I have managed to create a Logic App that can send an email once an Azure Key Vault secret is about to expire. This works with my own credentials, but I cannot make it work with a Managed Identity API connection.
For my Logic App I have enabled System Identity, chosen "When an Event Grid resource event occurs" as the trigger and added the RBAC role "Key Vault Administrator" on my Azure Key Vault.
This now allows me to choose my KeyVault in the drop down menus on the trigger, which means my Managed Identity does have a connection to the KeyVault and I can pick up values in the drop down lists:
When I try to save this I get the following error:
Failed to save logic app logic-secrets-expiry-poc-mi. The workflow connection parameter ‘azureeventgrid’ is not valid. The API connection ‘azureeventgrid’ is configured to support managed identity but the connection parameter is either missing ‘authentication’ property in connection properties or authentication type is not ‘ManagedServiceIdentity’.
What am I missing here?
Update: I found a workaround. In the Code view in the UI, I added this to the connection part:
    "connectionProperties": {
        "authentication": {
            "type": "ManagedServiceIdentity"
        }
    }
so that it now looks like this:
This allows me to Save the Logic App in the Portal without getting the error.
Update: However, I cannot get it to trigger, even when I add another event to listen to, like "Microsoft.KeyVault.SecretNewVersionCreated", and try to create new secrets in Key Vault. It is not being triggered.
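As an added example (not code from the question or from either answer), the following Python builds the `$connections` workflow parameter with the `connectionProperties.authentication` block that the save-time error asks for, and runs the same check offline before the definition is pasted into the Code view. The subscription ID, resource group, second connection name and the wrong authentication type in the sample are constructed placeholders, not values from the page.

```python
"""Build and validate the ``$connections`` parameter of a Logic App
(Consumption) workflow for managed identity authentication.

Added example; not the question's or the answers' own code. All IDs and
the second connection below are constructed placeholders.
"""
import copy
import json

# The authentication block the portal error message requires on an API
# connection that is configured to support managed identity.
MSI_AUTH = {"type": "ManagedServiceIdentity"}

# Constructed sample: the shape of ``$connections.value`` as seen in the
# Logic App Code view. ``azureeventgrid`` has no connectionProperties at
# all; ``keyvault`` has one but with a (constructed) non-MSI auth type.
SAMPLE_SUB = "00000000-0000-0000-0000-000000000000"   # placeholder
SAMPLE_RG = "rg-logic-secrets-expiry-poc"              # placeholder
SAMPLE_CONNECTIONS = {
    "value": {
        "azureeventgrid": {
            "connectionId": f"/subscriptions/{SAMPLE_SUB}/resourceGroups/"
                            f"{SAMPLE_RG}/providers/Microsoft.Web/"
                            "connections/azureeventgrid",
            "connectionName": "azureeventgrid",
            "id": f"/subscriptions/{SAMPLE_SUB}/providers/Microsoft.Web/"
                  "locations/westeurope/managedApis/azureeventgrid",
        },
        "keyvault": {
            "connectionId": f"/subscriptions/{SAMPLE_SUB}/resourceGroups/"
                            f"{SAMPLE_RG}/providers/Microsoft.Web/"
                            "connections/keyvault",
            "connectionName": "keyvault",
            "id": f"/subscriptions/{SAMPLE_SUB}/providers/Microsoft.Web/"
                  "locations/westeurope/managedApis/keyvault",
            "connectionProperties": {"authentication": {"type": "Raw"}},
        },
    }
}


def find_invalid_connections(connections: dict) -> list:
    """Mirror the portal's save-time check.

    A connection fails when ``connectionProperties.authentication`` is
    missing or its ``type`` is not ``ManagedServiceIdentity``. The portal
    only applies this to connections configured for managed identity; here
    every connection in the parameter is assumed to be one.
    Returns the names of the offending connections.
    """
    bad = []
    for name, conn in connections["value"].items():
        auth = conn.get("connectionProperties", {}).get("authentication")
        if not isinstance(auth, dict) or auth.get("type") != MSI_AUTH["type"]:
            bad.append(name)
    return bad


def with_managed_identity_auth(connections: dict) -> dict:
    """Return a deep copy in which every connection carries the MSI
    authentication block; other connection properties are preserved and the
    input is left untouched."""
    fixed = copy.deepcopy(connections)
    for conn in fixed["value"].values():
        props = conn.setdefault("connectionProperties", {})
        props["authentication"] = dict(MSI_AUTH)
    return fixed


def render_connections_parameter(connections: dict) -> str:
    """JSON text of the ``$connections`` parameter value, ready to paste
    over the ``parameters.$connections.value`` node in the Code view."""
    return json.dumps(connections, indent=2)


if __name__ == "__main__":
    print("invalid before fix:", find_invalid_connections(SAMPLE_CONNECTIONS))
    fixed = with_managed_identity_auth(SAMPLE_CONNECTIONS)
    print("invalid after fix: ", find_invalid_connections(fixed))
    print(render_connections_parameter(fixed))
```

Saving the definition with this block fixes only the validation error; whether the trigger fires still depends on the identity having the Key Vault and Event Grid subscription permissions described in the answers, which this script cannot check offline.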
2 Answers
Here is how to use Managed Identity from A to Z:
Start by creating a Key Vault and a Logic App (Consumption type used in this demo).
Enable Managed Identity on your Logic App:
Use the RBAC permission model:
Add 2 RBAC roles to your Key Vault:
Verify that the RBAC roles have been added:
Add a trigger for your Logic App using Managed Identity:
and choose these events:
Verify that the Trigger History has no errors:
Check that the Event Grid subscription has been created:
Create a new Secret:
Check that your Logic App has been triggered now:
And in the final step you can see details in the run:
Done
I have got it triggered, and below is my approach:
First, I gave this role to the managed identity of my Logic App:
Then I gave Key Vault Secrets Officer:
You need to have RBAC for the Key Vault:
Then I used the below design:
Output:
When the version changed, it got triggered.