Saturday 4 September 2021

Role Assignment using User Assigned Identity in Bicep

We discussed setting up a user assigned identity and using it in App Services in the post "User Assigned Managed identity for Azure App Services with Bicep". The service principal Id of such a user assigned identity can be used in role based access control on other resources, such as an App Configuration service, so that the app service can read application configuration from it.

In addition to the Bicep modules used in the post "User Assigned Managed identity for Azure App Services with Bicep", we can use the module below to create an App Configuration service instance and assign a role to the user assigned identity. Note that the module takes the user assigned identity's service principal Id as input and uses it as the principal of the role assignment. Since we want to grant the App Configuration role 'App Configuration Data Reader', we use the GUID of that role. You can find the ids of built in Azure roles from here.

param appconfigName string
param appconfigSKUName string
param userAssignedManagedIdentityPrincipalId string
param location string
param subscriptionId string = subscription().subscriptionId

resource appconfig 'Microsoft.AppConfiguration/configurationStores@2021-03-01-preview' = {
  name: appconfigName
  location: location
  sku: {
    name: appconfigSKUName
  }
  properties: {
    // false keeps access-key authentication enabled alongside Azure AD;
    // set it to true if the managed identity should be the only way to read the store
    disableLocalAuth: false
    encryption: {}
  }
}

// Grants the user assigned identity 'App Configuration Data Reader' on this store only.
// Role assignment names must be GUIDs that are unique per scope, so the seed
// combines the store, the principal and the role.
resource appConfigRoleWebApp 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: guid(appconfig.id, userAssignedManagedIdentityPrincipalId, 'AppConfigurationDataReader')
  scope: appconfig
  properties: {
    principalId: userAssignedManagedIdentityPrincipalId
    principalType: 'ServicePrincipal'
    // built-in role id of 'App Configuration Data Reader'
    roleDefinitionId: '/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071'
  }
}

The user assigned identity module is shown below; it outputs the identity's resource id and its service principal id.

param userAssignedMangedIdentityName string
param location string

resource UserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: userAssignedMangedIdentityName
  location: location
}

output managedIdentityId string = UserAssignedIdentity.id
output managedIdentityServicePrincipalId string = UserAssignedIdentity.properties.principalId

The main Bicep file explained in "User Assigned Managed identity for Azure App Services with Bicep" is now extended with the App Configuration module and the role assignment for the user assigned identity, as below.

targetScope = 'subscription'
param rgName string = 'rg-chbicepdemo-001'
param rgLocation string = 'eastus'

param planName string = 'plan-bicepdemo-001'
param planSKUName string = 'B3'
param planSKUCapacity int = 1
param planKind string = 'linux'

param webappName string = 'app-bicepdemo-001'
param linuxFxVersion string = 'node|14-lts'

param appconfigName string = 'appcs-bicepdemo-001'
param appconfigSKUName string = 'Standard'

param userAssignedMangedIdentityName string = 'mysampleuserassignedid'

resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: rgName
  location: rgLocation
  tags: {
    tag: 'bicepdemo'
  }
}

module webappplan 'pricingplan.bicep' = {
  name: 'plan'
  scope: rg
  params: {
    location: rgLocation
    planKind: planKind
    planName: planName
    planSKUCapacity: planSKUCapacity
    planSKUName: planSKUName
  }
}

module webapp 'webapplinux.bicep' = {
  name: 'webapp'
  scope: rg
  params: {
    location: rgLocation
    linuxFxVersion: linuxFxVersion
    planId: webappplan.outputs.planId
    webappName: webappName
    // referencing the module output already makes this module depend on the identity module
    UserAssignedIdentity: userAssignedManagedIdentity.outputs.managedIdentityId
  }
}

module userAssignedManagedIdentity 'userassignedidentity.bicep' = {
  name: userAssignedMangedIdentityName
  scope: rg
  params: {
    location: rgLocation
    userAssignedMangedIdentityName: userAssignedMangedIdentityName
  }
}

// The app config module receives the identity's service principal id (not the identity
// resource id) because the role assignment is made against the principal.
module appconfig 'appconfig.bicep' = {
  name: 'appconfig'
  scope: rg
  params: {
    appconfigName: appconfigName
    appconfigSKUName: appconfigSKUName
    location: rgLocation
    userAssignedManagedIdentityPrincipalId: userAssignedManagedIdentity.outputs.managedIdentityServicePrincipalId
  }

  dependsOn: [
    webapp
  ]
}

Notice above that we supply the service principal Id of the user assigned identity to the App Configuration module. Even with multiple App Service apps, we can use the same user assigned identity for all of them, and a single role assignment in the App Configuration service grants them read access to application configuration. Once deployed, the role assignment appears as shown below in the App Configuration service, with the user assigned managed identity as the assignee.
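As an added check (example code, not from the post), the Python below can be run over the JSON from `az role assignment list --scope <store id> --include-inherited -o json` after deployment to confirm that the identity holds exactly 'App Configuration Data Reader' directly on the store and nothing broader. The subscription, store and identity ids and the Contributor role GUID in the embedded sample are constructed placeholders.

```python
import json

# Built-in role GUID the post uses for 'App Configuration Data Reader'.
APP_CONFIG_DATA_READER = "516239f1-63e1-4d78-a4de-a74fb236a071"

# Placeholder subscription, store and identity ids used only by the constructed sample.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
STORE_ID = (SUB + "/resourceGroups/rg-chbicepdemo-001/providers/"
            "Microsoft.AppConfiguration/configurationStores/appcs-bicepdemo-001")
IDENTITY = "11111111-1111-1111-1111-111111111111"

def _row(principal, ptype, role, role_name, scope):
    """Build one record in the shape of `az role assignment list` JSON output."""
    return {"principalId": principal, "principalType": ptype, "scope": scope,
            "roleDefinitionName": role_name,
            "roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{role}"}

# Constructed sample: the intended reader grant, a drifted subscription-wide Contributor
# grant (placeholder role GUID) and an unrelated user's assignment on the same store.
SAMPLE = json.dumps([
    _row(IDENTITY, "ServicePrincipal", APP_CONFIG_DATA_READER, "App Configuration Data Reader", STORE_ID),
    _row(IDENTITY, "ServicePrincipal", "aaaaaaaa-0000-0000-0000-000000000000", "Contributor", SUB),
    _row("22222222-2222-2222-2222-222222222222", "User", APP_CONFIG_DATA_READER, "App Configuration Data Reader", STORE_ID),
])

def role_guid(role_definition_id: str) -> str:
    """Return the role GUID at the end of a roleDefinitionId resource path."""
    return role_definition_id.rstrip("/").rsplit("/", 1)[-1].lower()

def covers(scope: str, store_id: str) -> bool:
    """True when an assignment at `scope` applies to the store (same scope or a parent scope)."""
    scope, store_id = scope.rstrip("/").lower(), store_id.lower()
    return store_id == scope or store_id.startswith(scope + "/")

def audit_store_access(assignments_json: str, store_id: str, principal_id: str) -> dict:
    """Check that the principal holds the Data Reader role directly on the store and nothing broader."""
    rows = [a for a in json.loads(assignments_json)
            if a["principalId"].lower() == principal_id.lower() and covers(a["scope"], store_id)]
    reader = [a for a in rows if role_guid(a["roleDefinitionId"]) == APP_CONFIG_DATA_READER]
    other = sorted(a["roleDefinitionName"] for a in rows if a not in reader)
    findings = [] if reader else ["missing App Configuration Data Reader on the store"]
    for a in reader:
        if a["principalType"] != "ServicePrincipal":
            findings.append(f"reader assignment has principalType {a['principalType']}")
        if a["scope"].lower() != store_id.lower():
            findings.append(f"reader role inherited from broader scope {a['scope']}")
    findings += [f"role beyond least privilege: {name}" for name in other]
    return {"data_reader": bool(reader), "other_roles": other, "findings": findings}
```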

