Merge pull request #88865 from dragav/sf-mi-docnsamples-update-0912

v-albemi · web-flow · commit 7e11fba60ad1 · 2019-09-17T15:02:48.000-07:00
update doc page to demonstrate ACLing with system-assigned MI
diff --git a/articles/service-fabric/how-to-grant-access-other-resources.md b/articles/service-fabric/how-to-grant-access-other-resources.md
@@ -36,9 +36,14 @@ Similarly with accessing storage, you can leverage the managed identity of a Ser
 
 ![Key Vault access policy](../key-vault/media/vs-secure-secret-appsettings/add-keyvault-access-policy.png)
 
-The following example illustrates granting access to a vault via a template deployment; add the snippet below as another entry under the `resources` element of the template.
+The following example illustrates granting access to a vault via a template deployment; add the snippet(s) below as another entry under the `resources` element of the template. The sample demonstrates access granting for both user-assigned and system-assigned identity types, respectively - choose the applicable one.
 
 ```json
+	# under 'variables':
+  "variables": {
+		"userAssignedIdentityResourceId" : "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedIdentityName'))]",
+	}
+	# under 'resources':
 	{
 		"type": "Microsoft.KeyVault/vaults/accessPolicies",
 		"name": "[concat(parameters('keyVaultName'), '/add')]",
@@ -61,6 +66,42 @@ The following example illustrates granting access to a vault via a template depl
 		}
 	},
 ```
+And for system-assigned managed identities:
+```json
+	# under 'variables':
+  "variables": {
+		"sfAppSystemAssignedIdentityResourceId": "[concat(resourceId('Microsoft.ServiceFabric/clusters/applications/', parameters('clusterName'), parameters('applicationName')), '/providers/Microsoft.ManagedIdentity/Identities/default')]"
+	}
+	# under 'resources':
+	{
+		"type": "Microsoft.KeyVault/vaults/accessPolicies",
+		"name": "[concat(parameters('keyVaultName'), '/add')]",
+		"apiVersion": "2018-02-14",
+		"properties": {
+			"accessPolicies": [
+			{
+					"name": "[concat(parameters('clusterName'), '/', parameters('applicationName'))]",
+					"tenantId": "[reference(variables('sfAppSystemAssignedIdentityResourceId'), '2018-11-30').tenantId]",
+					"objectId": "[reference(variables('sfAppSystemAssignedIdentityResourceId'), '2018-11-30').principalId]",
+					"dependsOn": [
+						"[variables('sfAppSystemAssignedIdentityResourceId')]"
+					],
+					"permissions": {
+						"secrets": [
+							"get",
+							"list"
+						],
+						"certificates": 
+						[
+							"get", 
+							"list"
+						]
+					}
+			},
+		]
+		}
+	}
+```
 
 For more details, please see [Vaults - Update Access Policy](https://docs.microsoft.com/rest/api/keyvault/vaults/updateaccesspolicy).
 
