How to get the principal id of the current principal executing the azure bicep deployment? #9969

dazinator · 2023-03-01T11:09:19Z

dazinator
Mar 1, 2023

My bicep template makes use of deployment script resource

resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {

One of the properties you have to supply is an identity.

identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${userAssignedIdentityId}': {}
    }
  }

At the moment, in my bicep deployment itself I have to create this identity, so I can then assign it to the deployment script.

However I don't think this should be necessary. Given my bicep deployment is executing as an authenticated az identity, I am wondering how get access to the current principal executing the deployment so I can assign that identity and re-use it. Similar to how you can use subscription() to get hold of the current subscription info for example.

Is this possible?

jeskew · 2023-03-06T15:13:46Z

jeskew
Mar 6, 2023
Maintainer

There's no function to get the principal ID of the user executing the deployment (though it is planned).

For your specific use case, though, such a function wouldn't help. The identity property of a deployment script can only specify a user-assigned managed service identity, however, so even if you had the ID of the user executing the deployment, you wouldn't be able to use that in the identity property of the deploymentScripts resource. You could always omit the identity property and then log in within the script itself using Connect-AzAccount (for a powershell script) or az login (for a CLI script), passing login credentials to the script as secure environment variables. There's some more guidance on how/when to do this at https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template#configure-the-minimum-permissions

9 replies

dazinator Apr 17, 2023
Author

@brwilkinson
I have not used runCommands as part of any workaround as the deployment scripts I run are pre existence of any VM's. However I am happy that the question has been answered. I will mark as such, thank you.

brwilkinson Apr 17, 2023
Maintainer

Okay sure, thank you @dazinator

DeploymentScripts are a workaround/bandaid solution to solve the last mile problem or gaps in ARM native capabilities.

As we get more extension support in Bicep or as Resource Providers add native functionality, hopefully over time the need for using them diminishes. A deploymentScript should always be a last option, so if you can consider doing things another way where possible.

brwilkinson Apr 17, 2023
Maintainer

adding this link for interest as well:

Reference logged in account in bicep template #9092 (reply in thread)

LennDG Sep 6, 2023

Hi @brwilkinson,

Our use case is managing an App Registration with a Service Principal that is authenticated using a certificate. The certificate is available in a keyvault. We want to use az login in the deploymentScript but so far I have found no way of passing the certificate from the keyvault into the container.

Since this is a migration of existing Terraform IaC we are not opposed to rethinking our infrastructure somewhat. Would creating a Managed Identity with the same permissions be a way forward? I guess we will in every case still need to use deploymentScript to interact with Azure AD.

brwilkinson Sep 7, 2023
Maintainer

@LennDG you should switch out for a "User Assigned Managed Identity" Then you don't need a certificate or a secret.

dazinator · 2023-06-13T20:01:38Z

dazinator
Jun 13, 2023
Author

Just adding another case for where I wanted to do this.

When the bicep deployment runs, it creates a keyVault. The KeyVault uses access policies. I want it to create an access policy to give its own principal (object id) access to secrets.

3 replies

brwilkinson Jun 13, 2023
Maintainer

The only workaround is to use a deployment script at this time.

brwilkinson Jun 13, 2023
Maintainer

Also, given the service principal deploying needs some permission to deploy, to create the keyvault. You can move to RBAC model, which is recommended. Then assign access in the same process where the SP permissions were assigned. KV access can be assigned at any scope, including on RG.

dazinator Jan 31, 2025
Author

If I understand correctly this may not work for us because, our applications run in a docker container on an Azure VM, but due to the container, they don't have "managed identity" working. Therefore the applications access keyvault using KeyVault access policies not RBAC, so the keyvault needs to use access policies. I didnt think a single KeyVault could support both RBAC and Access Policies when I last checked - if it can then great but if it can't then it won't solve our issue because if we create one in RBAC mode, it won't support the applications that need to connect to it.

cataggar · 2024-03-13T23:48:59Z

cataggar
Mar 13, 2024

The workaround I just used was to get it from the Azure CLI and pass it in as a param. Here is a Nushell script:

let principalId = az rest --method GET --uri https://graph.microsoft.com/v1.0/me | from json | get id
az deployment group create -g mygroup -f my.bicep -p $"principalId=($principalId)"

0 replies

seesharprun · 2024-08-07T17:32:49Z

seesharprun
Aug 7, 2024

@jeskew, is there any update on when the "function to get the principal ID of the user executing the deployment" is planned?

