I'm trying to programatically insert the object Id of a certain user account into an ARM template, like this:
"objectId": "[reference(resourceId('Microsoft.AAD/domainServices/user/read','domain','User.Name'),'2019-01-01').Id]",
I've tried many different resource providers in an attempt to get this to work. For example:
"objectId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/read','user#domain.onmicrosoft.com'),'2019-01-01').Id]",
and:
"objectId": "[reference(resourceId('Microsoft.Portal/usersettings/read','user#domain.onmicrosoft.com'),'2018-10-01').Id]"
I looked up the API call used to get a list of users, to see if that would hint at the correct provider to use (it didn't):
GET https://graph.windows.net/{TenantId}/users?api-version=1.6 HTTP/1.1
I've been looking through this list of provider operations but have found two problems with this:
1 I can't see an operation which looks relevant to what I want to do.
2 It doesn't provide information on what parameters are required.
So I guess I have two questions really:
How do I dynamically look up the ObjectId of a user in an ARM template?
How do I find out in future which lookup functions are available and which parameters are required?
You could not insert the user object Id in the ARM template.
The user account is managed by your Azure AD tenant, it is not the azure resource, the ARM template is for the azure resources in your subscription.
Reference:https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview
Azure Resource Manager is the deployment and management service for Azure. It provides a consistent management layer that enables you to create, update, and delete resources in your Azure subscription.
You can try from below code if you have VM in same template and enabled managed identity
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions-resource#remarks-1
{
"type": "Microsoft.KeyVault/vaults",
"properties": {
"tenantId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.tenantId]",
"accessPolicies": [
{
"tenantId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.tenantId]",
"objectId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.principalId]",
"permissions": {
"keys": [
"all"
],
"secrets": [
"all"
]
}
}
]
I find the best way to achieve this is to expose the ID as a parameter, then when you call the ARM template deployment, simply pass the parameter into the template.
How do you get the ID into the template parameter? Well, I run my ARM deployments via Azure DevOps CI/CD and I use the pipeline task AzureAppConfiguration.azure-app-configuration-task.custom-build-release-task.AzureAppConfiguration#1 to extract the ID from my own custom configuration setup.
How do you get the ID into the Azure App Configuration service? Well, when I seed an environment for the first time there will be some initial setup, e.g. users and groups. I just then run some scripts to extract this kind of "metadata" into my Azure App Configuration service.
e.g.
APP_ID=$(az ad sp list --all --query "[?displayName=='name-of-spn'].appId" --output tsv)
az appconfig kv set --name name-of-app-config-store --key name-of-spn-app-id --value ${APP_ID}
I think I have solution.
I am tying to refer to a Client ID in a Managed User Identity generated by an ARM template.
I have declared the name of the Managed Identity as a Parameter to use as an administrator for an SQL server:
[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities',parameters('managed-identity')), '2018-11-30', 'full').properties.clientId]
Once you switch our the parameter you should be good to go.
Related
I am attempting to create Azure Resource Manager templates for several web sites that read secrets from a key vault. In reading How to use managed identities for App Service and Azure Functions, the documentation states that the web site ARM template should contain the following upon creation for authenticating with a key vault:
"identity": {
"type": "SystemAssigned"
}
Once the web site is created, the the identity section changes to the following:
"identity": {
"type": "SystemAssigned",
"tenantId": "<TENANTID>",
"principalId": "<PRINCIPALID>"
}
Does this mean that after running the ARM templates to create the web sites that I have to go back into the ARM template(s) and update the identity section for every site so that I can run the ARM templates to update the sites if need be?
no, you dont have to do that. that is expected. it will not delete that. just rerun it and nothing will change.
I have two resource group running in one subscription and inside the subscription I have two resource group for example: RG1 and RG2. RG1 contains a storage account whereas RG2 contains a web app.I have used an arm template to create the resources. Inside the app-settings in the RG2 web app,I have to manually pass the storage accounts' connection string from RG1. Is there any way to fetch the connection string dynamically using arm script,in this case?
Have you looked at using MSI authentication for your Web App. If you are deploying ARM add this to the Web App
"identity": {
"type": "SystemAssigned"
},
This will create a Managed Service Identity which will eliminage the need to even managed the connection string.
After the App has an MSI then in the Storage account grant the MSI an RBAC role to the storage account by looking up the associated Role ID
and configuring your ARM template to include the RBAC assignment.
Personally I tend to store my roles as json objects variables since the IDs are the same across all subscriptions. It makes them easier to assign to specific object or MSI IDs.
"Contributor": {
"RoleID": "[concat(variables('roleDefinition'), 'b24988ac-6180-42a0-ab88 20f7382dd24c')]",
"RoleName": "Contributor"
},
That way when doing the assignment it would look like:
{
"type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
"apiVersion": "2018-09-01-preview",
"name": "[concat(variables('storageName'), '/Microsoft.Authorization/', guid(uniqueString(variables('storageName'),variables('Reader').RoleName,parameters('principalId'))))]",
"dependsOn": [
"[variables('storageName')]"
],
"properties": {
"roleDefinitionId": "[variables('Contributor').RoleID]",
"principalId": "[reference(resourceId('Microsoft.Web/sites', variables('webSiteName')), '2018-02-01', 'Full').identity.principalId]"
}
}
You may need to tweak since the storage account and Web App are in different resource groups but hopefully this gets you started.
