Azure Managed Application Publisher / ISV Access to Azure Key Vault in Managed Resource Group in Customer Subscription

Challenge

  • Customer cannot access the Key Vault in the Managed Resource Group (MRG) in their subscription because Azure Managed Applications place a Deny assignment on the MRG (which is the correct default behavior)
  • Publisher cannot access the Key Vault in the Managed Resource Group because the Key Vault is bound to the customer’s Azure AD tenant, which the publisher’s identities are not part of (this is the challenge)

Potential Approaches

Pseudocode for data-plane Managed Identity “proxy” approach

# 1. Read the principal ID of the managed application's system-assigned identity (run as the publisher identity against ARM)
az rest --method GET --uri "/subscriptions/{CUSTOMER_SUBSCRIPTION_ID}/resourceGroups/{MANAGED_APP_RG}/providers/Microsoft.Solutions/applications/{MANAGED_APP_NAME}?api-version=2019-07-01" --query identity.principalId -o tsv
# 2. Grant that identity an access policy on the Key Vault (here list, get, set and delete on secrets)
az keyvault set-policy --secret-permissions list get set delete --object-id PRINCIPAL_ID_OF_THE_MANAGED_APP_SYSTEM_ASSIGNED_IDENTITY --name KEYVAULT_NAME
# 3. Ask ARM for a token on behalf of that identity, scoped to the Key Vault audience (note the ASCII hyphens in the api-version)
az rest --method POST --uri "/subscriptions/{CUSTOMER_SUBSCRIPTION_ID}/resourceGroups/{MANAGED_APP_RG}/providers/Microsoft.Solutions/applications/{MANAGED_APP_NAME}/listTokens?api-version=2019-07-01" --headers Content-Type=application/json --body '{"authorizationAudience": "https://vault.azure.net"}' -o json
# 4. Use the returned access token as a bearer token against the Key Vault data plane
curl -X PUT -H "Content-Type: application/json" -H "Authorization: Bearer {ACCESS_TOKEN}" "https://KEYVAULT_NAME.vault.azure.net/secrets/secret1?api-version=7.1" -d '{"value": "secret1_value"}'
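Added example, not code from the original post: a publisher-side helper in Python that wires steps 1, 3 and 4 of the pseudocode above together (step 2, the access policy, stays a one-time `az keyvault set-policy`). The transport abstraction, the `ManagedAppVaultClient` class and the fake Azure endpoints are assumptions of this example; the shape of the listTokens response (a `value` array whose first entry carries the access token, its lifetime and `authorizationAudience`) is assumed from the API rather than taken from the post, so the parser accepts both snake_case and camelCase field names. The demo runs offline against a constructed fake with placeholder identifiers; for a live run, plug in a transport built on urllib or requests and pass an ARM bearer token obtained as the publisher identity (for example from `az account get-access-token`).

```python
import json
import time
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote

ARM_BASE = "https://management.azure.com"
SOLUTIONS_API_VERSION = "2019-07-01"  # ASCII hyphens: the en-dashes in a copied command break the request
KEYVAULT_API_VERSION = "7.1"
VAULT_AUDIENCE = "https://vault.azure.net"

# transport(method, url, headers, body) -> (status, text); injected so the flow runs offline against a fake
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]


def parse_list_tokens_response(doc: dict, now: Optional[float] = None,
                               expected_audience: str = VAULT_AUDIENCE) -> Tuple[str, float]:
    """Return (access_token, expires_on_epoch). ASSUMED shape: {"value": [{access_token|accessToken,
    expires_in|expiresIn, authorizationAudience}]}; both spellings are accepted."""
    now = time.time() if now is None else now
    entry = (doc.get("value") or [{}])[0]
    token = entry.get("access_token") or entry.get("accessToken")
    if not token:
        raise ValueError("listTokens returned no access token")
    audience = str(entry.get("authorizationAudience", expected_audience)).rstrip("/")
    if audience != expected_audience.rstrip("/"):
        raise ValueError(f"token audience {audience!r} is not {expected_audience!r}")  # never reuse a wrong-audience token
    lifetime = entry.get("expires_in", entry.get("expiresIn"))
    expires_on = now + float(lifetime) if lifetime is not None else now  # unknown lifetime: treat as already stale
    return token, expires_on


class ManagedAppVaultClient:
    def __init__(self, arm_bearer_token: str, subscription_id: str, resource_group: str,
                 app_name: str, vault_name: str, transport: Transport):
        self._arm_token, self._vault, self._transport = arm_bearer_token, vault_name, transport
        self._app_id = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
                        f"/providers/Microsoft.Solutions/applications/{app_name}")
        self._cached: Optional[Tuple[str, float]] = None  # (vault token, expires_on)

    def _arm(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        headers = {"Authorization": f"Bearer {self._arm_token}", "Content-Type": "application/json"}
        data = json.dumps(body).encode() if body is not None else None
        status, text = self._transport(method, f"{ARM_BASE}{path}?api-version={SOLUTIONS_API_VERSION}", headers, data)
        if status != 200:
            raise RuntimeError(f"ARM {method} {path} failed with HTTP {status}")  # response body may hold a token: not logged
        return json.loads(text)

    def principal_id(self) -> str:
        """Step 1: the system-assigned identity to name in the vault's access policy (step 2)."""
        return self._arm("GET", self._app_id)["identity"]["principalId"]

    def vault_token(self) -> str:
        """Step 3: mint a vault-audience token via listTokens; reuse it until 60 s before expiry."""
        if self._cached is None or time.time() + 60.0 >= self._cached[1]:
            doc = self._arm("POST", f"{self._app_id}/listTokens", {"authorizationAudience": VAULT_AUDIENCE})
            self._cached = parse_list_tokens_response(doc)
        return self._cached[0]

    def set_secret(self, name: str, value: str) -> dict:
        """Step 4: Key Vault data-plane PUT, authenticated with the proxied token."""
        url = f"https://{self._vault}.vault.azure.net/secrets/{quote(name, safe='')}?api-version={KEYVAULT_API_VERSION}"
        headers = {"Content-Type": "application/json", "Authorization": f"Bearer {self.vault_token()}"}
        status, text = self._transport("PUT", url, headers, json.dumps({"value": value}).encode())
        if status != 200:
            raise RuntimeError(f"Key Vault PUT {name} failed with HTTP {status}")
        return json.loads(text)


def make_fake_azure(calls: List[Tuple[str, str, Dict[str, str]]]) -> Transport:
    """Constructed stand-in for ARM and the vault data plane; records every request for inspection."""
    def fake(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, str]:
        calls.append((method, url, headers))
        if method == "POST" and url.endswith(f"/listTokens?api-version={SOLUTIONS_API_VERSION}"):
            assert json.loads(body) == {"authorizationAudience": VAULT_AUDIENCE}
            return 200, json.dumps({"value": [{"access_token": "fake-vault-token", "expires_in": "3599",
                                                "authorizationAudience": VAULT_AUDIENCE}]})
        if method == "GET" and "/providers/Microsoft.Solutions/applications/" in url:
            return 200, json.dumps({"identity": {"principalId": "PLACEHOLDER-PRINCIPAL-ID"}})
        if method == "PUT" and ".vault.azure.net/secrets/" in url:
            if headers.get("Authorization") != "Bearer fake-vault-token":
                return 401, "{}"  # the data plane honours only a token minted for the app identity
            name = url.split("/secrets/")[1].split("?")[0]
            return 200, json.dumps({"id": f"https://demo-kv.vault.azure.net/secrets/{name}", "value": json.loads(body)["value"]})
        return 404, "{}"
    return fake


def demo() -> dict:
    """Run the flow against the fake with constructed placeholders (no real subscription or vault)."""
    calls: List[Tuple[str, str, Dict[str, str]]] = []
    client = ManagedAppVaultClient("fake-arm-token", "SUBSCRIPTION-ID", "mrg-demo", "app-demo", "demo-kv", make_fake_azure(calls))
    principal = client.principal_id()
    first = client.set_secret("secret1", "secret1_value")
    second = client.set_secret("secret2", "secret2_value")  # served from the cached token: no second listTokens call
    mints = sum(1 for m, u, _ in calls if m == "POST" and u.endswith("/listTokens?api-version=" + SOLUTIONS_API_VERSION))
    return {"principal_id": principal, "first": first, "second": second, "list_tokens_calls": mints, "calls": calls}
```

Two points the pseudocode leaves implicit: the token listTokens returns is a credential for the customer's vault, so the client keeps it only in memory, refreshes it shortly before expiry and never copies response bodies into error messages; and the access policy granted in step 2 bounds what that token can do, so grant only the secret permissions the proxy actually needs.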

Principal Engineer / Architect, FastTrack for Azure at Microsoft
Arsen Vladimirskiy