ARM Template for KeyVault to have AccessPolicies non-mandatory

Hi,
It would be better for idempotency and the ability to create Keyvault first, with additional incrementally run ARM templates to have AccessPolicies as non-mandatory.

It is already possible to incrementally add AccessPolicies once you have a KeyVault, but it is not possible to create or update a Keyvault via ARM without specifying the AccessPolicies... which is a problem for update - you need to know all the existing AccessPolicies before you do the update or it will get reverted to whatever you specify.

79 votes

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

We’ll send you updates on this idea

Dan Byrne shared this idea · May 31, 2018 · Flag idea as inappropriate… · Admin →

11 comments

Add a comment…

Attach a File

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

An error occurred while saving the comment

KjB commented · December 30, 2019 23:56 · Flag as inappropriate

ARM deployments is possible when using CreateMode (Recovery) and separate access policies.

CreateMode
https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/2018-02-14/vaults

Access policy - Add , replace and move
https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/2018-02-14/vaults/accesspolicies

Submitting...
Lyndon Rumpel commented · December 17, 2019 23:38 · Flag as inappropriate

I understand the motivation on wanting the requested ability. However, from a governance and security perspective, some kind of information security and/or auditor role will always have to receive some kind of minimal access. So just implement that purpose with the initial creation, which makes it compliant from the beginning.

Submitting...
McCraw, David commented · December 06, 2019 02:26 · Flag as inappropriate

+1

This makes it really hard to have zero-downtime deployments in any significant architecture where there are clients of a vault managed in separate repos/ARM templates. So far I have a fragile and elaborate powershell around this, but I really want the ARM deployment for vaults to respect 'incremental'.

Submitting...
Traber commented · December 04, 2019 21:09 · Flag as inappropriate

+1. I don't understand why it is a requirement to include access policies.

It certainly complicated ARM template deployments for existing Key Vaults, since providing an empty access policies list just wipes out everything that is there.

Submitting...
Anonymous commented · March 22, 2019 12:22 · Flag as inappropriate

Support

Submitting...
Chris Neale commented · March 22, 2019 12:19 · Flag as inappropriate

Support

Submitting...
Salford commented · March 06, 2019 20:37 · Flag as inappropriate

Support this suggestion vehemently!

Submitting...
Henry commented · January 29, 2019 05:02 · Flag as inappropriate

Totally agree

Submitting...
Filip Scherwin Lindboe commented · January 10, 2019 02:20 · Flag as inappropriate

I agree. I have a fully automated deployment using Azure DevOps. Here i have some access policies that needs to be assigned more dynamically according to context, so i am setting these through a script. Other access policies are static and is set using ARM template. But the fact that the access policies are being overwritten when deploying the ARM template has caused me some grief.

Submitting...
Toby Meyer commented · December 22, 2018 22:31 · Flag as inappropriate

This breaks incremental deployments in a fundamental way. I use other deployment actions to manipulate KV permissions programmatically & this makes it substantially more complex.

Submitting...
Anonymous commented · November 11, 2018 07:49 · Flag as inappropriate

Agreed.

Submitting...