ARM Template: Looking up a user object Id

小鲜肉 2021-01-19 11:04

I'm trying to programmatically insert the object Id of a certain user account into an ARM template, like this:

\"objectId\": \"[reference(resourceId(\'Micros         


        
3 answers
  • 2021-01-19 11:21

    You can try the code below if you have a VM in the same template and managed identity enabled.

    https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions-resource#remarks-1

    {
      "type": "Microsoft.KeyVault/vaults",
      "properties": {
        "tenantId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.tenantId]",
        "accessPolicies": [
          {
            "tenantId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.tenantId]",
            "objectId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.principalId]",
            "permissions": {
              "keys": [
                "all"
              ],
              "secrets": [
                "all"
              ]
            }
          }
        ]
      }
    }

  • 2021-01-19 11:25

    You cannot insert the user object Id into the ARM template.

    The user account is managed by your Azure AD tenant; it is not an Azure resource, and the ARM template is for the Azure resources in your subscription.

    Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview

    Azure Resource Manager is the deployment and management service for Azure. It provides a consistent management layer that enables you to create, update, and delete resources in your Azure subscription.

  • 2021-01-19 11:40

    I find the best way to achieve this is to expose the ID as a parameter, then when you call the ARM template deployment, simply pass the parameter into the template.

    How do you get the ID into the template parameter? Well, I run my ARM deployments via Azure DevOps CI/CD and I use the pipeline task AzureAppConfiguration.azure-app-configuration-task.custom-build-release-task.AzureAppConfiguration@1 to extract the ID from my own custom configuration setup.

    How do you get the ID into the Azure App Configuration service? Well, when I seed an environment for the first time there will be some initial setup, e.g. users and groups. I just then run some scripts to extract this kind of "metadata" into my Azure App Configuration service.

    e.g.

    APP_ID=$(az ad sp list --all --query "[?displayName=='name-of-spn'].appId" --output tsv)

    az appconfig kv set --name name-of-app-config-store --key name-of-spn-app-id --value ${APP_ID}

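The parameter-based approach from the answer above, as an added example that is not from the thread: the object Id is resolved outside the template with the az CLI, validated as a GUID so that an empty or unexpected lookup result never lands in an access policy, and written to a parameters file for `az deployment group create`. It assumes a logged-in az CLI, a template `keyvault.json` that declares string parameters `objectId` and `tenantId`, and the resource-group and user names passed in as arguments (all placeholders).

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumes keyvault.json declares "objectId" and "tenantId" string parameters
# and that the access policy grants only the permissions the user needs.

# Accept only a GUID: an empty string (failed lookup) or any other stray value
# is rejected before it can reach the template's access policy.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Emit the contents of an ARM parameters file for the two template parameters.
# Returns 1 (and prints nothing) if either value is not a GUID.
build_params() {
  object_id="$1"
  tenant_id="$2"
  is_guid "$object_id" || return 1
  is_guid "$tenant_id" || return 1
  printf '{\n  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",\n  "contentVersion": "1.0.0.0",\n  "parameters": {\n    "objectId": { "value": "%s" },\n    "tenantId": { "value": "%s" }\n  }\n}\n' \
    "$object_id" "$tenant_id"
}

# Resolve the user's object Id and the current tenant, then deploy.
# Needs a logged-in az CLI; resource group and user principal name are arguments.
# (Older az versions expose the object Id as "objectId" instead of "id".)
deploy_with_user() {
  upn="$1"
  rg="$2"
  object_id=$(az ad user show --id "$upn" --query id --output tsv)
  tenant_id=$(az account show --query tenantId --output tsv)
  if ! build_params "$object_id" "$tenant_id" > params.json; then
    echo "lookup for $upn did not return a valid object Id" >&2
    return 1
  fi
  az deployment group create --resource-group "$rg" \
    --template-file keyvault.json --parameters @params.json
}
```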