Monday 16 August 2021

User Assigned Managed identity for Azure App Services with Bicep

In the post "Role Assignment with Azure Bicep" we discussed how to set up a system assigned managed identity and use it to assign roles in Azure App Configuration. With system assigned identities, each web app and function app gets its own identity, so granting access to a service such as App Configuration means adding one role assignment per app, each binding that app's identity to the role needed to read configuration. If instead a single user assigned identity is attached to all of the app service apps, one role assignment on the target service is enough. The trade-off is that the apps then share one security principal: a compromise of any one of them yields that identity's full set of permissions, so only group apps that need the same access and sit at the same trust level. Let's walk through creating and assigning a user assigned identity step by step with Azure Bicep infrastructure as code.

A user assigned identity is defined in Bicep as below; the only inputs it needs are a name and a location. The identity's resource Id is what we attach to an app service app, while the principalId of its service principal is exposed as an output because that is the value a role assignment needs.

param userAssignedMangedIdentityName string
param location string
resource UserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: userAssignedMangedIdentityName
  location: location
}

output managedIdentityId string = UserAssignedIdentity.id
output managedIdentityServicePrincipalId string = UserAssignedIdentity.properties.principalId

The resource Id of the user assigned identity is passed into the web app module as the UserAssignedIdentity parameter and placed under identity.userAssignedIdentities, keyed by that Id. Unlike the post where we used a system assigned managed identity, the web app module exposes no service principal Id output of its own: there is no such value on the site, the principalId comes from the identity module instead. One consequence to keep in mind: because a site can carry more than one user assigned identity, application code requesting tokens has to say which identity to use (by its clientId), whereas a system assigned identity is picked up by default.

param webappName string
param planId string
param linuxFxVersion string
param location string
param UserAssignedIdentity string

resource webapplinux 'Microsoft.Web/sites@2018-11-01' = {
  name: webappName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${UserAssignedIdentity}': {}
    }
  }
  properties: {
    serverFarmId: planId
    siteConfig: {
      linuxFxVersion: linuxFxVersion
    }
  }
}

We need an app service plan module as well.

param planName string
param planSKUName string
param planSKUCapacity int
param planKind string
param location string

resource plan 'Microsoft.Web/serverfarms@2020-12-01' = {
  name: planName
  location: location
  sku: {
    name: planSKUName
    capacity: planSKUCapacity
  }
  kind: planKind
  properties: {
    reserved: true // required for a Linux plan
  }
}

output planId string = plan.id

Then in the main Bicep file we use the modules defined above to create an app service app that uses the user assigned identity.

targetScope='subscription'
param rgName string = 'rg-chbicepdemo-001'
param rgLocation string = 'eastus'

param planName string = 'plan-bicepdemo-001'
param planSKUName string = 'B3'
param planSKUCapacity int = 1
param planKind string = 'linux'

param webappName string = 'app-bicepdemo-001'
param linuxFxVersion string = 'node|14-lts'

param userAssignedMangedIdentityName string = 'mysampleuserassignedid'

resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: rgName
  location: rgLocation
  tags: {
    'tag': 'bicepdemo'
  }
}

module webappplan 'pricingplan.bicep' = {
  name: 'plan'
  scope: rg
  params: {
    location: rgLocation
    planKind: planKind
    planName: planName
    planSKUCapacity: planSKUCapacity
    planSKUName: planSKUName
  }
}

module webapp 'webapplinux.bicep' = {
  name: 'webapp'
  scope: rg
  params: {
    location: rgLocation
    linuxFxVersion: linuxFxVersion
    planId: webappplan.outputs.planId
    webappName: webappName
    UserAssignedIdentity: userAssignedManagedIdenity.outputs.managedIdentityId
  }
  // Referencing the identity module's output already makes Bicep deploy the
  // identity first; the explicit dependsOn below is redundant but harmless.
  dependsOn: [
    userAssignedManagedIdenity
  ]
}

module userAssignedManagedIdenity 'userassignedidentity.bicep' = {
  name: userAssignedMangedIdentityName
  scope: rg
  params: {
    location: rgLocation
    userAssignedMangedIdentityName: userAssignedMangedIdentityName
  }
}
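The reason the identity module exports managedIdentityServicePrincipalId is the single role assignment that replaces the per-app ones. The module below is an added example, not code from the original post: it assumes an App Configuration store that already exists and whose name is passed in as appConfigName, and it defaults the role to the built-in "App Configuration Data Reader" definition (verify the GUID in your tenant with az role definition list --name "App Configuration Data Reader"). The second part shows how main.bicep would wire the identity's principalId into it.

```bicep
// roleassignment.bicep (added example; resource group scoped module)
param appConfigName string
param principalId string
// Built-in "App Configuration Data Reader" role definition id (assumed here; verify
// with: az role definition list --name "App Configuration Data Reader" --query "[].name")
param roleDefinitionId string = '516239f1-63e1-4d78-a4de-a74fb236a071'

// Reference the existing store so the assignment can be scoped to it and nothing wider.
resource appConfig 'Microsoft.AppConfiguration/configurationStores@2020-06-01' existing = {
  name: appConfigName
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  // Role assignment names must be GUIDs and unique per scope; deriving the name from
  // scope, principal and role makes redeployments idempotent instead of failing.
  name: guid(appConfig.id, principalId, roleDefinitionId)
  scope: appConfig
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    principalId: principalId
    // Stating the principal type avoids PrincipalNotFound errors caused by directory
    // replication lag when the identity was created moments earlier in the same deployment.
    principalType: 'ServicePrincipal'
  }
}

// --- addition to main.bicep (targetScope = 'subscription') ---
// param appConfigName string = 'appcs-bicepdemo-001'   // assumed existing store name
//
// module appConfigReader 'roleassignment.bicep' = {
//   name: 'appconfig-reader-role'
//   scope: rg
//   params: {
//     appConfigName: appConfigName
//     principalId: userAssignedManagedIdenity.outputs.managedIdentityServicePrincipalId
//   }
// }
```

Adding a second or third web app to this identity then requires no change to the role assignment at all; only the webapp modules reference the identity Id. Keep the role as narrow as the apps need (a data reader role rather than owner) since every app attached to the identity inherits it.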

We can deploy the Bicep from a pipeline or with an Azure CLI command such as the one below (run here from PowerShell, but the command is the same in any shell):

az deployment sub create --name 'userassignedidsample' --location eastus --template-file main.bicep --parameters rgLocation='eastus'

Once the deployment completes you can see in the portal that the app service has the user assigned identity attached, or confirm it from the CLI with az webapp identity show --name app-bicepdemo-001 --resource-group rg-chbicepdemo-001, which lists the identity under userAssignedIdentities together with its principalId and clientId.
