SafiJunaid

Reputation: 459

How to reference both System managed identity and user managed identity in ARM templates?

I wanted to know how to assign both a system managed identity and a user managed identity to a single VM in an ARM template.

For example, I have an ARM template with a user managed identity like below:

"identity":{
        "type":"UserAssigned",
        "userAssignedIdentities":{
           "[resourceId(variables('userAssignedIdentitySubscription'),variables('userAssignedIdentityResourceGroup'),'Microsoft.ManagedIdentity/userAssignedIdentities', variables('userAssignedIdentityName'))]":{
           }
        }
     },

If I want to use a system managed identity, should I add another dict in identity with the type as system managed identity? Like:

"identity":{
        "type":"UserAssigned",
        "userAssignedIdentities":{
           "[resourceId(variables('userAssignedIdentitySubscription'),variables('userAssignedIdentityResourceGroup'),'Microsoft.ManagedIdentity/userAssignedIdentities', variables('userAssignedIdentityName'))]":{
           }
        }
     },
    {
        "type":"SystemAssigned"
     }

Or is there another way to do it?

Upvotes: 0

Views: 2006

Answers (2)

hansss

Reputation: 521

I was looking to implement a user-managed instance in Bicep.

If you have previously created a user-managed instance resource, e.g.:

resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: managedIdentityName
  location: location
}

identity: {
    type: 'SystemAssigned, UserAssigned'
    userAssignedIdentities: {
      '${managedIdentity.id}': {}
    }
}

If you don't have that, you just need to fill in this line:

userAssignedIdentities: {
  '/subscriptions/<subscription-id>/resourceGroups/<resource-group-id>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<userMI-name>': {}
}

Also, use the provided functions to generate it if it gets hard to maintain: var resourceId = '${resourceGroup().id}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>'

<managed-identity-name> could be a parameter, variable or a hard-coded string

resourceGroup().id gives you /subscriptions/<subscription-id>/resourceGroups/<resource-group-id>/

Upvotes: 1

SafiJunaid

Reputation: 459

I found the answer. To use both a system managed identity and a user managed identity, below is the simple way:

"identity":{
    "type":"SystemAssigned, UserAssigned",
    "userAssignedIdentities":{
       "[resourceId(variables('userAssignedIdentitySubscription'),variables('userAssignedIdentityResourceGroup'),'Microsoft.ManagedIdentity/userAssignedIdentities', variables('userAssignedIdentityName'))]":{
       }
    }
 },

Easy tip to find ARM template related answers: I found the answer by manually creating a VM with both types of identities, then exporting the ARM template from the Azure portal :)

Upvotes: 3
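
A pre-deployment check for the identity shapes discussed in this thread, as an added example that is not part of either answer. It flags a second `"identity"` key (which a JSON parser would silently drop), an `identity` that is not a single object, and a `type` that disagrees with `userAssignedIdentities`. The function names, the `VALID_TYPES` list (the spellings from the VM resource schema) and the constructed `vm1` / `demo-uai` sample are assumptions of this example.

```python
import json

# Identity "type" spellings listed for Microsoft.Compute/virtualMachines.
VALID_TYPES = {"None", "SystemAssigned", "UserAssigned", "SystemAssigned, UserAssigned"}
UAI_MARKER = "/providers/microsoft.managedidentity/userassignedidentities/"

def _reject_duplicate_keys(pairs):
    # json.loads keeps only the last duplicate key, which would hide a second "identity".
    keys = [k for k, _ in pairs]
    dupes = sorted({k for k in keys if keys.count(k) > 1})
    if dupes:
        raise ValueError(f"duplicate keys in one object: {dupes}")
    return dict(pairs)

def check_identity(identity):
    """Return the problems found in one resource's "identity" value."""
    if not isinstance(identity, dict):
        return ['"identity" must be a single JSON object']
    problems = []
    id_type = identity.get("type")
    uai = identity.get("userAssignedIdentities")
    uai = uai if isinstance(uai, dict) else {}
    if id_type not in VALID_TYPES:
        problems.append(f"unsupported identity type: {id_type!r}")
    wants_user = isinstance(id_type, str) and "UserAssigned" in id_type
    if wants_user and not uai:
        problems.append("type includes UserAssigned but userAssignedIdentities is empty")
    if uai and not wants_user:
        problems.append("userAssignedIdentities is set but type omits UserAssigned")
    for key in uai:
        # Keys written as "[...]" are template expressions; only literal IDs are checked.
        if not key.startswith("[") and UAI_MARKER not in key.lower():
            problems.append(f"not a user-assigned identity resource ID: {key}")
    return problems

def lint_template(text):
    """Map each VM name in an ARM template string to its identity problems."""
    try:
        template = json.loads(text, object_pairs_hook=_reject_duplicate_keys)
    except ValueError as exc:  # also covers json.JSONDecodeError
        return {"<template>": [str(exc)]}
    return {res.get("name"): check_identity(res.get("identity", {"type": "None"}))
            for res in template.get("resources", [])
            if res.get("type") == "Microsoft.Compute/virtualMachines"}

# Constructed sample: one VM using the combined form from the answer above.
SAMPLE = """{"resources": [{"type": "Microsoft.Compute/virtualMachines", "name": "vm1",
  "identity": {"type": "SystemAssigned, UserAssigned", "userAssignedIdentities": {
    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'demo-uai')]": {}}}}]}"""
print(lint_template(SAMPLE))
```

Only the top-level `resources` array is inspected; nested deployments and `copy` loops are outside what this check covers.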
