Yes, using ARM, not Bicep, I know, it’s bad!
Ran into a whole bunch of constraints and issues trying to assign an array of principals vs roles on Key Vault using the RBAC access method, so sharing my working solution here as I couldn’t find a single good example on Google:
{
  "type": "Microsoft.KeyVault/vaults/providers/roleAssignments",
  "apiVersion": "2018-09-01-preview",
  "copy": {
    "name": "rbac-access-policy-loop",
    "count": "[length(parameters('accessPolicies'))]"
  },
  "name": "[concat(variables('vaultName'),'/Microsoft.Authorization/',guid(concat(variables('vaultName'), parameters('accessPolicies')[copyIndex('rbac-access-policy-loop')].objectId, parameters('accessPolicies')[copyIndex('rbac-access-policy-loop')].roleId)))]",
  "dependsOn": [
    "[resourceId('Microsoft.KeyVault/vaults', variables('vaultName'))]"
  ],
  "properties": {
    "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roledefinitions/',parameters('accessPolicies')[copyIndex('rbac-access-policy-loop')].roleId)]",
    "principalId": "[parameters('accessPolicies')[copyIndex('rbac-access-policy-loop')].objectId]",
    "scope": "[resourceId('Microsoft.KeyVault/vaults', variables('vaultName'))]",
    "principalType": "Group"
  }
}
An example param would then look like this:
"accessPolicies": {
  "value": [
    {
      "roleId": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
      "objectId": "2d9cbd23-20b1-4921-a8e4-54b55161ad04"
    }
  ]
}
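A pre-deployment check for the accessPolicies array, added here as an example and not part of the original post. The role assignment name above is guid() over the vault name, objectId and roleId, so two entries with the same pair produce the same resource name in the copy loop. The function name and the sample entries are constructed for illustration, and comparing GUIDs case-insensitively is an assumption about how duplicates should be treated.

```python
import json
import uuid

# Constructed sample parameter content; only the first entry matches the post.
SAMPLE_PARAMS = """
{
  "accessPolicies": {
    "value": [
      {"roleId": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7", "objectId": "2d9cbd23-20b1-4921-a8e4-54b55161ad04"},
      {"roleId": "B86A8FE4-44CE-4948-AEE5-ECCB2C155CD7", "objectId": "2d9cbd23-20b1-4921-a8e4-54b55161ad04"},
      {"roleId": "not-a-guid", "objectId": "2d9cbd23-20b1-4921-a8e4-54b55161ad04"},
      {"roleId": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7"}
    ]
  }
}
"""

REQUIRED = ("roleId", "objectId")  # the two keys the template reads per entry


def _is_guid(value):
    """True only for the canonical 8-4-4-4-12 hex form."""
    try:
        return isinstance(value, str) and str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def lint_access_policies(params):
    """Return a list of (index, problem) tuples for the accessPolicies array."""
    problems, seen = [], {}
    for i, entry in enumerate(params["accessPolicies"]["value"]):
        missing = [k for k in REQUIRED if k not in entry]
        if missing:
            problems.append((i, "missing " + ", ".join(missing)))
            continue
        bad = [k for k in REQUIRED if not _is_guid(entry[k])]
        if bad:
            problems.append((i, "not a GUID: " + ", ".join(bad)))
            continue
        # Same principal + same role = same assignment, whatever the letter case.
        key = (entry["objectId"].lower(), entry["roleId"].lower())
        if key in seen:
            problems.append((i, f"duplicate of entry {seen[key]}"))
        else:
            seen[key] = i
    return problems


if __name__ == "__main__":
    for index, problem in lint_access_policies(json.loads(SAMPLE_PARAMS)):
        print(f"accessPolicies[{index}]: {problem}")
```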
Thanks man. This really helped me out. Nice pic.