Azure Key Vault - Access Policy Update via ARM Template

I've seen several support cases recently where someone wants to update a Key Vault via template but not disturb the existing access policies. The problem is that if you deploy a resource of type Microsoft.KeyVault/vaults, that will replace any existing access policy.

This is by-design of ARM Templates.  

In speaking with the product team, I learned of a special child resource for ARM template which allows the addition of new access policies without affecting existing access policies.

When you deploy a resource of type Microsoft.KeyVault/vaults/accessPolicies with the name “add”, it will merge in your changes. This special child resource type was created to allow Managed Service Identity scenarios where you don’t know the identity of a VM until the VM is deployed and you want to give that identity access to the vault during deployment. 

An incremental deployment can be used along with this json to achieve the objective:

    "$schema": "",
    "contentVersion": "",
    "parameters": {
        "vaultName": {
            "type": "string"
    "resources": [
            "type": "Microsoft.KeyVault/vaults/accessPolicies",
            "name": "[concat(parameters('vaultName'), '/add')]",
            "apiVersion": "2016-10-01",
            "properties": {
                "accessPolicies": [
                        "tenantId": "dfe47ca8-acfc-4539-9519-7d195a9e79e4",
                        "objectId": "5abe9358-10ae-4195-ba23-d34111430329",
                        "permissions": {
                            "keys": ["all"],
                            "secrets": ["all"],
                            "certificates": ["all"],
                            "storage": ["all"]
    "outputs": {

I hope this helps you out when using the Azure Key Vault!  Please follow us on Twitter and retweet!
@WinDevMatt @AzIdentity

Comments (7) -

Joey Chömpff 7/30/2018 11:32:29 AM

Is it possible to access a keyvault store which is located inside another resource group?

Yes, I believe this should be possible as it's not a cross-tenant action.

Derek Brown 9/25/2018 9:08:30 PM

How would I accomplish this? My keyvault is in a different subscription & resource group than the msi enabled app I'm trying to grant access.

I tried giving the fully qualified ID as the name of the resource (ex. "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<keyvault-name>/name") but received the following error: "The template resource '/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<keyvault-name>/add' for type 'Microsoft.KeyVault/vaults/accessPolicies' at line '111' and column '9' has incorrect segment lengths. A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name."

If I set the resource name as "<keyvault-name>/add", I get the following error: "Can not perform requested operation on nested resource. Parent resource '<keyvault-name>' not found."

I can probably get the job done using the powershell commands, but, I'd prefer to keep it in the arm template if possible.

Any update @Derek Brown? i am stuck in a similar situation?

Any solution for added accesspolicies to a keyvault instance that is location within an other resource group, via ARM?

Totally stuck on this too. Surely it must be possible to build an ARM template which creates a new web app and adds an access policy to a Keyvault instance that is located in another resource group. SURELY - everyone must want that? Too many brick walls with these darn templates... I may switch to AZ CLI scripts.

For me I can deploy this via arm template directly from visual studio or azure powershell however when its in a devops Azure resource group deployment task sequence it doesn't seem to like the /add. I get:

"error": {
    "code": "BadRequest",
    "message": "Bad JSON content found in the request."

Add comment