deployIfNotExists policy - add user assigned managed identity
As of now, deployIfNotExists policy assignments are given a system-assigned identity. This is insufficient when using a parameter reference to a Key Vault secret: there is no Key Vault access policy in place to allow read access for the system-assigned identity.
If a user-assigned identity were supported, then earlier provisioning could already have granted that identity access to the Key Vault.
It is not an acceptable solution to manually create the Key Vault access policy after the policy assignment is created when the deployment of the entire environment is being automated through Azure Blueprints.
Hi, I also faced the same issue. So I went through the MS docs and found there is no support for user-assigned managed identity as of now. Can we do some workaround?
Christopher Cooper commented
I agree this is a huge management nightmare when you delete assignments, and scope becomes a problem when you want to assign a Policy to an RG but access or change resources in another RG. For example, I want to enable SQL Audit to a Log Analytics workspace in another RG. We have an audit requirement to keep the audit logs, but we build and destroy the resource group. It's a pain **********.
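The following script is an added example illustrating both the original request (pre-granting Key Vault access to a long-lived identity before any assignment exists) and Christopher Cooper's comment (a deployIfNotExists assignment scoped to a disposable resource group that must write to a Log Analytics workspace in another resource group). It is not code from the request, the comments, or Microsoft. It assumes an Az PowerShell version in which `New-AzPolicyAssignment` accepts `-IdentityType UserAssigned` and `-IdentityId`, support that was added after this request was filed. Every resource name, the subscription ID, the policy display name and the `logAnalyticsWorkspaceId` parameter name are placeholders to be checked against your tenant and the definition you actually assign.

```powershell
# Added example (not from the original page). Assumes Az.Accounts, Az.Resources,
# Az.ManagedServiceIdentity, Az.KeyVault and Az.OperationalInsights at a version
# where New-AzPolicyAssignment supports user-assigned identities.
# All names below are placeholders.
#Requires -Modules Az.Accounts, Az.Resources, Az.ManagedServiceIdentity, Az.KeyVault, Az.OperationalInsights

param(
    [string]$SubscriptionId    = '00000000-0000-0000-0000-000000000000', # placeholder
    [string]$Location          = 'westeurope',
    [string]$CoreRg            = 'rg-core',       # long-lived: identity, Key Vault, workspace
    [string]$WorkloadRg        = 'rg-workload',   # built and destroyed; policy assigned here
    [string]$IdentityName      = 'id-policy-deploy',
    [string]$VaultName         = 'kv-core-secrets',
    [string]$WorkspaceName     = 'law-core-audit',
    # Placeholder display name; verify with Get-AzPolicyDefinition -Builtin.
    [string]$PolicyDisplayName = 'Configure SQL servers to have auditing enabled to Log Analytics workspace'
)

function New-PolicyDeploymentIdentity {
    # Step 1: one identity in the long-lived RG. It outlives every workload RG rebuild,
    # so grants made to it are made once, not per assignment.
    param([string]$ResourceGroupName, [string]$Name, [string]$Location)
    $uami = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $Name -ErrorAction SilentlyContinue
    if (-not $uami) {
        $uami = New-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $Name -Location $Location
    }
    return $uami
}

function Grant-PolicyDeploymentIdentityAccess {
    # Step 2: grant access up front, before any policy assignment exists.
    param($Identity, [string]$VaultName, [string]$CoreRg, [string]$WorkspaceName)
    # Read access to the secrets that assignment parameters will reference.
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $Identity.PrincipalId -PermissionsToSecrets get, list
    # Write access to the workspace in the other RG, so the DINE deployment can
    # point SQL auditing at it even though the assignment scope is elsewhere.
    $workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $CoreRg -Name $WorkspaceName
    New-AzRoleAssignment -ObjectId $Identity.PrincipalId -RoleDefinitionName 'Log Analytics Contributor' `
        -Scope $workspace.ResourceId -ErrorAction SilentlyContinue | Out-Null
    return $workspace.ResourceId
}

function New-WorkloadPolicyAssignment {
    # Step 3: repeated on every rebuild of the workload RG. The identity is reused,
    # so no Key Vault or workspace permissions need to be touched here.
    param($Identity, [string]$WorkloadRg, [string]$PolicyDisplayName, [string]$Location, [string]$WorkspaceResourceId)
    $rg  = Get-AzResourceGroup -Name $WorkloadRg
    # Older Az.Resources exposes .Properties.DisplayName, newer versions flatten it to .DisplayName.
    $def = Get-AzPolicyDefinition -Builtin | Where-Object {
        $_.Properties.DisplayName -eq $PolicyDisplayName -or $_.DisplayName -eq $PolicyDisplayName
    } | Select-Object -First 1
    if (-not $def) { throw "Policy definition '$PolicyDisplayName' not found; check the display name." }
    # Roles listed in the definition's roleDefinitionIds must be held at the assignment
    # scope; an RG-scoped role assignment dies with the RG, so it is re-granted each rebuild.
    New-AzRoleAssignment -ObjectId $Identity.PrincipalId -RoleDefinitionName 'Contributor' `
        -Scope $rg.ResourceId -ErrorAction SilentlyContinue | Out-Null
    return New-AzPolicyAssignment -Name 'sql-audit-to-law' -DisplayName 'SQL auditing to core Log Analytics' `
        -Scope $rg.ResourceId -PolicyDefinition $def -Location $Location `
        -IdentityType 'UserAssigned' -IdentityId $Identity.Id `
        -PolicyParameterObject @{ logAnalyticsWorkspaceId = $WorkspaceResourceId }  # parameter name is a placeholder
}

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
$uami        = New-PolicyDeploymentIdentity -ResourceGroupName $CoreRg -Name $IdentityName -Location $Location
$workspaceId = Grant-PolicyDeploymentIdentityAccess -Identity $uami -VaultName $VaultName -CoreRg $CoreRg -WorkspaceName $WorkspaceName
New-WorkloadPolicyAssignment -Identity $uami -WorkloadRg $WorkloadRg -PolicyDisplayName $PolicyDisplayName `
    -Location $Location -WorkspaceResourceId $workspaceId
```

Steps 1 and 2 run once and are idempotent; only step 3 runs on each rebuild of the workload resource group. Because the identity lives in the long-lived RG, deleting the assignment or the whole workload RG leaves no orphaned principal and no dangling Key Vault access policy entry behind, which is the management problem the comment above describes for system-assigned identities. Verify the definition's `roleDefinitionIds` and parameter names with `Get-AzPolicyDefinition` before relying on the `Contributor` grant and the `logAnalyticsWorkspaceId` parameter used here.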