From 225b8cbe12f2815fc1caa05cb854e0057a9ead9d Mon Sep 17 00:00:00 2001
From: "munabeel@microsoft.com"
Date: Mon, 9 Dec 2024 15:06:16 -0800
Subject: [PATCH] Addressing issue# 2875, added access policies for the keyvault to ensure user principal is assigned the proper get and list permission.
---
 .../contoso_motors/bicep/data/keyVault.bicep | 13 ++++++++++++-
 azure_jumpstart_ag/contoso_motors/bicep/main.bicep | 1 +
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/azure_jumpstart_ag/contoso_motors/bicep/data/keyVault.bicep b/azure_jumpstart_ag/contoso_motors/bicep/data/keyVault.bicep
index c0b7ad3428..0ce69f7cc6 100644
--- a/azure_jumpstart_ag/contoso_motors/bicep/data/keyVault.bicep
+++ b/azure_jumpstart_ag/contoso_motors/bicep/data/keyVault.bicep
@@ -24,6 +24,9 @@ param resourceTags object = {
   Project: 'Jumpstart_azure_aio'
 }
+@description('Azure service principal object id')
+param spnObjectId string
 resource akv 'Microsoft.KeyVault/vaults@2023-02-01' = {
   name: akvNameSite1
   location: location
@@ -33,7 +36,15 @@ resource akv 'Microsoft.KeyVault/vaults@2023-02-01' = {
     name: akvSku
     family: 'A'
   }
-  accessPolicies: []
+  accessPolicies: [
+    {
+      tenantId: tenantId
+      objectId: spnObjectId
+      permissions: {
+        secrets: ['get', 'list']
+      }
+    }
+  ]
   enableSoftDelete: false
   tenantId: tenantId
 }
diff --git a/azure_jumpstart_ag/contoso_motors/bicep/main.bicep b/azure_jumpstart_ag/contoso_motors/bicep/main.bicep
index a2932d6149..8392341da1 100644
--- a/azure_jumpstart_ag/contoso_motors/bicep/main.bicep
+++ b/azure_jumpstart_ag/contoso_motors/bicep/main.bicep
@@ -187,6 +187,7 @@ module keyVault 'data/keyVault.bicep' = {
     akvNameSite1: akvNameSite1
     akvNameSite2: akvNameSite2
     location: location
+    spnObjectId: spnObjectId
   }
 }
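Review bot: The new parameter's `@description` calls the principal a service principal while the commit message says a user principal is being granted get/list, and neither says which identifier is expected; Key Vault stores whatever GUID is placed in an access policy without validating it, so an application (client) id pasted here produces a policy that grants nothing to anyone. A description such as `@description('Object id (not application/client id) of the user or service principal granted get/list on vault secrets')` removes both ambiguities. The parameter has no default, so every consumer of data/keyVault.bicep must now pass it; main.bicep is wired in this commit, any other caller is not visible here.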
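Review bot: The inline `accessPolicies` list on the vault resource is authoritative on every deployment, so any policy granted outside this template (portal, CLI, a later deployment script) is removed the next time the template runs; that deserves a comment, e.g. `// authoritative: redeploying resets the vault's access policies to exactly this list`, or the entry can move to a `Microsoft.KeyVault/vaults/accessPolicies` child resource named `add` if additive behaviour is wanted. The `secrets: ['get', 'list']` grant matches the stated intent and is appropriately narrow. Only the akvNameSite1 vault is in view; whether the site-2 vault the module also receives gets the same policy cannot be seen from this hunk. `enableSoftDelete: false` is pre-existing context rather than part of this change, but it means a deleted secret is not recoverable, which a reviewer of the vault's posture would want noted.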
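Review bot: `spnObjectId` is consumed on the added line but its declaration is outside the hunk, so this assumes main.bicep already has a `param spnObjectId string`; since the module parameter has no default, the deployment fails at compile time if it does not. If the value is the same parameter main.bicep uses for the deployment service principal elsewhere, the commit message's "user principal" wording does not match what is actually granted access, and a short comment on this line such as `// object id of the principal granted get/list on vault secrets` would tell whoever supplies the parameter what identity is being authorised. The enclosing module block continues outside the hunk.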