Closed BigSlimeGuy closed 8 months ago
@BigSlimeGuy Thanks for your feedback! We will investigate and update as appropriate.
@divyaswarnkar @ecfan The access policy is a legacy authorization system, and the recommended approach is to use RBAC role https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli. Can you please review if we can update this doc?
Any word on this? I'm trying to set this up via terraform with an RBAC-enabled key vault and running into this problem. Trying to add the permission with the hard-coded principal ID times out:
```hcl
...
# magic number principal ID for Logic Apps
resource "azurerm_role_assignment" "as2-edi-logicapp-global" {
  scope                = azurerm_key_vault.as2-edi.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = "7cd684f4-8a78-49b0-91ec-6a35d38739ba"
}
```
@BigSlimeGuy, @mcowart123, and @mumurug-MSFT: I've pinged the product team about this, thanks!
@BigSlimeGuy & @mumurug-MSFT: The following docs have more info about using RBAC with a key vault, so I can add these links to the doc:
@mcowart123: For the timeout issue with the key vault, please post the issue on the Key Vault customer feedback page.
Doc updates to be published after 4 PM Pacific Time.
In the following step, it does not specify how to do something similar using RBAC, or is this not supported?
_Authorize the Azure Logic Apps service to perform operations on your key vault. To grant access to the Azure Logic Apps service principal, use the PowerShell command, Set-AzKeyVaultAccessPolicy, for example:_

`Set-AzKeyVaultAccessPolicy -VaultName 'TestcertKeyVault' -ServicePrincipalName '7cd684f4-8a78-49b0-91ec-6a35d38739ba' -PermissionsToKeys decrypt, sign, get, list`
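An RBAC counterpart to the access-policy step quoted in this issue, as an added example that is not from the thread or from the Microsoft doc: it resolves the service principal's object ID in the current tenant from the application ID and assigns a key-scoped role on the vault. Assumptions: the built-in role `Key Vault Crypto User` is chosen here as a narrower fit for decrypt, sign, get and list on keys than `Key Vault Administrator`, and the thread does not confirm that Azure Logic Apps works against an RBAC-enabled vault.

```powershell
# Added example; requires the Az.KeyVault and Az.Resources modules and a signed-in session.
$appId     = '7cd684f4-8a78-49b0-91ec-6a35d38739ba'  # Logic Apps service principal name quoted in this issue
$vaultName = 'TestcertKeyVault'                       # vault name from the quoted doc step
$roleName  = 'Key Vault Crypto User'                  # assumption: role choice is this example's, not the doc's

$vault = Get-AzKeyVault -VaultName $vaultName
if (-not $vault) { throw "Key vault '$vaultName' not found in the current subscription." }

# Data-plane role assignments only take effect when the vault uses the RBAC permission model.
if (-not $vault.EnableRbacAuthorization) {
    throw "Vault '$vaultName' uses access policies; an RBAC data-plane role would not be evaluated."
}

# Role assignments are keyed on the service principal's object ID in this tenant,
# which is a different GUID from the application ID.
$sp = Get-AzADServicePrincipal -ApplicationId $appId
if (-not $sp) { throw "No service principal for application ID $appId in this tenant." }

# Assign at vault scope only, and skip the call if the assignment already exists.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $vault.ResourceId -RoleDefinitionName $roleName
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $vault.ResourceId
}

# Review what this principal now holds at or above the vault scope.
Get-AzRoleAssignment -Scope $vault.ResourceId |
    Where-Object ObjectId -eq $sp.Id |
    Select-Object RoleDefinitionName, Scope
```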