Reputation: 326
I'm trying to execute a script in my template using Microsoft.Resources/deploymentScripts, but I'm also trying to declare the user-assigned identity in the same template:
{
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
  "name": "scriptIdentity",
  "apiVersion": "2018-11-30",
  "location": "[resourceGroup().location]"
},
{
  "type": "Microsoft.Resources/deploymentScripts",
  "apiVersion": "2019-10-01-preview",
  "name": "updateAppServiceConfigMountPointScript",
  "dependsOn": [
    "[resourceId('Microsoft.Web/sites/config', parameters('appservice_name'), 'web')]",
    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptIdentity')]",
    "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('storageAccounts_name'), 'default')]"
  ],
  "location": "[resourceGroup().location]",
  "kind": "AzurePowerShell",
  "identity": {
    "type": "userAssigned",
    "userAssignedIdentities": {
      "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptIdentity'), '2019-08-01', 'full').identity.principalId]",
      "clientId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptIdentity'), '2019-08-01', 'full').identity.clientId]"
    }
  },
  "properties": {
    "environmentVariables": [
      {
        "name": "account_name",
        "value": "[parameters('storageAccounts_name')]"
      },
      {
        "name": "app_name",
        "value": "[parameters('appservice_name')]"
      },
      {
        "name": "resource_group_name",
        "value": "[resourceGroup().name]"
      }
    ],
    "scriptContent": "$access_key = ((az storage account keys list --account-name $account_name) | ConvertFrom-JSON).value[0]; az webapp config storage-account add --name \\\"$app_name\\\" --resource-group \\\"$resource_group_name\\\" --custom-id \\\"frontend\\\" --storage-type \\\"AzureBlob\\\" --account-name \\\"stelckstorageaccount\\\" --share-name \\\"frontend\\\" --mount-path \\\"/home/site/wwwroot/frontend\\\" --access-key \\\"$access_key\\\"",
    "timeout": "PT1M",
    "cleanupPreference": "OnSuccess"
  }
}
The template fails in this part:
"userAssignedIdentities": {
  "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptIdentity'), '2019-08-01', 'full').identity.principalId]",
  "clientId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptIdentity'), '2019-08-01', 'full').identity.clientId]"
}
With the following error:
Deployment template validation failed: 'The template resource 'updateAppServiceConfigMountPointScript' at line '930' and column '9' is not valid: The template function 'reference' is not expected at this location. Please see https://aka.ms/arm-template-expressions for usage details.. Please see https://aka.ms/arm-template-expressions for usage details.'. (Code: InvalidTemplate)
How can I reference the assigned identity in the deployment script without the reference function?
RELATED: 'Microsoft.Web/sites/config' azureStorageAccounts fails due to 500 InternalError
Upvotes: 3
Views: 6858
Reputation: 31
I had the same issue in a Bicep template, and struggled to figure out how to implement bmoore-msft's answer. While it's not an answer to the original question, I'll post it here in case others like me stumble across this page.
The trick was to use string interpolation to get the identity id on the left side of the colon.
identity: {
  type: 'UserAssigned'
  userAssignedIdentities: {
    '${scriptIdentity.id}': {}
  }
}
Upvotes: 3
Reputation: 8717
Use the resourceId of the identity, e.g.
"userAssignedIdentities": {
  "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptIdentity')]": {}
}
See https://github.com/Azure/azure-quickstart-templates/blob/master/201-deployment-script-ssh-key-gen/azuredeploy.json for a full sample.
Upvotes: 2
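As an added example (not code from the question or either answer), a small pre-deployment lint that catches the shape error the question hit: the `userAssignedIdentities` object must be keyed by the identity's resource ID with an empty object as the value, not by `principalId`/`clientId` holding `reference()` expressions. It also checks that an identity declared in the same template is listed in `dependsOn`, since `resourceId()` alone creates no implicit dependency. The two templates below are constructed from the fragments on this page.

```python
import re

# A valid key is either an ARM expression yielding the identity's resourceId, or a literal
# resource ID path. ARM compares these case-insensitively, hence IGNORECASE.
IDENTITY_KEY = re.compile(
    r"^\[resourceId\('Microsoft\.ManagedIdentity/userAssignedIdentities',.*\)\]$"
    r"|^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$",
    re.IGNORECASE,
)

def check_user_assigned_identities(template: dict) -> list:
    """Return (resource name, problem) tuples for every resource whose user-assigned
    identity block does not follow the '<identity resourceId>': {} shape."""
    findings = []
    for res in template.get("resources", []):
        identity = res.get("identity") or {}
        if identity.get("type", "").lower() != "userassigned":
            continue
        name = res.get("name", "<unnamed>")
        uai = identity.get("userAssignedIdentities")
        if not isinstance(uai, dict) or not uai:
            findings.append((name, "userAssignedIdentities must be a non-empty object"))
            continue
        for key, value in uai.items():
            if "reference(" in key or (isinstance(value, str) and "reference(" in value):
                findings.append((name, f"'{key}' uses reference(), which ARM rejects here"))
            elif not IDENTITY_KEY.match(key):
                findings.append((name, f"key '{key}' is not an identity resourceId"))
            elif value != {}:
                findings.append((name, f"value for '{key}' must be an empty object"))
            elif key.startswith("[") and key not in res.get("dependsOn", []):
                findings.append((name, f"identity {key} is missing from dependsOn"))
    return findings

UAI = "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptIdentity')]"
REF = "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptIdentity'), '2019-08-01', 'full').identity."

# Constructed: the failing shape from the question, and the corrected shape from the answer.
BROKEN = {"resources": [{"type": "Microsoft.Resources/deploymentScripts",
    "name": "updateAppServiceConfigMountPointScript", "dependsOn": [UAI],
    "identity": {"type": "userAssigned", "userAssignedIdentities": {
        "principalId": REF + "principalId]", "clientId": REF + "clientId]"}}}]}
FIXED = {"resources": [{"type": "Microsoft.Resources/deploymentScripts",
    "name": "updateAppServiceConfigMountPointScript", "dependsOn": [UAI],
    "identity": {"type": "userAssigned", "userAssignedIdentities": {UAI: {}}}}]}

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_user_assigned_identities(tpl))
```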