I'm trying to add a Batch Account (in User subscription mode) configuration to ARM script but I'm facing a problem with circular dependency.
- Batch account requires KeyVaultReference.
- Key Vault access policies require BatchAccount object id.
In this situation I'm not able to create a fully configured services. Do you know how can I create both services from the same ARM script?
Please see the example below:
{
"name": "[variables('keyVaultName')]",
"type": "Microsoft.KeyVault/vaults",
"location": "[resourceGroup().location]",
"apiVersion": "2015-06-01",
"properties": {
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "[subscription().tenantId]",
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]",
"permissions": {
"keys": [
"Update"
]
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]"
]
},
{
"name": "[variables('batchAccountName')]",
"type": "Microsoft.Batch/batchAccounts",
"location": "[resourceGroup().location]",
"apiVersion": "2017-05-01",
"properties": {
"poolAllocationMode": "UserSubscription",
"autoStorage": {
"storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]"
},
"keyVaultReference": {
"id": "[concat(subscription().id, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.KeyVault/vaults/', variables('keyVaultName'))]",
"url": "[concat('https://', variables('keyVaultName'), '.vault.azure.net/')]"
}
},
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]",
"[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
]
}
The object id is not related with batch account. The object id is the user's object id who you set that could access the key vault. The user could be a Azure AD account, Microsoft account or a service principal. For a Azure AD account, you could get the id with PowerShell cmdlet
Get-AzureRmADUser
. This blog maybe helpful.As you did, you could add a depends on key vault when you create batch account. The following template works for me.