I've seen several support cases recently where someone wants to update a Key Vault via template without disturbing the existing access policies. The problem is that deploying a resource of type Microsoft.KeyVault/vaults replaces any existing access policies with the ones in the template.
This is by design for ARM templates.
In speaking with the product team, I learned of a special child resource type for ARM templates that allows new access policies to be added without affecting the existing ones.
When you deploy a resource of type Microsoft.KeyVault/vaults/accessPolicies with the name "add", it merges your policies into the vault's existing list. This child resource type was created for Managed Service Identity scenarios, where you don't know a VM's identity until the VM is deployed and you want to grant that identity access to the vault during the same deployment.
An incremental deployment can be used along with this JSON to achieve the objective:
{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vaultName": {
            "type": "string"
        }
    },
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults/accessPolicies",
            "name": "[concat(parameters('vaultName'), '/add')]",
            "apiVersion": "2016-10-01",
            "properties": {
                "accessPolicies": [
                    {
                        "tenantId": "dfe47ca8-acfc-4539-9519-7d195a9e79e4",
                        "objectId": "5abe9358-10ae-4195-ba23-d34111430329",
                        "permissions": {
                            "keys": ["all"],
                            "secrets": ["all"],
                            "certificates": ["all"],
                            "storage": ["all"]
                        }
                    }
                ]
            }
        }
    ],
    "outputs": {
    }
}
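As an added example (not from the original post), the following Python builds the same "add" child resource for the Managed Service Identity case the post mentions, resolving the VM's principalId with ARM's reference() function at deployment time, and includes a review check that flags any policy granting "all" on a permission category, since a merged policy stays in place until someone removes it. The vault name "contoso-kv" and VM name "web01" are constructed sample values.

```python
"""Constructed example: build a template that merges access policies into an
existing Key Vault via the Microsoft.KeyVault/vaults/accessPolicies child
resource named "add", then review the result for over-broad permissions."""
import json

API_VERSION = "2016-10-01"  # same accessPolicies API version as the post's template


def policy_entry(tenant_id, object_id, permissions):
    """One accessPolicies element; `permissions` maps keys/secrets/certificates/storage to lists."""
    return {"tenantId": tenant_id, "objectId": object_id, "permissions": dict(permissions)}


def add_policies_template(vault_name, policies):
    """Template whose only resource is '<vault>/add'. Deployed in Incremental mode,
    it merges `policies` into the vault and leaves existing policies untouched."""
    return {
        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [{
            "type": "Microsoft.KeyVault/vaults/accessPolicies",
            "name": f"{vault_name}/add",
            "apiVersion": API_VERSION,
            "properties": {"accessPolicies": list(policies)},
        }],
    }


def vm_identity_policy(vm_name, permissions, compute_api="2017-12-01"):
    """Policy for a VM's system-assigned managed identity. The objectId is an ARM
    expression evaluated at deployment time, so the VM's identity need not be known
    up front (if the VM is created in the same template, add a dependsOn on it)."""
    vm = f"resourceId('Microsoft.Compute/virtualMachines', '{vm_name}')"
    object_id = f"[reference({vm}, '{compute_api}', 'Full').identity.principalId]"
    return policy_entry("[subscription().tenantId]", object_id, permissions)


def overbroad_policies(template):
    """Return (objectId, category) pairs that grant 'all' on a category, for review before deploying."""
    found = []
    for res in template["resources"]:
        for policy in res["properties"]["accessPolicies"]:
            for category, perms in policy["permissions"].items():
                if any(p.lower() == "all" for p in perms):
                    found.append((policy["objectId"], category))
    return found


if __name__ == "__main__":
    # Least-privilege grant: the VM only needs to read secrets.
    tmpl = add_policies_template("contoso-kv", [vm_identity_policy("web01", {"secrets": ["get", "list"]})])
    print(json.dumps(tmpl, indent=2), "\nover-broad:", overbroad_policies(tmpl))
```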
I hope this helps you out when using the Azure Key Vault! Please follow us on Twitter and retweet!
@WinDevMatt @AzIdentity