My use case is that I write a lot of templates that deploy database or data services and I want my Bicep templates to have local keys disabled by default. In a perfect world, I could call a function in the Bicep template to get the metadata for the executing identity (human, managed, or etc.) and then assign the least permissive roles using RBAC.

Today, I have two workarounds:

Run an Azure CLI or Azure PowerShell script to get the current signed-in user and then pass that as a secure parameter to Bicep
Wrap the Bicep script in an Azure Developer CLI template. AZD passes in the current user as a parameter by default

These work for now, but this just adds complexity when all I really want is for someone to deploy a Bicep template as a one-liner and not need the prerequisite steps.

Thanks!

6 replies

Welasco Aug 15, 2024

I just had a use case where the ObjectID would be important as well.
The use case it's to create an Azure SQL and it requires SID (aka ObjectID) to set the default admin of a Server. It's a required value.

rdf6 Aug 20, 2024

+1 for including ObjectID. I need this for using Bicep to set permissions on storage accounts used by a Synapse workspace.

johndowns Aug 26, 2024

The object ID is also important for the scenario where you create an Entra group by using the new Graph extensibility, and then assign the current user to that group.

seesharprun Sep 5, 2024

@seesharprun we are planning on picking this up soon. An optimistic ETA would be the end of October - it requires implementing in the backend service, waiting for global rollout, and then implementing in Bicep.

To scope it down, we just plan to expose 2 properties - clientId and tenantId. Would that fit your goals?

Yes, that would work with Azure Developer CLI.

NanoBob Sep 30, 2024

I also encountered a use case for this, where we would need the object ID. Specifically for allowing the service principal that is running a deployment to be given permission to write to a blob storage container, for a later step in that same deployment.

levimatheri · 2025-01-02T22:39:54Z

levimatheri
Jan 2, 2025
Maintainer

You can now get the current deployment principal using the new deployer() function. Any feedback is welcome!

3 replies

traberc Jan 23, 2025

That'll work. I would also like to have the app/client id and display name. Some resources require object ids and some require client ids, so it would be nice to have both.

I want the display name to add to resource tags for the most recent deployer

levimatheri Jan 23, 2025
Maintainer

@traberc, Thank you for the feedback. As a follow-up, what is your particular use case for the app/client id? And regarding the display name, would the UPN be sufficient for your use case?

anthony-c-martin Jan 31, 2025
Maintainer

@dazinator have you seen this update? If it fits your needs, could you update the discussion to mark this as the answer? That way it'll be easier for other people to discover.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to get the principal id of the current principal executing the azure bicep deployment? #9969

{{title}}

Replies: 5 comments 21 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

How to get the principal id of the current principal executing the azure bicep deployment? #9969

Replies: 5 comments · 21 replies

jeskew Mar 6, 2023 Maintainer

dazinator Apr 17, 2023 Author

brwilkinson Apr 17, 2023 Maintainer

brwilkinson Apr 17, 2023 Maintainer

brwilkinson Sep 7, 2023 Maintainer

dazinator Jun 13, 2023 Author

brwilkinson Jun 13, 2023 Maintainer

brwilkinson Jun 13, 2023 Maintainer

dazinator Jan 31, 2025 Author

levimatheri Jan 2, 2025 Maintainer

levimatheri Jan 23, 2025 Maintainer

anthony-c-martin Jan 31, 2025 Maintainer

Replies: 5 comments 21 replies

jeskew
Mar 6, 2023
Maintainer

dazinator Apr 17, 2023
Author

brwilkinson Apr 17, 2023
Maintainer

brwilkinson Apr 17, 2023
Maintainer

brwilkinson Sep 7, 2023
Maintainer

dazinator
Jun 13, 2023
Author

brwilkinson Jun 13, 2023
Maintainer

brwilkinson Jun 13, 2023
Maintainer

dazinator Jan 31, 2025
Author

levimatheri
Jan 2, 2025
Maintainer

levimatheri Jan 23, 2025
Maintainer

anthony-c-martin Jan 31, 2025
Maintainer