How to assign RBAC to KeyVault in another resourceGroup

I am deploying a couple of web apps - as the web apps build I need to be able to assign the system identity of each web app to an RBAC role for a KeyVault in another resource group that has my certificates.

The idea is that once the web apps are deployed I will pull the certificates from the other key vault and set up custom domains.

I'm trying something like this

resource certVault 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: keyVaultName
  properties: {
    principalId: AppService.outputs.webAppSystemID
    roleDefinitionId: roleid
  }
}

Update: I've tried this, but still no luck

resource certKeyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: 'certbotkv423452'
  scope: resourceGroup(subscription().subscriptionId, 'rg-cert-keyvault' )
}


resource roleAssignSecretsUser 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [ for i in range(0, length(webAppSettings.webApps)): {
  name: guid(subscription().id, toLower('app-${webAppSettings.webApps[i].name}-${resourceGroupNameSuffix}'), roleDefinitionId,'-0${(i + 1)}')
  scope: certKeyVault
  properties: {
    principalId: AppService[i].outputs.webAppSystemID
    principalType: 'ServicePrincipal'
    roleDefinitionId: roleDefinitionId
  }
}]


So how do I just take the system assigned ID from the webapp and assign the role?

Thanks



Solution 1:[1]

You need to set the scope on the module that has the RBAC assignment (your second snippet).

The value of the scope for the module should be the same as the scope you set on the existing key vault resource.
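The layout this answer describes, as an added example that is not part of the original question or answer: the role assignment moves into its own module, and the calling template sets that module's scope to the key vault's resource group. The vault name, resource group name, `AppService`, `webAppSettings` and `roleDefinitionId` are taken from the question; the module file name `kv-role-assignment.bicep`, the symbolic name `kvRoleAssign` and the parameter names are assumptions made for illustration.

```bicep
// ---- main.bicep (deployed to the web apps' resource group) ----
// AppService, webAppSettings and roleDefinitionId are assumed to be
// declared as in the question's template.
module kvRoleAssign 'kv-role-assignment.bicep' = [for i in range(0, length(webAppSettings.webApps)): {
  name: 'kvRoleAssign-${i}'
  // Same scope value as the question's existing key vault reference
  scope: resourceGroup(subscription().subscriptionId, 'rg-cert-keyvault')
  params: {
    keyVaultName: 'certbotkv423452'
    principalId: AppService[i].outputs.webAppSystemID
    roleDefinitionId: roleDefinitionId
  }
}]

// ---- kv-role-assignment.bicep (hypothetical file name) ----
// Runs inside the key vault's resource group, so the existing
// reference below needs no scope of its own.
@description('Name of the key vault that holds the certificates')
param keyVaultName string

@description('Object ID of the web app system-assigned identity')
param principalId string

@description('Role definition ID, passed through from the calling template')
param roleDefinitionId string

resource certKeyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: keyVaultName
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = {
  // Deterministic name: one assignment per vault, principal and role
  name: guid(certKeyVault.id, principalId, roleDefinitionId)
  // Scoped to the single vault, not the whole resource group
  scope: certKeyVault
  properties: {
    principalId: principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: roleDefinitionId
  }
}
```

The identity running the deployment needs permission to write role assignments in `rg-cert-keyvault`. Keeping `scope: certKeyVault` on the assignment limits each web app identity to that one vault.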

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Miq