Reputation: 65
User-Assigned-Managed-Identity (UAMI) use with multiple ADF implementations across subscriptions and ARM template parameterization
I wonder if anyone has any experience on how to handle the User-Assigned-Managed-Identity (UAMI) use with the CICD pipelines in Azure DevOps when the UAMI are not the same across environments?
Consider this, if one has Dev, Test and Prod subscriptions then each ADF implementation can have its own Azure subscription and possibly different UAMI configured.
The ARM template generation/publication from the Dev ADF will generate/publish the ARM template but it will not parameterized the “credentials” part where UAMI are defined as far as I can tell in my environment since it appears to do only for the ‘linked services’.
So how do we build the CICD pipeline for ADF if using ADF published ARM templates from dev ADF as artifacts?
This is the snippet of the ARM template published by ADF;
"name": "[concat(parameters('factoryName'), '/cred_uami')]",
"type": "Microsoft.DataFactory/factories/credentials",
"apiVersion": "2018-06-01",
"properties": {
"type": "ManagedIdentity",
"typeProperties": {
"resourceId": "/subscriptions/<XXXXX-SUBID-XXXXX>/resourceGroups/<XXXX-RG-XXXX/providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXX-uami"
}
},
"dependsOn": []
}
]
}
Any tips are appreciated.
Upvotes: 0
Views: 1384
Answers (2)
Reputation: 11
I came across the same situation today and can confirm csaif7's solution still works. In my case, I have to replace the entire default "Microsoft.DataFactory/factories/credentials" JSON block by the one provided above.
Step 1 - Turn on the "Include global parameters in ARM template" option Include global parameters in ARM template
Step 2 - Update the global parameter JSON file
From
"Microsoft.DataFactory/factories/credentials" : {
"properties": {
"typeProperties": {
"token": "="
}
}
}
to
"Microsoft.DataFactory/factories/credentials" : {
"properties": {
"typeProperties": {
"resourceId": "="
}
}
}
Step 3 - Publish your ADF changes from adf_collaboration branch
Then, you need to go to your ADF studio and publish your changes then you can validate the parameterization by export the ARM template.
It took me a while to figure this out.
Upvotes: 1
Reputation: 65
In case someone else need this in future, the solution for me is to over write the default parameter file, the details for this are available at;
I used the ADF default parameter file and added the following code to it and then provdied the value as part of the CICD pipeline for each environment.
"Microsoft.DataFactory/factories/credentials" : {
"properties": {
"typeProperties": {
"resourceId": "="
}
}
}
Upvotes: 1
Related Questions
- how can I create user assigned identity and system assign identity with arm template on a app service
- Use managed identities in Azure DevOps build pipeline
- Parameterize Self hosted integration runtime in ADF ARM Template
- How to reference both System managed identity and user managed identity in ARM templates?
- Azure ARM Template, assign multiple roles to managed identity in Automation Account
- Referencing a Managed Service Identity in ARM-template deploy
- Adding cloninginfo property to arm template deployment slot resource breaks setting user defined managed identity on deployment slot
- How to deploy ARM template with user managed identity and assign a subscription level role?
- Using Azure AD MFA with MIM and on-premise apps
- Azure ARM template - derive Automation Account registration Url and Key at runtime