Create a new Azure environment

  • Question

  • We are using github as our ARM repo and Jenkins to deploy the new environment.

    Scenario:

    1. Create resource group.
    2. Create user-assigned managed identity (it will be attached to two or more VMs via ARM).
    3. Create storage account.
    4. Create a container on the storage account.
    5. Provide Read Role to the user-assigned managed identity on the resource group.
    6. Provide Storage account key operator service Role permission to the user-assigned managed identity on the newly created storage account.
    7. Provide Blob Data Reader Role to the user-assigned managed identity on the newly created container in the storage account.
    8. Create 2 Linux VMs and assign the user-assigned managed identity.
    9. Write the user-assigned managed identity properties (client-id, principal-id and …) to the root folder of the VM using an extension.
    10. Retrieve and write the storage account keys into a file under the root folder of the VM using an extension.

    I cannot use the CLI on the VMs unless there is a way that does not use az login.

    I can do it all using Azure CLI, but it needs to be automated using an ARM template. If any of these cannot be done via the ARM template, is there any workaround?

    Items 1 – 4 and 8 are easy to do, but items 5 – 6 and 9 – 10 are a bit challenging and I cannot find any way to work around them.

    Could someone please help me to get this off the ground?


    Arash@C3

    Wednesday, August 14, 2019 6:36 AM

Answers

  • Here is the template where I have passed the name of the user-assigned identity to the template and retrieved the principalId.

    {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "identityName": {
          "type": "string",
          "metadata": {
            "description": "Name of the user-assigned managed identity in this resource group; its principalId is resolved with reference(), so the object ID never has to be passed in by hand"
          }
        },
        "builtInRoleType": {
          "type": "string",
          "allowedValues": [
            "Owner",
            "Contributor",
            "Reader"
          ],
          "metadata": {
            "description": "Built-in role to assign"
          }
        },
        "roleNameGuid": {
          "type": "string",
          "defaultValue": "[guid(resourceGroup().id, parameters('identityName'), parameters('builtInRoleType'))]",
          "metadata": {
            "description": "Deterministic GUID naming the role assignment, so redeploying the template is idempotent; newGuid() would try to create a second, conflicting assignment on every run"
          }
        }
      },
      "variables": {
        "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
        "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
      },
      "resources": [
        {
          "type": "Microsoft.Authorization/roleAssignments",
          "apiVersion": "2018-09-01-preview",
          "name": "[parameters('roleNameGuid')]",
          "properties": {
            "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
            "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')), '2018-11-30').principalId]",
            "principalType": "ServicePrincipal"
          }
        }
      ]
    }

    And also here is a link to an example where a user-assigned identity is created in ARM and the same has been applied to a storage account.

    Hope this helps!
    Wednesday, August 21, 2019 6:55 AM
    Moderator

All replies

  • Thanks for reaching out. We are looking into the issue. We will update you soon.
    Monday, August 19, 2019 5:19 AM
    Moderator
  • Thanks @swathi

    Can you please provide an update?


    Arash@C3

    Monday, August 19, 2019 11:24 PM
  • Here are some suggestions that might help you in achieving your request

    Here is the template for providing the Read role to the user-assigned managed identity on the resource group. Pass the Object ID of the user-assigned managed identity for the principal ID.

    {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "principalId": {
          "type": "string",
          "metadata": {
            "description": "The principal to assign the role to"
          }
        },
        "builtInRoleType": {
          "type": "string",
          "allowedValues": [
            "Owner",
            "Contributor",
            "Reader"
          ],
          "metadata": {
            "description": "Built-in role to assign"
          }
        },
        "roleNameGuid": {
          "type": "string",
          "defaultValue": "[guid(resourceGroup().id, parameters('principalId'), parameters('builtInRoleType'))]",
          "metadata": {
            "description": "Deterministic GUID naming the role assignment, so redeploying the template is idempotent; newGuid() would try to create a second, conflicting assignment on every run"
          }
        }
      },
      "variables": {
        "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
        "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
      },
      "resources": [
        {
          "type": "Microsoft.Authorization/roleAssignments",
          "apiVersion": "2018-09-01-preview",
          "name": "[parameters('roleNameGuid')]",
          "properties": {
            "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
            "principalId": "[parameters('principalId')]",
            "principalType": "ServicePrincipal"
          }
        }
      ]
    }

    Here is the template to provide Storage account key operator service Role permission to the user-assigned managed identity on the newly created storage account.

    {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "principalId": {
          "type": "string",
          "metadata": {
            "description": "The principal to assign the role to"
          }
        },
        "builtInRoleType": {
          "type": "string",
          "allowedValues": [
            "Storage Account Key Operator Service Role"
          ],
          "metadata": {
            "description": "Built-in role to assign"
          }
        },
        "roleNameGuid": {
          "type": "string",
          "defaultValue": "[guid(resourceGroup().id, parameters('storageAccountName'), parameters('principalId'), parameters('builtInRoleType'))]",
          "metadata": {
            "description": "Deterministic GUID naming the role assignment, so redeploying the template is idempotent; newGuid() would try to create a second, conflicting assignment on every run"
          }
        },
        "storageAccountName": { 
            "type": "string" 
        }
      },
      "variables": {
        "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]"
      },
      "resources": [
        {
          "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
          "apiVersion": "2018-09-01-preview",
          "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', parameters('roleNameGuid'))]",
          "properties": {
            "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
            "principalId": "[parameters('principalId')]",
            "principalType": "ServicePrincipal"
          }
        }
      ]
    }

    For writing the user-assigned managed identity properties to the VM using an extension and retrieving the storage account keys into a file, you need to create a custom PowerShell script. For executing the PowerShell script on the VM as an extension, you use the Custom Script Extension for Windows. Here are the links to the documents that will help you in achieving this.

    Custom Script Extension for Windows

    Deploy virtual machine extensions with Azure Resource Manager templates


    Hope this helps!



    Tuesday, August 20, 2019 6:41 AM
    Moderator
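The reply above only links the Windows docs, and the question's VMs are Linux. As an added example that is not code from the thread, the following POSIX shell script covers items 9 and 10 from the Custom Script Extension for Linux without any az login: it asks the VM's Instance Metadata Service (IMDS) for an access token issued to the user-assigned identity (selected by its client ID) and then calls the storage account's listKeys ARM action with that token, which is exactly what the Storage Account Key Operator Service Role from item 6 permits. The IMDS endpoint, its api-version, the listKeys URL and both JSON shapes are Azure's documented ones; the script name, the argument order, the OUT_DIR location and the file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread). Run by the Custom Script Extension for Linux as
#   sh fetch-keys.sh --run <clientId> <principalId> <subscriptionId> <resourceGroup> <storageAccount>
# The template fills the first two values from
#   reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', name), '2018-11-30').clientId / .principalId
# Assumption: the identity already holds "Storage Account Key Operator Service Role" on the account (item 6).
IMDS='http://169.254.169.254/metadata/identity/oauth2/token'
ARM='https://management.azure.com'
OUT_DIR="${OUT_DIR:-/root}"   # assumed destination; the question says "the root folder of the VM"

# Pull one top-level string field out of a flat JSON object (fresh images often lack jq).
json_field() {  # $1 = JSON text, $2 = field name
  printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Turn a listKeys response {"keys":[{"keyName":"key1","value":"..."},...]} into "key1=..." lines.
parse_keys() {  # $1 = JSON text
  printf '%s\n' "$1" | tr '{' '\n' \
    | sed -n 's/.*"keyName"[[:space:]]*:[[:space:]]*"\([^"]*\)".*"value"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1=\2/p'
}

# ARM URL for POST .../listKeys on a storage account (pure string work, testable offline).
list_keys_url() {  # $1 = subscription ID, $2 = resource group, $3 = storage account
  printf '%s/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/listKeys?api-version=2019-04-01' \
    "$ARM" "$1" "$2" "$3"
}

# ARM token from IMDS. client_id picks the user-assigned identity when the VM carries several.
# Any process on the VM can call this endpoint, so the token is only as private as the VM itself.
imds_token() {  # $1 = client ID of the user-assigned identity
  curl -sf -H 'Metadata: true' \
    "$IMDS?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F&client_id=$1"
}

main() {
  client_id=$1; principal_id=$2; sub=$3; rg=$4; sa=$5
  umask 077                                   # every file written below is created 0600
  tok_json=$(imds_token "$client_id") || { echo "IMDS token request failed" >&2; exit 1; }
  token=$(json_field "$tok_json" access_token)
  [ -n "$token" ] || { echo "no access_token in IMDS response" >&2; exit 1; }

  # Item 9: identity properties. client_id is echoed back by IMDS; principalId comes from the template.
  printf 'clientId=%s\nprincipalId=%s\n' "$(json_field "$tok_json" client_id)" "$principal_id" \
    > "$OUT_DIR/managed-identity.properties"

  # Item 10: storage account keys through the identity's RBAC right (listKeys is a POST action).
  keys_json=$(curl -sf -X POST -H "Authorization: Bearer $token" "$(list_keys_url "$sub" "$rg" "$sa")") \
    || { echo "listKeys failed: does the identity hold Storage Account Key Operator Service Role yet?" >&2; exit 1; }
  parse_keys "$keys_json" > "$OUT_DIR/$sa.keys"
}

if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

In the template, the extension resource must `dependsOn` the role assignment from item 6 as well as the VM, otherwise listKeys runs before the assignment exists; RBAC propagation can still lag by a minute or two, so a retry loop around the listKeys call is worth adding in Jenkins. Two caveats a reviewer would raise: storage account keys are full-access credentials that never expire, so once written to disk they outlive every RBAC decision made in the template, and the same IMDS call with `resource=https%3A%2F%2Fstorage.azure.com%2F` yields a bearer token that exercises the Blob Data Reader grant from item 7 directly, which usually makes writing the keys unnecessary. If the CLI is preferred after all, `az login --identity --username <client-id>` signs in through the same IMDS mechanism without any stored secret.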
  • Hi Swathi,

    Many thanks for the proposed solution.

    The problem is that I have to pass the Object ID of the user-assigned managed identity, which is generated by the same ARM template, to the templates that you provided as a variable, but it looks like I cannot retrieve the principal ID or the Object ID of the user-assigned identity within the ARM template.

    I used:

    "parameters": {
                  "principalId": {
                    "type": "string",
                    "value": "[reference('Microsoft.ManagedIdentity/userAssignedIdentities/c3mi-01', '2018-11-03').principalId]",
                    "metadata": {
                      "description": "Principal ID to set the access for"
                    }

    But it doesn't work.


    Arash@C3

    Wednesday, August 21, 2019 1:04 AM
  • Thank you very much,

    Works like a charm.


    Arash@C3

    Monday, August 26, 2019 12:51 AM