
I want to create a roleAssignment in bicep using the principal ID of the service connection used in the ADO pipeline.
Since there is no self-method in bicep as in Terraform, I am trying to get the service principal ID of the ARM service connection in use. The only solution I found is the following task for the ADO pipeline:

- task: AzureCLI@2
  displayName: Retrieve principal ID of service connection
  continueOnError: false
  inputs:
    azureSubscription: $(armServiceConnectionName)
    scriptType: bash
    scriptLocation: inlineScript
    addSpnToEnvironment: true
    inlineScript: echo "##vso[task.setvariable variable=servicePrincipalId]$servicePrincipalId"

This returns the App ID of the service connection's service principal.

Is it possible to get the principal ID from this app ID?

I tried the following in bicep as documented here:

output armPrincipalId string = split(extensionResourceId(armConnectionPrincipalAppId, 'Microsoft.ManagedIdentity/userAssignedIdentities', armServiceConnectionName), '/')[8]

But this results in the following error:
DeploymentOutputEvaluationFailed: The template output 'armPrincipalId' is not valid: Unable to evaluate template language function 'extensionResourceId': the provided parent resource id '***' is not a valid uri

This obviously does not work because it needs a URI-shaped ID, which the bicep resources would generate. But I only have a UID.

giklo

1 Answer


I found a solution by extending the inlineScript of the ADO pipeline task:

- task: AzureCLI@2
  displayName: Retrieve principal ID of service connection
  continueOnError: false
  inputs:
    azureSubscription: $(armServiceConnectionName)
    scriptType: bash
    scriptLocation: inlineScript
    addSpnToEnvironment: true
    inlineScript: echo "##vso[task.setvariable variable=armConnectionPrincipalId]$(az ad sp show --id $servicePrincipalId --query id --out tsv)"

I now search for the principal ID using az ad sp show:
az ad sp show --id $servicePrincipalId --query id --out tsv

This is still a hacky solution. If there is any possibility to use the current user principal within bicep (without any additional ADO task), feel free to post another solution here.

giklo

Comment: Thanks for your sharing. After testing and referencing I found that your method is a good solution. I suppose that you could highlight your answer with this wiki [accepting an answer](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work/5235#5235) to benefit more developers. – Ceeno Qi-MSFT Dec 06 '22 at 05:18
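To close the loop on the answer above, here is an added example (not code from the original question or answer) of the Bicep side: a role assignment that consumes the value the AzureCLI@2 step stored in `armConnectionPrincipalId`. The storage account name, the choice of role (Storage Blob Data Reader) and the deployment command in the note below are assumptions made for illustration, not something the post specifies.

```bicep
// Added example, not from the original post. Grants the ADO service connection's
// service principal a resource-scoped, data-plane-only role.
// The storage account name and the chosen role are assumptions for illustration.

@description('Object ID (not the appId) of the service connection principal, as returned by "az ad sp show --id <appId> --query id".')
@minLength(36)
@maxLength(36)
param armConnectionPrincipalId string

@description('Name of an existing storage account in this resource group (assumed for the example).')
param storageAccountName string

// Storage Blob Data Reader: read-only on blob data, no control-plane rights.
// Built-in role definition IDs are subscription-scoped resource IDs.
var roleDefinitionId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')

resource storage 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
  name: storageAccountName
}

resource assignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Deterministic name: redeploying the same principal/role/scope is idempotent
  // instead of failing with RoleAssignmentExists under a random name.
  name: guid(storage.id, armConnectionPrincipalId, roleDefinitionId)
  // Scope to the resource, not the resource group or subscription.
  scope: storage
  properties: {
    principalId: armConnectionPrincipalId
    roleDefinitionId: roleDefinitionId
    // Declaring the type lets ARM skip the directory lookup that otherwise
    // fails with PrincipalNotFound when the principal is new or replication lags.
    principalType: 'ServicePrincipal'
  }
}

output roleAssignmentId string = assignment.id
```

In the pipeline this is deployed from a later step with the variable the earlier task set, for example `az deployment group create --resource-group <rg> --template-file main.bicep --parameters armConnectionPrincipalId=$(armConnectionPrincipalId) storageAccountName=<account>` (an assumed command; adapt to your layout). Two checks worth doing before relying on it: the `--query id` in the answer returns the object ID only on Azure CLI 2.37 and later, where `az ad` moved to Microsoft Graph; older CLIs expose it as `objectId`, so pin or verify the CLI version in the agent image. And because this template writes a role assignment, the service connection itself needs `Microsoft.Authorization/roleAssignments/write` on the scope (Owner or User Access Administrator), which is a strong permission to hold in a pipeline identity; keep the scope and the granted role as narrow as the workload allows.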