Referencing a Managed Service Identity in ARM-template deploy

半城伤御伤魂 提交于 2019-12-03 11:07:12

问题


When deploying a Microsoft.Web resource with the new MSI feature the principleId GUID for the created user is visible after deployment. Screenshot below shows the structure in the ARM-template.

What would be the best way to fetch this GUID later in the pipeline to be able to assign access rights in (for instance) Data Lake Store?

Is it possible to use any of the existing ARM template functions to do so?


回答1:


I just struggled with this myself. The solution that worked for me was found deep in the comments here.

Essentially, you create a variable targeting the resource you are creating with the MSI support. Then you can use the variable to fetch the specific tenantId and principalId values. Not ideal, but it works. In my examples, I'm configuring Key Vault permissions for a Function App.

To create the variable, use the syntax below.

"variables": {
    "identity_resource_id": "[concat(resourceId('Microsoft.Web/sites', variables('appName')), '/providers/Microsoft.ManagedIdentity/Identities/default')]"
}

To get the actual values for the tenantId and principalId, reference them with the following syntax:

{
    "tenantId": "[reference(variables('identity_resource_id'), '2015-08-31-PREVIEW').tenantId]",
    "objectId": "[reference(variables('identity_resource_id'), '2015-08-31-PREVIEW').principalId]"
}

Hope this helps anyone who comes along with the same problem!




回答2:


Here are a few sample templates: https://github.com/rashidqureshi/MSI-Samples that show a) how to grant RBAC access to ARM resources b) how to create access policy for keyvault using the OID of the MSI



来源:https://stackoverflow.com/questions/46278046/referencing-a-managed-service-identity-in-arm-template-deploy

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!