Enable DTL service principal as a defined role that can be added to KeyVault for ARM deployments
My lab users requested that they have a DTL template that installs a set of certificates to the "My" store and enables them to leverage them when the virtual machine is created. When I trigger the "base" creation using my custom ARM template via VSTS git, I encounter an error with the 'Microsoft.KeyVault/vaults/deploy/action' permission. It appears that DTL uses a deployment role that does not inherit my permissions to the KeyVault and therefore fails. Is it possible to create an AAD role/service principal for DTL activities so I can whitelist it in KeyVault?
Thanks for submitting the idea! The feature that supports this scenario has been in our backlog without an ETA yet. For people who want to see the support sooner, please don’t hesitate to vote for it!
It would be great if we could get this at some point. There are a number of scenarios where a DTL Service Principal would make deployments a lot easier. I've run into 2 different ones already today (on top of Key Vault access): one was trying to use cross resource group deployment (which did work for a while and then broke last year) and the other was trying to add the NIC in a VM to a VNet in a different RG.
Being able to grant the DTL Service Principal access to those RGs with the right permissions would make things a lot easier; as it is, I'm having to rework parts of my deployment to suit this model.
This would be a good use case for managed service identities when they are GA.
Did more research on this today - for each DTL deployment an application is created with naming convention "RN_<dtlabname>/servicerunners/<environmentname>" and the application is granted 'owner' of the environment resource group and 'virtual machine contributor' on the DTL vNet scope. What is needed is for the same application to be added to a role that includes action "Microsoft.KeyVault/vaults/deploy/action" so that the application can deploy a certificate from KeyVault to the virtual machine.
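As an added illustration (not code from this thread or from the DevTest Labs product), the following Az PowerShell script defines a least-privilege custom role that carries only the `Microsoft.KeyVault/vaults/deploy/action` action named in the comment above and assigns it, at the scope of one vault, to the `RN_<dtlabname>/servicerunners/<environmentname>` application the comment describes. The subscription, resource group, vault, lab and environment names are placeholders, and the role name is an assumption.

```powershell
# Added example; placeholders must be replaced with real values.
$subscriptionId  = "<SUBSCRIPTION-ID>"
$vaultRg         = "<KEYVAULT-RESOURCE-GROUP>"
$vaultName       = "<KEYVAULT-NAME>"
$labName         = "<DTL-LAB-NAME>"
$environmentName = "<DTL-ENVIRONMENT-NAME>"
$roleName        = "Key Vault Template Deployer (example)"   # assumed name

# 1. Custom role with exactly one action: lets a principal reference
#    secrets/certificates from an ARM template without granting it read
#    access to the vault's contents (no data actions, no wildcards).
$roleJson = @"
{
  "Name": "$roleName",
  "IsCustom": true,
  "Description": "Reference Key Vault secrets from ARM deployments only.",
  "Actions": [ "Microsoft.KeyVault/vaults/deploy/action" ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/$subscriptionId/resourceGroups/$vaultRg" ]
}
"@
$roleFile = Join-Path $env:TEMP "kv-deploy-role.json"
Set-Content -Path $roleFile -Value $roleJson -Encoding utf8
if (-not (Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue)) {
    New-AzRoleDefinition -InputFile $roleFile | Out-Null
}

# 2. The vault itself must allow ARM template deployments to read from it;
#    the role alone is not sufficient.
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $vaultRg
if (-not $vault.EnabledForTemplateDeployment) {
    Set-AzKeyVaultAccessPolicy -VaultName $vaultName -EnabledForTemplateDeployment
}

# 3. Assign the role to the DTL service-runner application at vault scope
#    only, using the naming convention reported in the thread (assumed exact).
$runnerName = "RN_$labName/servicerunners/$environmentName"
$runner = Get-AzADServicePrincipal -DisplayName $runnerName
if (-not $runner) { throw "Service runner '$runnerName' not found" }
New-AzRoleAssignment -ObjectId $runner.Id `
                     -RoleDefinitionName $roleName `
                     -Scope $vault.ResourceId
```

Scope the assignment to the vault rather than the resource group so the runner gains no other rights, and re-run the assignment step whenever DTL creates a new environment, since each one gets its own service-runner application.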