I am trying to deploy a Microsoft.Web/connections resource using an ARM template. The API Connection connects to a Key Vault in a different tenant, so I need to use a service principal for authentication.
I have managed to get the resource to deploy but the connection fails with error: Unauthorized when trying to access the Key Vault in my logic app action. I have set up the connection manually to ensure the service principal’s set up correctly so I know it must be an error with my parameterValues section in my ARM template.
I have used this tool to try and work out what’s needed in the parameterValues section, but I am not convinced I have it correct.
Here is my redacted ARM template for the connection:
    {
        "type": "Microsoft.Web/connections",
        "apiVersion": "2016-06-01",
        "name": "NAME_OF_CONNECTION",
        "location": "[resourceGroup().location]",
        "properties": {
            "displayName": "NAME_OF_CONNECTION",
            "api": {
                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]"
            },
            "parameterValues": {
                "vaultName": "NAME_OF_VAULT",
                "token:clientId": "GUID_HERE",
                "token:clientSecret": "SECRET_HERE",
                "token:TenantId": "GUID_HERE",
                "token:resourceUri": "https://NAME_OF_VAULT.vault.azure.net/",
                "token:grantType": "client_credentials"
            }
        }
    }
Is it possible to do this? I can’t see why it wouldn’t be. If it is, why is this not documented anywhere?
2 Answers
I can test it only on Monday, but try using
"token:resourceUri": "https://vault.azure.net"
(without the NAME_OF_VAULT and without a slash at the end).

Try
"token:resourceUri": "https://vault.azure.net"
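
An added example, not part of the question or either answer: the connection from the question as a complete template, using the resourceUri value the answers suggest (not verified here) and taking the client secret as a securestring parameter instead of a literal in the file. The parameter names (connectionName, vaultName, spClientId, spClientSecret, spTenantId) are assumptions made for this example.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "connectionName": { "type": "string" },
    "vaultName": { "type": "string" },
    "spClientId": {
      "type": "string",
      "metadata": { "description": "Assumed name: application (client) ID of the service principal" }
    },
    "spClientSecret": {
      "type": "securestring",
      "metadata": { "description": "Assumed name: client secret, supplied at deployment time" }
    },
    "spTenantId": {
      "type": "string",
      "metadata": { "description": "Assumed name: tenant ID of the tenant that owns the Key Vault" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Web/connections",
      "apiVersion": "2016-06-01",
      "name": "[parameters('connectionName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "displayName": "[parameters('connectionName')]",
        "api": {
          "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]"
        },
        "parameterValues": {
          "vaultName": "[parameters('vaultName')]",
          "token:clientId": "[parameters('spClientId')]",
          "token:clientSecret": "[parameters('spClientSecret')]",
          "token:TenantId": "[parameters('spTenantId')]",
          "token:resourceUri": "https://vault.azure.net",
          "token:grantType": "client_credentials"
        }
      }
    }
  ]
}
```

Because spClientSecret is a securestring, its value is not recorded in the deployment history, and the template itself can be committed without the secret in it.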