28

When deploying a Microsoft.Web resource with the new MSI feature the principalId GUID for the created user is visible after deployment. Screenshot below shows the structure in the ARM-template.


What would be the best way to fetch this GUID later in the pipeline to be able to assign access rights in (for instance) Data Lake Store?

Is it possible to use any of the existing ARM template functions to do so?

soderstromOlov

3 Answers

62

I just struggled with this myself. The solution that worked for me was found deep in the comments here.

Essentially, you create a variable targeting the resource you are creating with the MSI support. Then you can use the variable to fetch the specific tenantId and principalId values. Not ideal, but it works. In my examples, I'm configuring Key Vault permissions for a Function App.

To create the variable, use the syntax below.

"variables": {
    "identity_resource_id": "[concat(resourceId('Microsoft.Web/sites', variables('appName')), '/providers/Microsoft.ManagedIdentity/Identities/default')]"
}

To get the actual values for the tenantId and principalId, reference them with the following syntax:

{
    "tenantId": "[reference(variables('identity_resource_id'), '2015-08-31-PREVIEW').tenantId]",
    "objectId": "[reference(variables('identity_resource_id'), '2015-08-31-PREVIEW').principalId]"
}

Hope this helps anyone who comes along with the same problem!

Sonoilmedico
  • Deserves more upvotes! Solved my issue after banging about with access policy updates :) – Mandar Jogalekar Apr 23 '18 at 10:39
  • Thanks! For completeness, if you don't want to use a variable, you can also use the following directly: `"tenantId": "[reference(concat('Microsoft.Web/sites/', parameters('webSiteName')), '2018-02-01', 'Full').identity.tenantId]",` – Jan_V Jul 24 '18 at 19:25
  • And even better with [resource id functions](https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions-resource#resourceid): `"[reference(resourceId('Microsoft.Web/sites', variables('appName')), parameters('apiVersion'), 'Full').identity.tenantId]"` – Nuno André Sep 27 '18 at 11:18
  • I used it like this: `"tenantId": "[subscription().tenantId]", "objectId": "[reference(concat('Microsoft.Web/sites/', variables('app_name_backend')), '2016-08-01', 'Full').identity.principalId]"` – martinoss Nov 20 '18 at 09:11
  • I would like to know why, when I try to use any of the above examples that include 'Full', I get an error saying that the 'reference' function only accepts between 1 and 2 parameters? – JTester Jun 02 '19 at 20:50
  • If you try with `Microsoft.Sql/servers`, the identity and principalId properties are not available. So, am I correct to guess that these properties are available depending on the resource you are trying to obtain the principalId from? – acarlstein Aug 12 '20 at 19:00
3

Here are a few sample templates: https://github.com/rashidqureshi/MSI-Samples that show (a) how to grant RBAC access to ARM resources and (b) how to create an access policy for Key Vault using the OID of the MSI.

rashid
  • I can't seem to make the `[reference(resource, apiversion, 'Full')]` (i.e. the 'Full') portion work; it appears to be invalid syntax? The ARM template gets rejected. What am I missing to use the overloaded 'Full' parameter? Can't find it in the ARM documentation either. – Rosstified Sep 18 '17 at 23:09
  • Did you ever find a solution to this? – JTester Jun 02 '19 at 20:51
2

There is a new way to get identity information. You can get it directly from resources that support Managed Identity for Azure resources (Managed Service Identity in the past).

{
  "tenantId": "[reference(resourceId('Microsoft.Web/sites', variables('serviceAppName')),'2019-08-01', 'full').identity.tenantId]",
  "objectId": "[reference(resourceId('Microsoft.Web/sites', variables('serviceAppName')),'2019-08-01', 'full').identity.principalId]"
}

You can also get the principalId of a resource in another resource group and/or subscription. resourceId supports optional parameters:

  "tenantId": "[reference(resourceId(variables('resourceGroup'), 'Microsoft.Web/sites', variables('serviceAppName')),'2019-08-01', 'full').identity.tenantId]",

or

"tenantId": "[reference(resourceId(variables('subscription'), variables('resourceGroup'), 'Microsoft.Web/sites', variables('serviceAppName')),'2019-08-01', 'full').identity.tenantId]",
zolty13
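Pulling the three answers together, the template below is an added, complete resource-group deployment written for this page; it is not code from the question, the answers, or Microsoft's samples, and the names `appName`, `keyVaultName`, the derived plan name and the choice of the built-in Reader role are illustrative assumptions. It creates a Function App with a system-assigned identity and then consumes `reference(..., 'Full').identity.principalId` twice: once for a Key Vault access policy and once for an RBAC role assignment, which is the same mechanism the question's Data Lake Store case would use. Two details matter in practice and are easy to miss when copying the one-liners above: every consumer lists the site in `dependsOn`, so the identity exists before `reference()` is evaluated, and the role assignment sets `principalType` to `ServicePrincipal`, which lets Resource Manager accept a principal created moments earlier instead of failing on directory replication delay. The access policy grants only `get` on secrets; widen it only when the app genuinely needs more. The storage account a Function App needs at run time is deliberately omitted to keep the example focused on the identity plumbing.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "comments": "Example template for this page (assumed names, not project code). Shows how to read the system-assigned identity's principalId during the same deployment and use it for a Key Vault access policy and an RBAC role assignment."
  },
  "parameters": {
    "appName": { "type": "string", "metadata": { "description": "Assumed Function App name" } },
    "keyVaultName": { "type": "string", "metadata": { "description": "Assumed Key Vault name" } },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "variables": {
    "planName": "[concat(parameters('appName'), '-plan')]",
    "siteId": "[resourceId('Microsoft.Web/sites', parameters('appName'))]",
    "readerRoleId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
    "roleAssignmentName": "[guid(resourceGroup().id, parameters('appName'), 'reader')]"
  },
  "resources": [
    {
      "comments": "Consumption plan for the Function App; SKU is an assumption.",
      "type": "Microsoft.Web/serverfarms",
      "apiVersion": "2019-08-01",
      "name": "[variables('planName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Y1", "tier": "Dynamic" }
    },
    {
      "comments": "The identity block is what makes .identity.principalId appear on the 'Full' reference.",
      "type": "Microsoft.Web/sites",
      "apiVersion": "2019-08-01",
      "name": "[parameters('appName')]",
      "location": "[parameters('location')]",
      "kind": "functionapp",
      "identity": { "type": "SystemAssigned" },
      "dependsOn": [ "[resourceId('Microsoft.Web/serverfarms', variables('planName'))]" ],
      "properties": {
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('planName'))]",
        "httpsOnly": true
      }
    },
    {
      "comments": "dependsOn the site so reference() runs after the identity exists. Least privilege: secrets/get only.",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "name": "[parameters('keyVaultName')]",
      "location": "[parameters('location')]",
      "dependsOn": [ "[variables('siteId')]" ],
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": { "family": "A", "name": "standard" },
        "accessPolicies": [
          {
            "tenantId": "[reference(variables('siteId'), '2019-08-01', 'Full').identity.tenantId]",
            "objectId": "[reference(variables('siteId'), '2019-08-01', 'Full').identity.principalId]",
            "permissions": { "secrets": [ "get" ] }
          }
        ]
      }
    },
    {
      "comments": "RBAC grant on the resource group scope. principalType=ServicePrincipal avoids PrincipalNotFound on a just-created identity. Reader is an assumed role choice.",
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[variables('roleAssignmentName')]",
      "dependsOn": [ "[variables('siteId')]" ],
      "properties": {
        "roleDefinitionId": "[variables('readerRoleId')]",
        "principalId": "[reference(variables('siteId'), '2019-08-01', 'Full').identity.principalId]",
        "principalType": "ServicePrincipal"
      }
    }
  ],
  "outputs": {
    "principalId": {
      "type": "string",
      "value": "[reference(variables('siteId'), '2019-08-01', 'Full').identity.principalId]"
    }
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file template.json --parameters appName=<name> keyVaultName=<name>`; the `principalId` output is the value to hand to any later pipeline step that needs the identity's object ID outside the template. If you need the identity from a resource in another resource group or subscription, swap `variables('siteId')` for the multi-argument `resourceId(...)` form shown in the last answer; the `'Full'` reference and the two caveats above stay the same.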