pulumi-azure
Should be possible to GetKeyVault from different subscriptions.
Quite often, when your organization works with multiple subscriptions, some of the secrets are stored in key vaults owned and maintained by different teams in different subscriptions. At the same time, I would like to assign my resources Access policies to these key vaults from my pulumi stack. One particular use case we are currently working on:

- SSL certificates are stored in key vault `ssl-kv` in subscription `A`
- All my resources are provisioned to subscription `B`
- I provision API Management (APIM) with a system assigned managed identity
- I provision a User Assigned Managed Identity and assign it to Application Gateway (AGW)
- Both APIM and AGW are configured so that custom domains and HTTP listeners read SSL certificates from the `ssl-kv` key vault
- Both System and User Assigned Managed Identities need to be assigned a `secret get` access policy at `ssl-kv`

Our idea was to use `GetKeyVault`, but `GetKeyVault` can only get a key vault from the same subscription.

What we wish we could do is as follows:

```csharp
// Wished-for API: GetKeyVaultArgs does not currently accept a SubscriptionId
var keyVault = Output.Create(GetKeyVault.InvokeAsync(new GetKeyVaultArgs
{
    Name = "mykeyvault",
    ResourceGroupName = "some-resource-group",
    SubscriptionId = "SUBSCRIPTION-ID"
}));
var vaultId = keyVault.Apply(kv => kv.Id);
```
Hi @evgenyb
What you can do here is to create a new provider for the alternative subscription and make the key vault Get using the new provider:

https://www.pulumi.com/docs/reference/pkg/azure/provider/

You can pass a subscription ID to that provider and then you can do something like:

```csharp
// Provider scoped to the other subscription (fill in its subscription ID)
var newSubProvider = new Azure.Provider("prov-name", new Azure.ProviderArgs
{
    SubscriptionId = ""
});

// Data-source invokes take InvokeOptions (not CustomResourceOptions) to select the provider
var keyVault = Output.Create(GetKeyVault.InvokeAsync(new GetKeyVaultArgs
{
    Name = "mykeyvault",
    ResourceGroupName = "some-resource-group",
}, new InvokeOptions
{
    Provider = newSubProvider,
}));
```
Apologies for the formatting here - I've just tried to type C# in GitHub Mobile app but I think you can see what I am saying
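The following is an added example, not code from the thread or from pulumi-azure itself, that carries the answer above through to the reporter's use case: read `ssl-kv` from subscription A via an explicit provider, create the AGW identity in subscription B with the default provider, and grant that identity a secret `Get` policy on the vault. The subscription ID, resource group and resource names are placeholders, and both subscriptions are assumed to live in the same Azure AD tenant.

```csharp
// Added example, not from the issue thread. Subscription ID, resource group and
// identity names are placeholders; both subscriptions are assumed to share one tenant.
using Pulumi;
using Azure = Pulumi.Azure;

class CrossSubscriptionKeyVaultStack : Stack
{
    public CrossSubscriptionKeyVaultStack()
    {
        // Explicit provider for subscription A, where the shared ssl-kv lives.
        var subAProvider = new Azure.Provider("subscription-a", new Azure.ProviderArgs
        {
            SubscriptionId = "00000000-0000-0000-0000-0000000000aa", // placeholder
        });

        // Read the vault through the subscription-A provider; invokes take InvokeOptions.
        var sslKv = Output.Create(Azure.KeyVault.GetKeyVault.InvokeAsync(
            new Azure.KeyVault.GetKeyVaultArgs
            {
                Name = "ssl-kv",
                ResourceGroupName = "shared-certs-rg", // placeholder
            },
            new InvokeOptions { Provider = subAProvider }));

        // Everything below uses the default provider, i.e. subscription B.
        var rg = new Azure.Core.ResourceGroup("app-rg", new Azure.Core.ResourceGroupArgs
        {
            Location = "westeurope",
        });

        var agwIdentity = new Azure.Authorization.UserAssignedIdentity("agw-identity",
            new Azure.Authorization.UserAssignedIdentityArgs
            {
                ResourceGroupName = rg.Name,
                Location = rg.Location,
            });
        var clientConfig = Output.Create(Azure.Core.GetClientConfig.InvokeAsync());

        // The access policy belongs to the vault in subscription A, so it is created with
        // the subscription-A provider. Grant only secret Get: all a TLS listener needs.
        new Azure.KeyVault.AccessPolicy("agw-ssl-kv-get", new Azure.KeyVault.AccessPolicyArgs
        {
            KeyVaultId = sslKv.Apply(kv => kv.Id),
            TenantId = clientConfig.Apply(c => c.TenantId),
            ObjectId = agwIdentity.PrincipalId,
            SecretPermissions = { "Get" },
        }, new CustomResourceOptions { Provider = subAProvider });
    }
}
```

The identity used to run `pulumi up` needs rights in both subscriptions: read access to the vault's resource group in A and permission to manage access policies on the vault, plus contributor rights in B.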