If you aren't comfortable with the MSI piece or unable to other options would be to store the secret for the connection in KeyVault and have your Web App call that to get the secret.
on this page:
https://learn.microsoft.com/en-us/azure/data-factory/v1/data-factory-usql-activity
there is a template for using Azure Datalake analytics in azure datafactory with service principal (instead of authorizing manually for each use).
the template looks like this:
{
"name": "AzureDataLakeAnalyticsLinkedService",
"properties": {
"type": "AzureDataLakeAnalytics",
"typeProperties": {
"accountName": "adftestaccount",
"dataLakeAnalyticsUri": "azuredatalakeanalytics.net",
"servicePrincipalId": "<service principal id>",
"servicePrincipalKey": "<service principal key>",
"tenant": "<tenant info, e.g. microsoft.onmicrosoft.com>",
"subscriptionId": "<optional, subscription id of ADLA>",
"resourceGroupName": "<optional, resource group name of ADLA>"
}
}
}
This template does not work in azure data factory, it insists that for the type
"AzureDataLakeAnalytics", it is not possible to have "serviceprincipalid" and it still requires "authorization" as a property.
my question is:
what is the correct json template for configuring a AzureDataLakeAnalyticsLinkedService with a serviceprincipal ?
Ok, sorry for asking a question that i figured out myself in the end.
While it is true that the azure portal complains about the template it does allow you deploy it. I had of course tried this, but since the azure portal does not show the error message, only an error flag, i did not realize the error was from the service principals lack of permission and not from the template it complained about.
So by adding more permissions to the service principal and deploying the json, disregarding the compiler complaints. It did work. Sorry for bothering.
I'm building an Azure Logic App and try to automate the creation of an Azure Redis Cache. There is a specific action for this (Create or update resource) which I was able to bring up:
As you can see I entered 2016-02-01 as the api version. I was trying different values here just guessing from other api versions I know from Microsoft. I can't find any resource on this on the internet. The result of this step will be:
{
"error":
{
"code": "InvalidResourceType",
"message": "The resource type could not be found in the namespace 'Microsoft.Cache' for api version '2016-02-01'."
}
}
What is the correct value for x-ms-api-version and where can I find the history for this value based on the resource provider?
Try
Resource Provider: Microsoft.Cache
Name: Redis/<yourrediscachename>
x-ms-api-version: 2017-02-01
One easy way to know the supported versions for each resource type is using CLI on your Azure Portal, e.g.
az provider show --namespace Microsoft.Cache --query "resourceTypes[?resourceType=='Redis'].apiVersions | [0]"
would return:
[
"2017-02-01",
"2016-04-01",
"2015-08-01",
"2015-03-01",
"2014-04-01-preview",
"2014-04-01"
]
I made it work with:
HTH
I'm looking for any examples of configuring Azure Batch using an Azure Resource Manager template. Googling yielded nothing, and the Azure QuickStart Templates do not yet have any Batch examples, however this SO question implies that it has been done.
What I would like to achieve is, via an ARM template, to create a Batch account and configure a pool (with a minimum number of compute nodes, auto expanding to a maximum number of nodes), and then set the resulting pool ID into my API server's appsettings resource.
I'm about to start reverse engineering it using the Azure Resource Explorer, but any pre-existing examples would be very much appreciated.
Update
So far I've managed to create the resource:
{
"name": "[variables('batchAccountName')]",
"type": "Microsoft.Batch/batchAccounts",
"location": "[resourceGroup().location]",
"apiVersion": "2015-07-01",
"dependsOn": [ ],
"tags": {
"displayName": "BatchInstance"
}
}
And to configure the account settings in the appsettings of my API server:
"BATCH_ACCOUNT_URL": "[concat('https://', reference(concat('Microsoft.Batch/batchAccounts/', variables('batchAccountName'))).accountEndpoint)]",
"BATCH_ACCOUNT_KEY": "[listKeys(resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName')), providers('Microsoft.Batch', 'batchAccounts').apiVersions[0]).primary]",
"BATCH_ACCOUNT_NAME": "[variables('batchAccountName')]"
I still haven't managed to create a pool and fetch the pool ID via ARM, mainly because the pool I created using Batch Explorer never showed up in either the Azure Portal or the Azure Resource Explorer. I'll update this if I find the solution.
Unfortunately we don't have a way today to create a pool using ARM templates. The Azure Portal should show the pools created under your account (even if you didn't created them using ARM).
This is supported, please see the reference docs here: https://learn.microsoft.com/azure/templates/microsoft.batch/2019-04-01/batchaccounts/pools