We have an Azure database sync group that from time to time needs to be kicked off by the application - as in, a user has done something that requires data to be synced from one database to another (most often adding a new user).
We have given the web applications (using Managed Service Identity) permissions to start this sync, by adding the machine's identity GUID to the proper SQL Server role - and this works.
We created deployment slots on our Staging and Prod servers afterwards - and while the root sites still work, the app when running in a deployment slot throws an exception saying that it does not have permissions to start the sync.
I cannot find any documentation to get the Object ID (an actual GUID) of the deployment slot, aka Bar - to add to this statement:
az role assignment create --role "SQL Server Contributor" --assignee-object-id "Bar" --resource-group Foo
EDIT: I haven't manually set identity on the slot, nor the root app - I just turned on MSI and was attempting to discover the identity. Honestly, were it to be able to be the same as the root app, that'd be fine.
I am acutely aware that SQL Server Contributor is a huge permission to give to a web server, but it seemed to be the least privilege I could give to the server that actually had permission to start a database sync.
Upvotes: 1
You have to enable managed identity on the slot. It creates a separate identity in AAD.
You can find it from under Enterprise applications in Azure Active Directory. Just make sure to set the filter to All applications.
Upvotes: 2
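The steps the answer describes, as an added example that is not part of either post: turn on the system-assigned identity for the slot, read back its object (principal) ID from the CLI rather than hunting for it in the portal, and feed that ID into the role assignment from the question. The app name, resource group, slot name and the output check are assumptions; the role name is the one the question uses.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumed names: web app "fooapp", resource group "Foo", slot "staging".
set -eu

APP="${APP:-fooapp}"
RG="${RG:-Foo}"
SLOT="${SLOT:-staging}"
ROLE="SQL Server Contributor"   # role named in the question

# is_guid: returns 0 when $1 has the shape of an AAD object ID.
# Passing a placeholder such as "Bar" (or a blank value from a failed
# lookup) to --assignee-object-id must be caught before any role is granted.
is_guid() {
  printf '%s' "$1" | grep -Eq \
    '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# enable_slot_identity: turns on the system-assigned managed identity for the
# slot. This is the step the answer says was missing; the slot does not
# inherit the production app's identity.
enable_slot_identity() {
  az webapp identity assign --name "$APP" --resource-group "$RG" --slot "$SLOT" >/dev/null
}

# slot_principal_id: prints the object ID of the slot's identity. This is the
# value the question could not locate; it is the same GUID shown under
# Enterprise applications in the portal.
slot_principal_id() {
  az webapp identity show --name "$APP" --resource-group "$RG" --slot "$SLOT" \
    --query principalId -o tsv
}

# assign_role: grants the role to a validated object ID on the resource group.
assign_role() {
  oid="$1"
  if ! is_guid "$oid"; then
    echo "refusing to assign role: '$oid' is not an object ID" >&2
    return 1
  fi
  az role assignment create --role "$ROLE" --assignee-object-id "$oid" \
    --resource-group "$RG" >/dev/null
  # Read the assignment back so a silent failure does not go unnoticed.
  az role assignment list --assignee "$oid" --resource-group "$RG" \
    --query "[?roleDefinitionName=='$ROLE'].principalId" -o tsv
}

main() {
  enable_slot_identity
  oid="$(slot_principal_id)"
  echo "slot identity object id: $oid"
  assign_role "$oid"
}

# Only talk to Azure when explicitly asked; the functions can be sourced otherwise.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as `./slot-identity.sh --apply` after `az login`. Note that swapping slots later does not move the identity along with the code: the identity belongs to the slot, so each slot that triggers the sync needs its own role assignment.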