1. Granting a User-Assigned Identity access to Azure Key Vault


    To grant a User-Assigned Managed Identity access to an Azure Key Vault, you need three steps. First, create the User-Assigned Managed Identity. Then, create the Key Vault. Finally, set an access policy on the Key Vault that gives the identity only the permissions it needs.

    Below is a Pulumi program in TypeScript that demonstrates how to:

    1. Create a User-Assigned Managed Identity using the azure-native.managedidentity.UserAssignedIdentity class.
    2. Create an Azure Key Vault instance using the azure-native.keyvault.Vault class.
    3. Set the access policy on the Key Vault to allow the User-Assigned Managed Identity to access it, specifying the permissions you want to grant.

    Let's look at the code:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azureNative from "@pulumi/azure-native";

// Create a new User-Assigned Managed Identity
const userAssignedIdentity = new azureNative.managedidentity.UserAssignedIdentity("myUserAssignedId", {
    // Replace with desired resource group and location
    resourceGroupName: "myResourceGroup",
    location: "westus",
});

// Create a new Key Vault
const keyVault = new azureNative.keyvault.Vault("myKeyVault", {
    resourceGroupName: "myResourceGroup",
    location: "westus",
    properties: {
        sku: {
            family: "A",
            name: azureNative.keyvault.SkuName.Standard,
        },
        tenantId: "<your-tenant-id>", // Specify your Azure tenant ID here
        accessPolicies: [], // The vault starts with no policies; one is attached below
    },
});

// Set an access policy giving the User-Assigned Managed Identity permissions to the Key Vault
const accessPolicy = new azureNative.keyvault.VaultAccessPolicy("myVaultAccessPolicy", {
    resourceGroupName: "myResourceGroup",
    vaultName: keyVault.name,
    properties: {
        accessPolicies: [{
            tenantId: "<your-tenant-id>", // Same tenant ID as the Key Vault
            objectId: userAssignedIdentity.principalId, // The principal ID of the User-Assigned Managed Identity
            permissions: {
                // Read-only: nothing here lets the identity create, change or delete material
                keys: ["get"],
                secrets: ["get"],
                certificates: ["get"],
            },
        }],
    },
});

// Export the Key Vault URI and the User-Assigned Managed Identity ID
export const keyVaultUri = keyVault.properties.vaultUri;
export const userAssignedIdentityId = userAssignedIdentity.id;
```

    Here's what each part of the code is doing:

    • The azureNative.managedidentity.UserAssignedIdentity resource defines a new User-Assigned Managed Identity that cloud resources can use to authenticate to Azure services that support Azure Active Directory authentication.

    • The azureNative.keyvault.Vault resource defines a new Azure Key Vault in which keys, secrets, and certificates are stored securely.

    • The azureNative.keyvault.VaultAccessPolicy resource links the new User-Assigned Managed Identity to the Key Vault by adding an access policy that grants it specific permissions: in this case only 'get' on keys, secrets, and certificates, so the identity can read material but not create, modify, or delete it.

    Be sure to replace <your-tenant-id> with your actual Azure tenant ID in both the Key Vault properties and access policy.
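    As an added example (not part of the Pulumi program above or of the Pulumi project itself), the following offline check audits access-policy entries of the same shape as the accessPolicies items in the program, flagging any permission beyond read-only, a tenant ID that does not match the vault, or a placeholder left where a principal object ID belongs. It operates on resolved string values, and the GUIDs in it are constructed.

```typescript
// Offline least-privilege audit for Key Vault access-policy entries (added example).
interface KeyVaultPermissions {
    keys?: string[];
    secrets?: string[];
    certificates?: string[];
}

interface AccessPolicyEntry {
    tenantId: string;
    objectId: string;
    permissions: KeyVaultPermissions;
}

// Operations that only read material; anything else ("set", "delete", "purge", "all", ...) is reported.
const READ_ONLY_OPS = new Set(["get", "list"]);
const GUID = /^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$/i;

// Returns human-readable findings; an empty array means the entry passes.
function auditAccessPolicy(entry: AccessPolicyEntry, vaultTenantId: string): string[] {
    const findings: string[] = [];
    if (entry.tenantId !== vaultTenantId) {
        findings.push(`tenantId "${entry.tenantId}" differs from the vault's tenant`);
    }
    // A leftover placeholder or malformed id would bind the policy to no real principal.
    if (!GUID.test(entry.objectId)) {
        findings.push(`objectId "${entry.objectId}" is not a principal object id`);
    }
    for (const [kind, ops] of Object.entries(entry.permissions)) {
        for (const op of ops ?? []) {
            if (!READ_ONLY_OPS.has(op.toLowerCase())) {
                findings.push(`${kind}: "${op}" exceeds read-only access`);
            }
        }
    }
    return findings;
}

// Constructed sample ids (not real tenants or principals).
const TENANT = "11111111-2222-3333-4444-555555555555";
const PRINCIPAL = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee";

// Mirrors the program above: "get" on keys, secrets and certificates.
const readOnlyPolicy: AccessPolicyEntry = {
    tenantId: TENANT,
    objectId: PRINCIPAL,
    permissions: { keys: ["get"], secrets: ["get"], certificates: ["get"] },
};

// Keeps the placeholder and grants destructive operations; the audit should report both.
const overPrivilegedPolicy: AccessPolicyEntry = {
    tenantId: "<your-tenant-id>",
    objectId: PRINCIPAL,
    permissions: { secrets: ["all"], keys: ["get", "purge"] },
};
```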

    To apply this Pulumi program, save the code to an index.ts file, then run the following commands:

    pulumi up           # To preview and deploy the changes
    pulumi stack output # To view the output after deployment

    After deploying, you should see the Vault URI and the Managed Identity ID in the outputs. The Managed Identity now has access to the Key Vault according to the specified permissions.