Referencing a Managed Service Identity in ARM-template deploy


Problem description

When deploying a Microsoft.Web resource with the new MSI feature, the principalId GUID for the created user is visible after deployment. Screenshot below shows the structure in the ARM-template.

What would be the best way to fetch this GUID later in the pipeline to be able to assign access rights in (for instance) Data Lake Store?

Is it possible to use any of the existing ARM template functions to do so?

Recommended answer

I just struggled with this myself. The solution that worked for me was found deep in the comments here.

Essentially, you create a variable targeting the resource you are creating with the MSI support. Then you can use the variable to fetch the specific tenantId and principalId values. Not ideal, but it works. In my examples, I'm configuring Key Vault permissions for a Function App.

To create the variable, use the syntax below.

"variables": {
    "identity_resource_id": "[concat(resourceId('Microsoft.Web/sites', variables('appName')), '/providers/Microsoft.ManagedIdentity/Identities/default')]"
}

To get the actual values for the tenantId and principalId, reference them with the following syntax:

{
    "tenantId": "[reference(variables('identity_resource_id'), '2015-08-31-PREVIEW').tenantId]",
    "objectId": "[reference(variables('identity_resource_id'), '2015-08-31-PREVIEW').principalId]"
}

Hope this helps anyone who comes along with the same problem!
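
The two fragments from the answer above, assembled into one template that grants the site's identity read access to Key Vault secrets (an added example, not part of the original answer). The parameter names `siteName`, `planResourceId` and `keyVaultName`, the API versions `2016-08-01` and `2016-10-01`, and the secrets-only `get` permission are assumptions; the vault is assumed to already exist in the same resource group.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "siteName": { "type": "string", "metadata": { "description": "Assumed name: the Microsoft.Web site that gets the identity" } },
    "planResourceId": { "type": "string", "metadata": { "description": "Assumed name: resource ID of an existing App Service plan" } },
    "keyVaultName": { "type": "string", "metadata": { "description": "Assumed name: existing vault in the same resource group" } }
  },
  "variables": {
    "appName": "[parameters('siteName')]",
    "identity_resource_id": "[concat(resourceId('Microsoft.Web/sites', variables('appName')), '/providers/Microsoft.ManagedIdentity/Identities/default')]"
  },
  "resources": [
    {
      "comments": "Site with a system-assigned identity; this is what creates the principalId",
      "type": "Microsoft.Web/sites",
      "apiVersion": "2016-08-01",
      "name": "[variables('appName')]",
      "location": "[resourceGroup().location]",
      "identity": { "type": "SystemAssigned" },
      "properties": { "serverFarmId": "[parameters('planResourceId')]" }
    },
    {
      "comments": "Adds one access policy to the existing vault; permissions kept to secrets/get only",
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2016-10-01",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "dependsOn": [ "[resourceId('Microsoft.Web/sites', variables('appName'))]" ],
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[reference(variables('identity_resource_id'), '2015-08-31-PREVIEW').tenantId]",
            "objectId": "[reference(variables('identity_resource_id'), '2015-08-31-PREVIEW').principalId]",
            "permissions": { "secrets": [ "get" ] }
          }
        ]
      }
    }
  ]
}
```

The `dependsOn` entry orders the access policy after the site, so the identity exists by the time the policy resource is deployed.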
