Azure Key Vault access policy to allow Logic App (standard): 'resource not found'

thmswlkr
April 13, 2024
207 views
0 votes
2 Answers

I’m trying to setup an access policy in my ARM template to allow my logic app to access Key Vault. Both resources are already created but when I’m running my pipeline it is coming up that the logic app resource is not found (it already exists).

Error: The Resource ‘Microsoft.Logic/workflows/logicappName’ under resource group ‘resourceGroupName’ was not found.

Policy:

{
                "tenantId": "[parameters('tenantId')]",
                "objectId": "[reference(concat(resourceId('Microsoft.Logic/workflows', variables('logicAppName'))), '2021-01-15').principalId]",
                "permissions": {
                    "keys": [],
                    "secrets": ["get", "list"],
                    "certificates": []
                }
            }

I’ve tried API’s: 2019-05-01 and 2018-11-30 too. They’re both in the same network

EDIT: If I use logic app’s objectId without trying to referencing it, it works.

I’m expecting for the Logic app to be able to read secrets from Key Vault, I’ve already set this up with App Service in the exact same policy (for app service)

Answers

The issue is with the logic app object id syntax under access policy block of key vault access policies resource.

Refer logic app object id as

"logicAppObjectId": "[reference(concat(resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))), '2019-05-01').identity.principalId]"

or you can also refer the resource directly as below:

"logicAppObjectId": "[reference(concat(resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))), '2019-05-01')]"

Use below modified code to achieve the expected requirement.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "logicAppName": {
      "type": "string",
      "metadata": {
        "description": "The name of the logic app to create."
      }
    },
    "tenantId": {
      "type": "string",
      "defaultValue": "xxx",
      "metadata": {
        "description": "xxx"
      }
    },
    "objectId": {
      "type": "string",
      "defaultValue": "xxxx"
    },
    "testUri": {
      "type": "string",
      "defaultValue": "https://azure.status.microsoft/status/",
      "metadata": {
        "description": ""
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    },
     "skuName": {
      "type": "string",
      "defaultValue": "standard",
      "allowedValues": [
        "standard",
        "premium"
      ],
      "metadata": {
        "description": "The SKU of the vault to be created."
      }
    }
  },
  "variables": {
    "frequency": "Hour",
    "keyVaultName": "myvaultjahkurk",
    "interval": "1",
    "type": "recurrence",
    "actionType": "http",
    "method": "GET",
    "workflowSchema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#"
  },
  "resources": [
    {
      "type": "Microsoft.Logic/workflows",
      "apiVersion": "2019-05-01",
      "name": "[parameters('logicAppName')]",
      "location": "[parameters('location')]",
      "tags": {
        "displayName": "[parameters('logicAppName')]"
      },
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "definition": {
          "$schema": "[variables('workflowSchema')]",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "testUri": {
              "type": "string",
              "defaultValue": "[parameters('testUri')]"
            }
          },
          "triggers": {
            "recurrence": {
              "type": "[variables('type')]",
              "recurrence": {
                "frequency": "[variables('frequency')]",
                "interval": "[variables('interval')]"
              }
            }
          },
          "actions": {
            "actionType": {
              "type": "[variables('actionType')]",
              "inputs": {
                "method": "[variables('method')]",
                "uri": "[parameters('testUri')]"
              }
            }
          }
        }
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "name": "[variables('keyVaultName')]",
      "location": "[parameters('location')]",
      "properties": {
        "accessPolicies": [],
        "enableRbacAuthorization": true,
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": "90",
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": false,
        "tenantId": "[subscription().tenantId]",
        "sku": {
          "name": "[parameters('skuName')]",
          "family": "A"
        },
        "networkAcls": {
          "defaultAction": "Allow",
          "bypass": "AzureServices"
        }
      }
    },
     {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2019-09-01",
      "name": "[concat(variables('keyVaultName'), '/add')]",
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "logicAppObjectId": "[reference(concat(resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))), '2019-05-01').identity.principalId]",
            "objectId": "[parameters('objectId')]",
            "permissions": {
              "secrets": [
                "get",
                "list"
              ]
            }
          }
        ]
      }
    }
  ]
}

Output:

References: MSDoc 1, 2

- 10p
- April 13, 2024 at 7:02 pm
- 0 votes
0
If you are indeed using a Standard Logic App and not a Consumption Logic App then you are dealing not with Microsoft.Logic/workflows but with Microsoft.Web/sites – in essence, Standard Logic Apps are Function Apps.

Try replacing your
```
"objectId": "[reference(concat(resourceId('Microsoft.Logic/workflows', variables('logicAppName'))), '2021-01-15').principalId]",
```
with
```
"objectId": "[reference(resourceId('Microsoft.Web/sites', variables('logicAppName')), '2021-03-01', 'full').identity.principalId]",
```
and see if it helps.
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.