Keyvault RBAC model ARM role assignment

Yes, using ARM, not Bicep, I know, it’s bad!

Ran into a whole bunch of constrains and issue trying to assign an array of principals vs roles on keyvault using the RBAC access method, so sharing my working solution here as I couldn’t find a single good example on google:

            "type": "Microsoft.KeyVault/vaults/providers/roleAssignments",
            "apiVersion": "2018-09-01-preview",
            "copy": {
                "name": "rbac-access-policy-loop",
                "count": "[length(parameters('accessPolicies'))]"
            "name": "[concat(variables('vaultName'),'/Microsoft.Authorization/',guid(concat(variables('vaultName'), parameters('accessPolicies')[copyIndex('rbac-access-policy-loop')].objectId, parameters('accessPolicies')[copyIndex('rbac-access-policy-loop')].roleId)))]",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', variables('vaultName'))]"
            "properties": {
                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roledefinitions/',parameters('accessPolicies')[copyIndex('rbac-access-policy-loop')].roleId)]",
                "principalId": "[parameters('accessPolicies')[copyIndex('rbac-access-policy-loop')].objectId]",
                "scope": "[resourceId('Microsoft.KeyVault/vaults', variables('vaultName'))]",
                "principalType": "Group"

An example param would then look like this:

        "accessPolicies": {
            "value": [
                    "roleId": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
                    "objectId": "2d9cbd23-20b1-4921-a8e4-54b55161ad04"

Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Walter M
Walter M
11 months ago

Thanks man. This really helped me out. Nice pic.