How to create Api connection to Azure KeyVault for Logic App with Managed Identity
Scenario

Hi, I would like to create a Logic App that gets a secret from Azure KeyVault and sends an authenticated request to the API with the secret from the vault.

Problem

During my ARM deploy I receive: "The workflow connection parameter 'keyvault' is not valid. The API connection 'keyvault' is not configured to support managed identity." How do I create Microsoft.Web/Connections with managed identity from an ARM template? There is no information about it in the docs: apiConnection, logicapp-MSI

Repro

{
  "type": "Microsoft.Web/connections",
  "apiVersion": "2016-06-01",
  "name": "[variables('KeyVault_Connection_Name')]",
  "location": "[variables('location')]",
  "kind": "V1",
  "properties": {
    "api": {
      "id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/', 'keyvault')]"
    },
    "parameterValues": {
      "vaultName": "[variables('keyVaultName')]"
    },
    "displayName": "[variables('KeyVault_Display_Connection_Name')]"
  }
},
{
  "type": "Microsoft.Logic/workflows",
  "apiVersion": "2017-07-01",
  "name": "[variables('logicAppName')]",
  "location": "[variables('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Web/Connections', variables('KeyVault_Connection_Name'))]"
  ],
  "properties": {
    "state": "Enabled",
    "definition": {
      "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "$connections": {
          "defaultValue": {},
          "type": "Object"
        }
      },
      "triggers": {schedule trigger},
      "actions": {get secret, send HTTP},
      "outputs": {}
    },
    "parameters": {
      "$connections": {
        "value": {
          "keyvault": {
            "connectionId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Web/connections/', variables('KeyVault_Connection_Name'))]",
            "connectionName": "[variables('KeyVault_Display_Connection_Name')]",
            "connectionProperties": {
              "authentication": {
                "type": "ManagedServiceIdentity"
              }
            },
            "id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'),'/managedApis/keyvault')]"
          }
        }
      }
    }
  }
}

Tried

I added parameterValueType with value Alternative to Microsoft.Web/connections. It was also necessary to remove parameterValues, because it caused an error.

{
    "type": "Microsoft.Web/connections",
    "apiVersion": "2016-06-01",
    "name": "[variables('KeyVault_Connection_Name')]",
    "location": "[variables('location')]",
    "kind": "V1",
    "properties": {
        "api": {
            "id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/', 'keyvault')]"
        },
        "parameterValueType": "Alternative",
        "displayName": "[variables('KeyVault_Display_Connection_Name')]"
    }
},

Now I receive an error at runtime when the Get secret action runs:

{
  "status": 400,
  "message": "The connection does not contain a vault name. Please edit the connection and enter a valid key vault name.",
  "error": {
    "message": "The connection does not contain a vault name. Please edit the connection and enter a valid key vault name."
  },
  "source": "keyvault-we.azconn-we.p.azurewebsites.net"
}

I have also tried to add vaultName to customParameterValues but it did not help.

Chaliapin answered 21/2, 2021 at 21:23 Comment(0)

Along with "parameterValueType": "Alternative", you also need to specify your keyvault name you want to access in alternativeParameterValues like below.

The sample works for me; joykeyvault123 is my keyvault name.

{
    "type": "Microsoft.Web/connections",
    "apiVersion": "2016-06-01",
    "name": "[variables('KeyVault_Connection_Name')]",
    "location": "[variables('location')]",
    "kind": "V1",
    "properties": {
        "api": {
            "id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/', 'keyvault')]"
        },
        "parameterValueType": "Alternative",
        "alternativeParameterValues": {
            "vaultName": "joykeyvault123"
        },
        "displayName": "[variables('KeyVault_Display_Connection_Name')]"
    }
},
Baccarat answered 22/2, 2021 at 4:16 Comment(6)
How do you know it? When I export my connection or logic app to ARM there is no such property. - Chaliapin
@Chaliapin So does it work for you? If not, there is no point in saying that. ;-) - Baccarat
@Chaliapin You could find it in the connection in the portal -> JSON View, i.sstatic.net/bMuu4.png - Baccarat
If you mean Api connection -> Export template: no, there is no such field in the JSON template. This feature (MSI for logic app actions) is in preview, so maybe that is the key. - Chaliapin
@Chaliapin No, I don't mean that, please check the image in the comment above. - Baccarat
Worked out perfectly. This ARM change auto-enabled the MI (system assigned) for my Logic app when it was created using pipelines. All I had to do was to add this MI under Access Policies of my Key Vault. - Flyer

Not exactly an answer to the question, but I ended up here while searching for a similar issue.

For user assigned managed identity, the property to use is different.

You need to set parameterValueSet as below:

{
  "type": "Microsoft.Web/connections",
  "apiVersion": "2016-06-01",
  "name": "[variables('connection-keyvault-name')]",
  "location": "[variables('location')]",
  "kind": "V1",
  "properties": {
    "displayName": "[concat(variables('logic-app-get-token-name'), '-to-keyvault')]",
    "api": {
      "name": "keyvault",
      "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/keyvault')]",
      "type": "Microsoft.Web/locations/managedApis"
    },
    "parameterValueSet": {
      "name": "oauthMI",
      "values": {
        "vaultName": {
          "value": "[parameters('keyvault_configuration_name')]"
        }
      }
    }
  }
}
Doom answered 22/2, 2023 at 14:31 Comment(3)
This is the right answer; the other answers didn't work for me - trying with the alternative parameter values and selecting it in a logic app, the logic app would refuse to save, and the Edit UI in the connection itself looks different. And this is using System-assigned managed identity. - Photoconduction
I wonder why parameterValueType or parameterValueSet do not appear in the ARM template description: learn.microsoft.com/en-us/azure/templates/microsoft.web/…. I am using Pulumi, and these properties are not available there. - Ghirlandaio
I agree, the most reliable source I have found is the JSON view in the connection overview detail, on the Azure portal (as commented on the accepted answer). It also works for other resource types. - Doom
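The mismatch behind the question's deployment error (a workflow whose keyvault entry authenticates with ManagedServiceIdentity while the Microsoft.Web/connections resource still carries plain parameterValues) and the follow-up runtime 400 (an Alternative connection with no vaultName) can both be caught before the template is deployed. The Python checker below is an added example, not code from the question or from either answer. It encodes the two managed-identity connection shapes the answers show (parameterValueType "Alternative" with alternativeParameterValues.vaultName for a system-assigned identity, and parameterValueSet named oauthMI with values.vaultName for a user-assigned identity) and runs them over constructed sample templates modelled on the question's repro. Matching a workflow's connectionId to a connection resource by the variables('X') reference they share is an assumption made for this checker, not ARM semantics.

```python
"""Pre-deployment check: do a Logic App's managed-identity Key Vault connections
match the Microsoft.Web/connections resources it references?

Added example, not code from the question or the answers. Connection shapes
follow the two answers; matching resources by variables('X') is an assumption.
"""
import re

_VAR = re.compile(r"variables\('([^']+)'\)")


def connection_key(s):
    """Normalise a connection resource name or a workflow connectionId so the two
    can be compared. A literal name compares by its last path segment; an ARM
    expression compares by the last variables('X') it contains (assumption: the
    template names the connection with the same variable it uses in connectionId).
    """
    refs = _VAR.findall(s)
    if refs:
        return "var:" + refs[-1]
    return "lit:" + s.rstrip("/").rsplit("/", 1)[-1]


def connection_mi_status(conn):
    """Return (supports_managed_identity, vault_name) for one connection resource."""
    props = conn.get("properties", {})
    if props.get("parameterValueType") == "Alternative":
        # system-assigned identity shape from the accepted answer
        return True, props.get("alternativeParameterValues", {}).get("vaultName")
    pvs = props.get("parameterValueSet", {})
    if pvs.get("name") == "oauthMI":
        # user-assigned identity shape from the other answer
        return True, pvs.get("values", {}).get("vaultName", {}).get("value")
    # plain parameterValues: the connector expects a stored credential/consent
    return False, props.get("parameterValues", {}).get("vaultName")


def workflow_mi_connections(wf):
    """(name, connectionId) for each $connections entry that authenticates with MSI."""
    conns = (wf.get("properties", {}).get("parameters", {})
               .get("$connections", {}).get("value", {}))
    return [(n, c.get("connectionId", "")) for n, c in conns.items()
            if c.get("connectionProperties", {}).get("authentication", {})
                .get("type") == "ManagedServiceIdentity"]


def check_template(template):
    """Return a list of findings; an empty list means the template is consistent."""
    resources = template.get("resources", [])
    conns = {connection_key(r["name"]): r for r in resources
             if r.get("type", "").lower() == "microsoft.web/connections"}
    findings = []
    for wf in resources:
        if wf.get("type", "").lower() != "microsoft.logic/workflows":
            continue
        has_identity = wf.get("identity", {}).get("type", "None") != "None"
        for name, conn_id in workflow_mi_connections(wf):
            if not has_identity:
                findings.append(f"{name}: workflow declares no identity block")
            conn = conns.get(connection_key(conn_id))
            if conn is None:
                findings.append(f"{name}: connectionId does not match any connection here")
                continue
            supports_mi, vault = connection_mi_status(conn)
            if not supports_mi:
                findings.append(f"{name}: connection is not configured for managed identity")
            elif not vault:
                findings.append(f"{name}: connection has no vaultName (Get Secret would return 400)")
    return findings


# Constructed sample templates mirroring the question's repro and the fixes.
_CONN_ID = ("[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', "
            "variables('resourceGroupName'), '/providers/Microsoft.Web/connections/', "
            "variables('KeyVault_Connection_Name'))]")


def _workflow(identity=True):
    wf = {"type": "Microsoft.Logic/workflows", "name": "[variables('logicAppName')]",
          "properties": {"parameters": {"$connections": {"value": {"keyvault": {
              "connectionId": _CONN_ID,
              "connectionProperties": {"authentication": {"type": "ManagedServiceIdentity"}}}}}}}}
    if identity:
        wf["identity"] = {"type": "SystemAssigned"}
    return wf


def _connection(props):
    return {"type": "Microsoft.Web/connections",
            "name": "[variables('KeyVault_Connection_Name')]", "properties": props}


BROKEN = {"resources": [_connection({"parameterValues": {"vaultName": "kv-sample"}}), _workflow()]}
NO_VAULT = {"resources": [_connection({"parameterValueType": "Alternative"}), _workflow()]}
FIXED_SYSTEM = {"resources": [_connection({"parameterValueType": "Alternative",
                                           "alternativeParameterValues": {"vaultName": "kv-sample"}}),
                              _workflow()]}
FIXED_USER = {"resources": [_connection({"parameterValueSet": {"name": "oauthMI",
                                         "values": {"vaultName": {"value": "kv-sample"}}}}),
                            _workflow()]}
NO_IDENTITY = {"resources": [FIXED_SYSTEM["resources"][0], _workflow(identity=False)]}

if __name__ == "__main__":
    for label, t in [("broken", BROKEN), ("no-vault", NO_VAULT), ("no-identity", NO_IDENTITY),
                     ("fixed-system", FIXED_SYSTEM), ("fixed-user", FIXED_USER)]:
        print(label, check_template(t) or "OK")
```

Run it as a step in the pipeline that deploys the template: a non-empty findings list means the Logic App would either fail validation with the "not configured to support managed identity" error or reach the Get secret action and fail with the vault-name 400, so the deployment can stop before either happens. It deliberately does not grant anything; the access policy or RBAC role for the identity on the vault is still a separate step.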