// Secret material that gets written into the runtime Key Vault.
// @secure() keeps the value out of deployment history and logs; do not
// surface it through an output or a non-secure parameter elsewhere.
@secure()
@description('The secret')
param secretValue string
// Resource names used throughout the template.
var names = {
  runtimeKeyVault: {
    // Globally unique vault name derived from the resource group id (Key Vault names are DNS labels).
    name: 'kvchgp${uniqueString(resourceGroup().id)}'
    secretName: 'somesecret'
  }
  identity: {
    // NOTE(review): `setup` is declared but not referenced in this excerpt.
    setup: 'uami-setup'
    runtime: 'uami-runtime'
  }
}
// Azure built-in role definition GUIDs (resolved with subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ...)).
var roles = {
  KeyVault: {
    // Data-plane roles for vaults with enableRbacAuthorization: true.
    KeyVaultSecretsUser: '4633458b-17de-408a-b874-0445c86b69e6'     // read secret contents only
    KeyVaultSecretsOfficer: 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7'  // manage secrets (no vault/permission management)
  }
  // Broad control-plane roles. Only the Key Vault roles are assigned in this excerpt; Owner and
  // Contributor should not be granted to the runtime identity, which only needs to read one secret.
  Reader: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
  Contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
  Owner: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
}
// User-assigned managed identity for the compute that submits metering information.
// Its only intended permission is reading the connection string secret from the runtime
// Key Vault (granted by the roleAssignments resource further down).
// `location` is a template parameter declared outside this excerpt.
resource runtimeIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  location: location
  name: names.identity.runtime
}
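// Key Vault holding the secret the runtime identity reads.
// Data-plane access is governed by Azure RBAC role assignments, not access policies.
resource runtimeKeyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
  name: names.runtimeKeyVault.name
  location: location
  properties: {
    sku: { family: 'A', name: 'standard' }
    tenantId: subscription().tenantId
    // RBAC mode: the KeyVaultSecretsUser assignment below is what grants read access.
    enableRbacAuthorization: true
    // Soft delete can no longer be disabled on newly created vaults, so `false` is at best
    // ignored and at worst a deployment error. Enabling it explicitly also allows a deleted
    // vault or secret to be recovered instead of being lost or silently re-created.
    // 90 days is the maximum retention the service accepts.
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    // NOTE(review): enablePurgeProtection is not set because it cannot be turned off again
    // once enabled; turn it on for production vaults so a deleted secret cannot be purged
    // during the retention window.
    networkAcls: {
      bypass: 'AzureServices'
      // NOTE(review): 'Allow' exposes the vault's data plane to the public internet, gated only
      // by Azure AD authentication and RBAC. Switch to 'Deny' with ipRules/virtualNetworkRules
      // (or a private endpoint) once the network location of the runtime compute is known.
      defaultAction: 'Allow'
    }
  }
}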
// The secret the runtime identity reads (the `parent` reference also orders this after the vault).
// NOTE(review): no expiry (`attributes.exp`) or contentType is set; add an expiry and a
// rotation process if this value is a long-lived connection string.
resource meteringSubmissionSecret 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
  name: names.runtimeKeyVault.secretName
  parent: runtimeKeyVault
  properties: {
    // Sourced from the @secure() parameter, so the value does not appear in deployment history.
    value: secretValue
  }
}
// Grant the runtime identity read access to secrets in the vault (Key Vault Secrets User).
// NOTE(review): the assignment is scoped to the whole vault; if the identity only ever needs
// `meteringSubmissionSecret`, scoping to that secret resource is the least-privilege option.
resource runtimeIdentityCanReadMeteringSubmissionSecretPrincipalId 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  scope: runtimeKeyVault
  // Deterministic name so redeployments update rather than duplicate the assignment.
  name: guid(runtimeIdentity.id, roles.KeyVault.KeyVaultSecretsUser, runtimeKeyVault.id)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roles.KeyVault.KeyVaultSecretsUser)
    principalId: runtimeIdentity.properties.principalId
    // Stating the principal type avoids PrincipalNotFound failures while the new identity
    // replicates through Azure AD.
    principalType: 'ServicePrincipal'
    description: '${runtimeIdentity.name} should be a KeyVaultSecretsUser on the ${runtimeKeyVault.id}'
    // NOTE(review): delegatedManagedIdentityResourceId is intended for cross-tenant managed
    // application deployments; confirm it is needed for a same-tenant deployment.
    delegatedManagedIdentityResourceId: runtimeIdentity.id
  }
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.7.4.23292",
"templateHash": "12308555932277230400"
}
},
"parameters": {
"secretValue": {
"type": "secureString",
"metadata": {
"description": "The secret"
}
},
"location": {
"type": "string"
}
},
"variables": {
"names": {
"identity": {
"setup": "uami-setup",
"runtime": "uami-runtime"
},
"runtimeKeyVault": {
"name": "[format('kvchgp{0}', uniqueString(resourceGroup().id))]",
"secretName": "somesecret"
}
},
"roles": {
"Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
"KeyVault": {
"KeyVaultSecretsOfficer": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
"KeyVaultSecretsUser": "4633458b-17de-408a-b874-0445c86b69e6"
}
}
},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"apiVersion": "2018-11-30",
"name": "[variables('names').identity.runtime]",
"location": "[parameters('location')]"
},
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2021-11-01-preview",
"name": "[variables('names').runtimeKeyVault.name]",
"location": "[parameters('location')]",
"properties": {
"sku": {
"family": "A",
"name": "standard"
},
"tenantId": "[subscription().tenantId]",
"enableRbacAuthorization": true,
"enableSoftDelete": false,
"networkAcls": {
"bypass": "AzureServices",
"defaultAction": "Allow"
}
}
},
{
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2021-11-01-preview",
"name": "[format('{0}/{1}', variables('names').runtimeKeyVault.name, variables('names').runtimeKeyVault.secretName)]",
"properties": {
"value": "[parameters('secretValue')]"
},
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', variables('names').runtimeKeyVault.name)]"
]
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-10-01-preview",
"scope": "[format('Microsoft.KeyVault/vaults/{0}', variables('names').runtimeKeyVault.name)]",
"name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('names').identity.runtime), variables('roles').KeyVault.KeyVaultSecretsUser, resourceId('Microsoft.KeyVault/vaults', variables('names').runtimeKeyVault.name))]",
"properties": {
"description": "[format('{0} should be a KeyVaultSecretsUser on the {1}', variables('names').identity.runtime, resourceId('Microsoft.KeyVault/vaults', variables('names').runtimeKeyVault.name))]",
"principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('names').identity.runtime)).principalId]",
"principalType": "ServicePrincipal",
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('roles').KeyVault.KeyVaultSecretsUser)]",
"delegatedManagedIdentityResourceId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('names').identity.runtime)]"
},
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('names').identity.runtime)]",
"[resourceId('Microsoft.KeyVault/vaults', variables('names').runtimeKeyVault.name)]"
]
}
]
}