ARM Template: Looking up a user object Id

I'm trying to programmatically insert the object Id of a certain user account into an ARM template, like this:

"objectId": "[reference(resourceId('Microsoft.AAD/domainServices/user/read','domain','User.Name'),'2019-01-01').Id]",

I've tried many different resource providers in an attempt to get this to work. For example:

"objectId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/read','[email protected]'),'2019-01-01').Id]",

and:

"objectId": "[reference(resourceId('Microsoft.Portal/usersettings/read','[email protected]'),'2018-10-01').Id]"

I looked up the API call used to get a list of users, to see if that would hint at the correct provider to use (it didn't):

GET https://graph.windows.net/{TenantId}/users?api-version=1.6 HTTP/1.1

I've been looking through this list of provider operations but have found two problems with this:

  1. I can't see an operation which looks relevant to what I want to do.
  2. It doesn't provide information on what parameters are required.

So I guess I have two questions really:

  1. How do I dynamically look up the ObjectId of a user in an ARM template?
  2. How do I find out in future which lookup functions are available and which parameters are required?
Dicky Moore asked Jun 04 '19 09:06


3 Answers

You cannot insert the user object Id in the ARM template.

The user account is managed by your Azure AD tenant; it is not an Azure resource, and the ARM template is for the Azure resources in your subscription.

Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview

Azure Resource Manager is the deployment and management service for Azure. It provides a consistent management layer that enables you to create, update, and delete resources in your Azure subscription.

Joy Wang answered Sep 28 '22 03:09


You can try the code below if you have a VM in the same template and have enabled managed identity:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions-resource#remarks-1

{
  "type": "Microsoft.KeyVault/vaults",
  "properties": {
    "tenantId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.tenantId]",
    "accessPolicies": [
      {
        "tenantId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.tenantId]",
        "objectId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.principalId]",
        "permissions": {
          "keys": [
            "all"
          ],
          "secrets": [
            "all"
          ]
        }
      }
    ]
  }
}
Amit Kumar answered Sep 28 '22 02:09


I find the best way to achieve this is to expose the ID as a parameter, then when you call the ARM template deployment, simply pass the parameter into the template.

How do you get the ID into the template parameter? Well, I run my ARM deployments via Azure DevOps CI/CD and I use the pipeline task AzureAppConfiguration.azure-app-configuration-task.custom-build-release-task.AzureAppConfiguration@1 to extract the ID from my own custom configuration setup.

How do you get the ID into the Azure App Configuration service? Well, when I seed an environment for the first time there will be some initial setup, e.g. users and groups. I just then run some scripts to extract this kind of "metadata" into my Azure App Configuration service.

e.g.

APP_ID=$(az ad sp list --all --query "[?displayName=='name-of-spn'].appId" --output tsv)

az appconfig kv set --name name-of-app-config-store --key name-of-spn-app-id --value ${APP_ID}

L Myring answered Sep 28 '22 03:09
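As an added example, not code from the answer above: a pipeline-side shell script that resolves the user's object ID with the Azure CLI, refuses an empty or malformed result, and renders it into an ARM parameters file, so the lookup happens at deployment time and never inside the template. It assumes Azure CLI 2.37 or later (Microsoft Graph based, so `az ad user show` returns the object ID in the `id` field) and the hypothetical names `user@contoso.com`, `my-rg` and `template.json`.

```shell
#!/usr/bin/env bash
# Resolve an Azure AD user's object ID outside the template and hand it in as a parameter.
# Assumes Azure CLI >= 2.37 (Microsoft Graph based): `az ad user show` returns `id`.
set -eu

GUID_RE='^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'

# Return 0 if $1 has the shape of an AAD object ID (a GUID), 1 otherwise.
is_guid() {
  printf '%s' "$1" | grep -Eq "$GUID_RE"
}

# Look up a user's object ID by UPN. A failed or empty lookup is an error,
# so a bad value never reaches the Key Vault access policy silently.
lookup_user_object_id() {
  local upn="$1" oid
  oid=$(az ad user show --id "$upn" --query id --output tsv)
  is_guid "$oid" || { echo "no valid object ID returned for $upn" >&2; return 1; }
  printf '%s' "$oid"
}

# Render an ARM parameters file carrying the object ID (validated again on entry).
render_parameters() {
  local oid="$1"
  is_guid "$oid" || return 1
  cat <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "objectId": { "value": "$oid" }
  }
}
EOF
}

# Usage with hypothetical names (needs an authenticated `az` session):
#   oid=$(lookup_user_object_id user@contoso.com)
#   render_parameters "$oid" > params.json
#   az deployment group create -g my-rg -f template.json -p @params.json
```

The template side declares a string parameter named objectId and uses [parameters('objectId')] where the access policy needs it, in place of the reference() lookups tried in the question.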