Create a new Azure environment

Question
-
We are using GitHub as our ARM repo and Jenkins to deploy the new environment.
Scenario:
- Create resource group.
- Create user-assigned managed identity. (It will be attached to two or more VMs via ARM.)
- Create storage account.
- Create a container on the storage account.
- Provide Read Role to the user-assigned managed identity on the resource group.
- Provide Storage account key operator service Role permission to the user-assigned managed identity on the newly created storage account.
- Provide Blob Data Reader Role to the user-assigned managed identity on the newly created container in the storage account.
- Create 2 Linux VMs and assign the user-assigned managed identity.
- Write the user-assigned managed identity properties (client-id, principal-id and …) to the root folder of the VM using an extension.
- Retrieve and write the storage account keys into a file under the root folder of the VM using an extension.
I cannot use the CLI on the VMs unless there is a way that does not use az login.
I can do it all using the Azure CLI, but it needs to be automated using an ARM template. If any of these cannot be done via the ARM template, is there any workaround?
Items 1 – 4 and 8 are easy to do, but items 5 – 6 and 9 – 10 are a bit challenging and I cannot find any way to work around them.
Could someone please help me get this off the ground?
Arash@C3
Answers
-
Here is the template where I have passed the name of the userAssignedIdentity to the template and retrieved the principalId.
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "Name of the user-assigned identity; its principal ID is looked up with reference()"
      }
    },
    "builtInRoleType": {
      "type": "string",
      "allowedValues": [ "Owner", "Contributor", "Reader" ],
      "metadata": { "description": "Built-in role to assign" }
    },
    "roleNameGuid": {
      "type": "string",
      "defaultValue": "[newGuid()]",
      "metadata": { "description": "A new GUID used to identify the role assignment" }
    }
  },
  "variables": {
    "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
    "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
    "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2018-09-01-preview",
      "name": "[parameters('roleNameGuid')]",
      "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[reference(concat('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('principalId')), '2018-11-30').principalId]"
      }
    }
  ]
}
And here is a link to an example where a user-assigned identity is created in ARM and the same is applied to a storage account.
Hope this helps!
- Edited by SwathiDhanwada-MSFT, Microsoft employee, Moderator, Wednesday, August 21, 2019 6:55 AM
- Proposed as answer by SwathiDhanwada-MSFT, Microsoft employee, Moderator, Wednesday, August 21, 2019 6:55 AM
- Marked as answer by ArashSafavi, Monday, August 26, 2019 12:51 AM
All replies
-
Here are some suggestions that might help you in achieving your request.
Here is the template for providing the read role to the user-assigned managed identity on the resource group. Pass the Object ID of the user-assigned managed identity as the principal ID.
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": { "description": "The principal to assign the role to" }
    },
    "builtInRoleType": {
      "type": "string",
      "allowedValues": [ "Owner", "Contributor", "Reader" ],
      "metadata": { "description": "Built-in role to assign" }
    },
    "roleNameGuid": {
      "type": "string",
      "defaultValue": "[newGuid()]",
      "metadata": { "description": "A new GUID used to identify the role assignment" }
    }
  },
  "variables": {
    "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
    "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
    "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2018-09-01-preview",
      "name": "[parameters('roleNameGuid')]",
      "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[parameters('principalId')]"
      }
    }
  ]
}
Here is the template to provide the Storage Account Key Operator Service Role permission to the user-assigned managed identity on the newly created storage account.
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": { "description": "The principal to assign the role to" }
    },
    "builtInRoleType": {
      "type": "string",
      "allowedValues": [ "Storage Account Key Operator Service Role" ],
      "metadata": { "description": "Built-in role to assign" }
    },
    "roleNameGuid": {
      "type": "string",
      "defaultValue": "[newGuid()]",
      "metadata": { "description": "A new GUID used to identify the role assignment" }
    },
    "storageAccountName": { "type": "string" }
  },
  "variables": {
    "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
      "apiVersion": "2017-05-01",
      "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(subscription().subscriptionId))]",
      "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[parameters('principalId')]"
      }
    }
  ]
}
For writing the user-assigned managed identity properties to the VM using an extension and retrieving the storage account keys into a file, you need to create a custom PowerShell script. For executing the PowerShell script on the VM as an extension, you use the Custom Script Extension for Windows. Here are the links to the documents that will help you in achieving this.
Custom Script Extension for Windows
Deploy virtual machine extensions with Azure Resource Manager templates
- Proposed as answer by SwathiDhanwada-MSFT, Microsoft employee, Moderator, Tuesday, August 20, 2019 6:41 AM
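The VMs in the question are Linux, so here is the same extension step for the Linux Custom Script Extension (an added example, not from this thread; the vmName, identityName and storageAccountName parameters are assumptions). It writes the identity's clientId and principalId and the first storage key to root-only files under /root without any CLI or az login on the VM, because the values are resolved by ARM with reference() and listKeys() at deployment time. It assumes the VM, identity and storage account already exist in the resource group, and that the deploying principal (Jenkins) is allowed to call listKeys on the account.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": { "comments": "Added example, not from the thread. Assumes the VM, the identity and the storage account already exist in this resource group." },
  "parameters": {
    "vmName": { "type": "string" },
    "identityName": { "type": "string", "defaultValue": "c3mi-01" },
    "storageAccountName": { "type": "string" }
  },
  "variables": {
    "identityId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]",
    "storageId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
  },
  "resources": [
    {
      "comments": "Linux Custom Script Extension v2. commandToExecute sits in protectedSettings so the key and ids are encrypted in transit and are not readable back from the VM model; umask 077 makes both files readable by root only.",
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "apiVersion": "2019-07-01",
      "name": "[concat(parameters('vmName'), '/writeIdentityAndKey')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "publisher": "Microsoft.Azure.Extensions",
        "type": "CustomScript",
        "typeHandlerVersion": "2.1",
        "autoUpgradeMinorVersion": true,
        "protectedSettings": {
          "commandToExecute": "[concat('umask 077; { echo AZURE_CLIENT_ID=', reference(variables('identityId'), '2018-11-30').clientId, '; echo AZURE_PRINCIPAL_ID=', reference(variables('identityId'), '2018-11-30').principalId, '; } > /root/identity.env; echo ''', listKeys(variables('storageId'), '2019-06-01').keys[0].value, ''' > /root/storage.key')]"
        }
      }
    }
  ]
}
```

The resulting command on the VM is `umask 077; { echo AZURE_CLIENT_ID=...; echo AZURE_PRINCIPAL_ID=...; } > /root/identity.env; echo '...' > /root/storage.key`; the same extension resource can be repeated once per VM name.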
-
Hi Swathi,
Many thanks for the proposed solution.
The problem is that I have to pass the Object ID of the user-assigned managed identity, which is generated by the same ARM template, to the templates that you provided as a variable, but it looks like I cannot retrieve the principal ID or the Object ID of the user-assigned identity within the ARM template.
I used:
"parameters": {
  "principalId": {
    "type": "string",
    "value": "[reference('Microsoft.ManagedIdentity/userAssignedIdentities/c3mi-01', '2018-11-03').principalId]",
    "metadata": {
      "description": "Principal ID to set the access for"
    }
  }
}
But it doesn't work.
Arash@C3
-
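The accepted answer resolves the principal ID with reference() inside a resource, which is the part of the template where that function is allowed (it is rejected in parameters and variables, which is why the attempt above failed). The following template, added here as an example and not taken from the thread, puts the whole chain in one deployment: it creates the identity (the name c3mi-01 is the one used above), then assigns Storage Account Key Operator on the storage account and Storage Blob Data Reader on the single container, using dependsOn so the identity exists before reference() is evaluated; the storageAccountName and containerName parameters are assumptions and the two resources are assumed to already exist in the resource group.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": { "comments": "Added example, not from the thread. Assumes the storage account and container named in the parameters already exist in this resource group." },
  "parameters": {
    "identityName": { "type": "string", "defaultValue": "c3mi-01" },
    "storageAccountName": { "type": "string" },
    "containerName": { "type": "string" }
  },
  "variables": {
    "identityId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]",
    "keyOperatorRole": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '81a9662b-bebf-436f-a333-f67b29880f12')]",
    "blobDataReaderRole": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "apiVersion": "2018-11-30",
      "name": "[parameters('identityName')]",
      "location": "[resourceGroup().location]"
    },
    {
      "comments": "Key Operator scoped to the storage account only, not the resource group. reference() is legal here because this is a resource property; dependsOn makes the identity exist first. The deterministic guid() name keeps redeploys idempotent instead of failing with a duplicate assignment as newGuid() would.",
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "scope": "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
      "name": "[guid(resourceGroup().id, parameters('identityName'), 'keyoperator')]",
      "dependsOn": [ "[variables('identityId')]" ],
      "properties": {
        "roleDefinitionId": "[variables('keyOperatorRole')]",
        "principalId": "[reference(variables('identityId'), '2018-11-30').principalId]",
        "principalType": "ServicePrincipal"
      }
    },
    {
      "comments": "Blob Data Reader scoped to the single container. principalType=ServicePrincipal avoids the PrincipalNotFound failure that a freshly created identity can hit before directory replication completes.",
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "scope": "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'), '/blobServices/default/containers/', parameters('containerName'))]",
      "name": "[guid(resourceGroup().id, parameters('identityName'), 'blobreader')]",
      "dependsOn": [ "[variables('identityId')]" ],
      "properties": {
        "roleDefinitionId": "[variables('blobDataReaderRole')]",
        "principalId": "[reference(variables('identityId'), '2018-11-30').principalId]",
        "principalType": "ServicePrincipal"
      }
    }
  ]
}
```

The resource-group Reader assignment from the earlier reply fits the same pattern by dropping the scope property and using the Reader definition ID already shown above.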
-