We have discussed setting up a user assigned identity and using it in App Services in the post "User Assigned Managed identity for Azure App Services with Bicep". The service principal ID of such a user assigned identity can be given a role in role based access control (RBAC) on other resources, such as an App Configuration service, so that the app service can read application configuration from that store without holding any access keys.
In addition to the Bicep modules used in the post "User Assigned Managed identity for Azure App Services with Bicep", we can use the module below to create an App Configuration service instance and assign a role on it to the user assigned identity. Note that we take the user assigned identity's service principal ID as an input here and use it in the role assignment. Since we want to grant the App Configuration role 'App Configuration Data Reader', we use the GUID of that built-in role definition. You can find the IDs of the built-in Azure roles from here.
```bicep
param appconfigName string
param appconfigSKUName string
param userAssignedManagedIdentityPrincipalId string
param location string
param subscriptionId string = subscription().subscriptionId

resource appconfig 'Microsoft.AppConfiguration/configurationStores@2021-03-01-preview' = {
  name: appconfigName
  location: location
  sku: {
    name: appconfigSKUName
  }
  properties: {
    // false keeps the store's access keys enabled alongside Azure AD access
    disableLocalAuth: false
    encryption: {}
  }
}

// Grants the user assigned identity 'App Configuration Data Reader' on this store only
resource appConfigRoleWebApp 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  // role assignment names must be GUIDs, so derive one deterministically
  name: guid('SecretsUser', appconfigName)
  scope: appconfig
  properties: {
    principalId: userAssignedManagedIdentityPrincipalId
    principalType: 'ServicePrincipal'
    // 516239f1-... is the built-in 'App Configuration Data Reader' role definition
    roleDefinitionId: '/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071'
  }
}
```
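As an added example that is not part of the original post, the same module with two defensive changes: local (access key) authentication on the store is disabled so that only Azure AD identities holding an RBAC role can read configuration, and the role assignment GUID is seeded with the scope, principal and role so that a later deployment with a different principal or role does not collide with the existing assignment name (role assignments cannot be updated in place). Parameter names are the ones used above; `subscriptionResourceId()` replaces the hand-built role definition path.

```bicep
param appconfigName string
param appconfigSKUName string
param userAssignedManagedIdentityPrincipalId string
param location string

// Built-in 'App Configuration Data Reader' role, resolved in the current subscription
var appConfigDataReaderRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '516239f1-63e1-4d78-a4de-a74fb236a071')

resource appconfig 'Microsoft.AppConfiguration/configurationStores@2021-03-01-preview' = {
  name: appconfigName
  location: location
  sku: {
    name: appconfigSKUName
  }
  properties: {
    // true disables the store's access keys; data can then only be read or written
    // by Azure AD principals that hold an RBAC data-plane role such as the one below
    disableLocalAuth: true
    encryption: {}
  }
}

resource appConfigRoleWebApp 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  // scope + principal + role uniquely identify one assignment, so the name is
  // stable across redeployments yet distinct for any other principal or role
  name: guid(appconfig.id, userAssignedManagedIdentityPrincipalId, appConfigDataReaderRoleId)
  scope: appconfig
  properties: {
    principalId: userAssignedManagedIdentityPrincipalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: appConfigDataReaderRoleId
  }
}

// The app reads configuration from this endpoint using its managed identity
output appconfigEndpoint string = appconfig.properties.endpoint
```

With `disableLocalAuth` set to true, the app must connect using the user assigned identity (for example through the endpoint output above) because connection strings for the store no longer work.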
The user assigned identity module is as below; it exposes the identity's service principal ID as an output.
```bicep
param userAssignedMangedIdentityName string
param location string

resource UserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: userAssignedMangedIdentityName
  location: location
}

// resource ID is used to attach the identity to the web app
output managedIdentityId string = UserAssignedIdentity.id
// principal (object) ID is what role assignments reference
output managedIdentityServicePrincipalId string = UserAssignedIdentity.properties.principalId
```
The main Bicep file explained in "User Assigned Managed identity for Azure App Services with Bicep" now has the App Configuration service, together with the role assignment for the user assigned identity, added as below.
```bicep
targetScope = 'subscription'

param rgName string = 'rg-chbicepdemo-001'
param rgLocation string = 'eastus'
param planName string = 'plan-bicepdemo-001'
param planSKUName string = 'B3'
param planSKUCapacity int = 1
param planKind string = 'linux'
param webappName string = 'app-bicepdemo-001'
param linuxFxVersion string = 'node|14-lts'
param appconfigName string = 'appcs-bicepdemo-001'
param appconfigSKUName string = 'Standard'
param userAssignedMangedIdentityName string = 'mysampleuserassignedid'

resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: rgName
  location: rgLocation
  tags: {
    'tag': 'bicepdemo'
  }
}

module webappplan 'pricingplan.bicep' = {
  name: 'plan'
  scope: rg
  params: {
    location: rgLocation
    planKind: planKind
    planName: planName
    planSKUCapacity: planSKUCapacity
    planSKUName: planSKUName
  }
}

module webapp 'webapplinux.bicep' = {
  name: 'webapp'
  scope: rg
  params: {
    location: rgLocation
    linuxFxVersion: linuxFxVersion
    planId: webappplan.outputs.planId
    webappName: webappName
    // the identity resource ID is attached to the web app
    UserAssignedIdentity: userAssignedManagedIdenity.outputs.managedIdentityId
  }
  dependsOn: [
    userAssignedManagedIdenity
  ]
}

module userAssignedManagedIdenity 'userassignedidentity.bicep' = {
  name: userAssignedMangedIdentityName
  scope: rg
  params: {
    location: rgLocation
    userAssignedMangedIdentityName: userAssignedMangedIdentityName
  }
}

module appconfig 'appconfig.bicep' = {
  name: 'appconfig'
  scope: rg
  params: {
    appconfigName: appconfigName
    appconfigSKUName: appconfigSKUName
    location: rgLocation
    // the identity's principal ID is what the role assignment in the module uses
    userAssignedManagedIdentityPrincipalId: userAssignedManagedIdenity.outputs.managedIdentityServicePrincipalId
  }
  dependsOn: [
    webapp
  ]
}
```
You can notice above that we supply the service principal ID of the user assigned identity to the App Configuration service. Even with multiple app service apps, we can use the same user assigned identity for all of them and a single role assignment on the App Configuration service to allow reading the application configuration. Once deployed, the role assignment is created in the App Configuration service for the user assigned managed identity, as shown below.