// Create a new Key Vault whose access policy grants the identity read ("get") access.
// The policy is declared on the vault itself. `objectId` must be the identity's
// principalId (its service principal object ID), not its clientId or resource ID;
// a policy written against the wrong ID deploys fine but grants the identity nothing.
const keyVault = new azureNative.keyvault.Vault("myKeyVault", {
    resourceGroupName,
    location,
    properties: {
        sku: {
            family: "A",
            name: azureNative.keyvault.SkuName.Standard,
        },
        tenantId,
        accessPolicies: [{
            tenantId, // same tenant as the vault
            objectId: userAssignedIdentity.principalId,
            permissions: {
                keys: ["get"],
                secrets: ["get"],
                certificates: ["get"],
            },
        }],
    },
});

// Export the Key Vault URI and the User-Assigned Managed Identity ID
export const keyVaultUri = keyVault.properties.vaultUri;
export const userAssignedIdentityId = userAssignedIdentity.id;
```

Here's what each part of the code is doing:

- The azureNative.managedidentity.UserAssignedIdentity resource defines a new User-Assigned Managed Identity that cloud resources (a VM, App Service, Function App, AKS workload and so on) can use to authenticate to Azure services that support Microsoft Entra ID (formerly Azure Active Directory) authentication, with no credential for you to store or rotate.
- The azureNative.keyvault.Vault resource defines a new Azure Key Vault where you can store keys, secrets, and certificates securely.
- The accessPolicies entry on the vault links the User-Assigned Managed Identity to the Key Vault by granting its principalId specific permissions, in this case 'get' on keys, secrets, and certificates. Access policies are vault-wide: 'get' on secrets lets the identity read every secret in this vault, so keep each permission list to what the workload actually needs (if it only reads secrets, drop the keys and certificates permissions).
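A check worth running before pulumi up, added here as an example and not part of the original program: the function below walks an accessPolicies array in the same shape the Vault resource accepts and reports anything broader than an explicit expectation. It imports nothing from Pulumi, so it can sit in a unit test or pre-commit hook. The tenant and principal GUIDs, the mistaken resource ID, and the expectation that the workload only reads secrets are constructed for the demonstration.

```typescript
// Added example, not part of the original page's Pulumi program: a plain
// TypeScript least-privilege check over the `accessPolicies` array in the
// shape `azure-native.keyvault.Vault` takes under `properties`.

type ObjectType = "keys" | "secrets" | "certificates" | "storage";
const OBJECT_TYPES: ObjectType[] = ["keys", "secrets", "certificates", "storage"];

interface AccessPolicyEntry {
  tenantId: string;
  objectId: string; // must be the identity's principalId (a GUID), not its ARM id or clientId
  permissions: Partial<Record<ObjectType, string[]>>;
}

// The most a given principal should ever be granted on this vault.
interface ExpectedGrant {
  tenantId: string;
  objectId: string;
  permissions: Partial<Record<ObjectType, string[]>>;
}

interface Finding {
  objectId: string;
  severity: "high" | "medium";
  message: string;
}

const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Access policies are vault-wide, so anything that can change or destroy
// material is rated high; an unexpected read is rated medium.
const MUTATING = new Set(["set", "create", "import", "update", "delete",
  "recover", "backup", "restore", "purge", "rotate", "setrotationpolicy"]);

function validateAccessPolicies(policies: AccessPolicyEntry[], expected: ExpectedGrant[]): Finding[] {
  const findings: Finding[] = [];
  const expectedById = new Map(expected.map((e): [string, ExpectedGrant] => [e.objectId, e]));

  for (const p of policies) {
    if (!GUID.test(p.objectId)) {
      findings.push({ objectId: p.objectId, severity: "high",
        message: "objectId is not a GUID; pass the identity's principalId, not its resource id" });
      continue;
    }
    const want = expectedById.get(p.objectId);
    if (!want) {
      findings.push({ objectId: p.objectId, severity: "high", message: "principal is not in the expected grant list" });
      continue;
    }
    if (p.tenantId !== want.tenantId) {
      findings.push({ objectId: p.objectId, severity: "high",
        message: `tenantId ${p.tenantId} does not match expected ${want.tenantId}` });
    }
    for (const type of OBJECT_TYPES) {
      const granted = p.permissions[type];
      if (!granted) continue;
      const allowed = new Set((want.permissions[type] ?? []).map((s) => s.toLowerCase()));
      for (const perm of granted.map((s) => s.toLowerCase())) {
        if (perm === "all") {
          findings.push({ objectId: p.objectId, severity: "high",
            message: `${type}: 'all' grants every ${type} permission on the vault` });
        } else if (!allowed.has(perm)) {
          findings.push({ objectId: p.objectId, severity: MUTATING.has(perm) ? "high" : "medium",
            message: `${type}: '${perm}' is not in the expected set [${Array.from(allowed).join(", ")}]` });
        }
      }
    }
  }
  // A principal that should have access but has no entry is a deployment that will fail at runtime.
  for (const e of expected) {
    if (!policies.some((p) => p.objectId === e.objectId)) {
      findings.push({ objectId: e.objectId, severity: "medium", message: "expected principal has no access policy entry" });
    }
  }
  return findings;
}

// Constructed sample data standing in for the page's program; these GUIDs are
// placeholders, not real tenant, subscription or principal ids.
const TENANT_ID = "11111111-1111-1111-1111-111111111111";
const UAMI_PRINCIPAL_ID = "22222222-2222-2222-2222-222222222222";

// The grant the page's program makes: "get" on keys, secrets and certificates.
const pagePolicies: AccessPolicyEntry[] = [{
  tenantId: TENANT_ID,
  objectId: UAMI_PRINCIPAL_ID,
  permissions: { keys: ["get"], secrets: ["get"], certificates: ["get"] },
}];

// What a workload that only reads secrets actually needs.
const secretsReaderOnly: ExpectedGrant[] = [{
  tenantId: TENANT_ID, objectId: UAMI_PRINCIPAL_ID, permissions: { secrets: ["get"] },
}];

// The same entry with the identity's ARM resource id pasted into objectId by mistake.
const wrongIdPolicies: AccessPolicyEntry[] = [{
  tenantId: TENANT_ID,
  objectId: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUserAssignedId",
  permissions: { secrets: ["get"] },
}];

function report(label: string, findings: Finding[]): string {
  if (findings.length === 0) return `${label}: OK`;
  return `${label}:\n` + findings.map((f) => `  [${f.severity}] ${f.objectId}: ${f.message}`).join("\n");
}

console.log(report("page grant vs secrets-only expectation", validateAccessPolicies(pagePolicies, secretsReaderOnly)));
console.log(report("resource id used as objectId", validateAccessPolicies(wrongIdPolicies, secretsReaderOnly)));
```

Run against the page's grant with a secrets-only expectation, it reports the keys and certificates 'get' permissions as unnecessary, and it catches the two mistakes that most often leave a policy useless or over-broad: a resource ID (or, via the expected list, a clientId) where the principalId belongs, and 'all' in a permission list.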
Replace <your-tenant-id> with your actual Azure tenant ID wherever it appears; az account show --query tenantId prints the tenant your CLI session is logged in to. To apply this Pulumi program, save the code to an index.ts file in a Pulumi project, then run the following commands:

pulumi up           # preview and deploy the changes
pulumi stack output # view the outputs after deployment
After deploying, you should see the Vault URI and the Managed Identity ID in the outputs, and the identity can read objects in the vault according to the specified permissions. Two caveats before relying on this in production. Access policies are Key Vault's legacy permission model; Azure RBAC (enableRbacAuthorization: true on the vault, plus an azure-native.authorization.RoleAssignment of a built-in role such as Key Vault Secrets User scoped to the vault or to a single secret) is the model Microsoft recommends, and it is what lets you scope a grant more narrowly than the whole vault. On the workload side, a host with more than one managed identity attached must be told which one to use, for example by passing the identity's clientId as managedIdentityClientId to DefaultAzureCredential; otherwise token acquisition fails or uses the wrong identity.