Referencing a Managed Service Identity in ARM-template deploy

When deploying a Microsoft.Web resource with the new MSI feature, the principalId GUID for the created identity is visible after deployment. The screenshot below shows the structure in the ARM template.

[screenshot of the ARM-template structure omitted]

What would be the best way to fetch this GUID later in the pipeline to be able to assign access rights in (for instance) Data Lake Store?

Is it possible to use any of the existing ARM template functions to do so?

asked Sep 18 '17 by soderstromOlov



2 Answers

I just struggled with this myself. The solution that worked for me was found deep in the comments here.

Essentially, you create a variable targeting the resource you are creating with the MSI support. Then you can use the variable to fetch the specific tenantId and principalId values. Not ideal, but it works. In my examples, I'm configuring Key Vault permissions for a Function App.

To create the variable, use the syntax below.

    "variables": {
        "identity_resource_id": "[concat(resourceId('Microsoft.Web/sites', variables('appName')), '/providers/Microsoft.ManagedIdentity/Identities/default')]"
    }

To get the actual values for the tenantId and principalId, reference them with the following syntax:

    {
        "tenantId": "[reference(variables('identity_resource_id'), '2015-08-31-PREVIEW').tenantId]",
        "objectId": "[reference(variables('identity_resource_id'), '2015-08-31-PREVIEW').principalId]"
    }

Hope this helps anyone who comes along with the same problem!

answered Sep 23 '22 by Sonoilmedico


Here are a few sample templates: https://github.com/rashidqureshi/MSI-Samples that show a) how to grant RBAC access to ARM resources b) how to create access policy for keyvault using the OID of the MSI

answered Sep 25 '22 by rashid