0 votes

Can anyone help me find the client secret for a system assigned identity in an ARM template, or suggest an alternative approach?

I've got an ARM template which creates a Logic App with system assigned identity, and now I want to set up an API connection to trigger from Event Grid (without using the portal UI or a separate powershell command).

I can't figure out how to get the client secret for the system assigned identity. This would allow me to follow the answers in these previous questions:

Here's what I have so far:

"resources": [
    {
        "apiVersion": "2016-06-01",
        "type": "Microsoft.Logic/workflows",
        "name": "[variables('logicName')]",
        "location": "[resourceGroup().location]",
        "identity": {
            "type": "SystemAssigned"
        },
        "dependsOn": [
            "[variables('connections_azuretables_name')]"
        ],
        "properties": {
            "state": "Enabled",
            "definition": {
                <<SNIP>>
            }
        }
    },
    {
        "type": "Microsoft.Web/connections",
        "apiVersion": "2016-06-01",
        "name": "[variables('azureEventGridConnectionAPIName')]",
        "location": "[resourceGroup().location]",
        "properties": {
            "api": {
                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureeventgrid')]"
            },
            "parameterValues": {
                "token:clientId": "[reference(variables('logicName'), '2016-06-01', 'Full').identity.principalId]",
                "token:clientSecret": "########### STUCK HERE #################",
                "token:TenantId": "[reference(variables('logicName'), '2016-06-01', 'Full').identity.tenantId]",
                "token:grantType": "client_credentials"
            },
            "displayName": "[variables('azureEventGridConnectionAPIName')]"
        },
        "dependsOn": []
    }
],

2 Answers

0 votes

A managed identity has no client secret. It only has certificates, which you cannot access.

The template would have to execute within the logic app to get the access token, which I doubt it can do.

0 votes

For anyone wondering, it is pretty straightforward to create a Service Principal manually and then feed it into the ARM template:

> az ad sp create-for-rbac --name MyPrincipal

{
  "appId": "##############",
  "displayName": "MyPrincipal",
  "name": "http://MyPrincipal",
  "password": "##############",
  "tenant": "##############"
}

Now pass the appId (as clientId), password (as clientSecret) and tenant (as tenantId) into the parameterValues block in Microsoft.Web/connections. This will set up an Event Grid API connection for your logic app, but with implications for access policies and the overhead of identity management outside of the ARM template.

The actual solution I've used is to create a webhook event subscription on Event Grid and then set up my logic app to have a webhook trigger. This works just fine.

Here's a sample solution:

{
  "name": "[parameters('topicName')]",
  "type": "Microsoft.EventGrid/topics",
  "location": "[resourceGroup().location]",
  "apiVersion": "2018-01-01",
  "properties": { }
},
{
  "name": "[concat(parameters('topicName'), '/Microsoft.EventGrid/', variables('topicSubscriptionName'))]",
  "type": "Microsoft.EventGrid/topics/providers/eventSubscriptions",
  "location": "[resourceGroup().location]",
  "apiVersion": "2018-01-01",
  "properties": {
    "destination": {
      "endpointType": "WebHook",
      "properties": {
        "endpointUrl": "[listCallbackURL(resourceId('Microsoft.Logic/workflows/triggers', parameters('logicName'), 'WorkaroundWebhookTrigger'), '2016-06-01').value]"
      }
    },
    "filter": {
      "includedEventTypes": [
        "All"
      ]
    }
  },
  "dependsOn": [
    "[parameters('topicName')]",
    "[parameters('logicName')]"
  ]
},
{
  "apiVersion": "2016-06-01",
  "type": "Microsoft.Logic/workflows",
  "name": "[parameters('logicName')]",
  "location": "[resourceGroup().location]",
  "identity": {
    "type": "SystemAssigned"
  },
  "dependsOn": [],
  "properties": {
    "state": "Enabled",
    "definition": {
      "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "$connections": {
          "defaultValue": {},
          "type": "Object"
        }
      },
      "triggers": {
        "WorkaroundWebhookTrigger": {
          "type": "Request",
          "kind": "Http",
          "inputs": {
            "schema": {
              "properties": {
                "data": {
                  "properties": {
                    "lorem": {
                      "type": "integer"
                    },
                    "ipsum": {
                      "type": "string"
                    }
                  },
                  "type": "object"
                },
                "dataVersion": {
                  "type": "string"
                },
                "eventTime": {
                  "type": "string"
                },
                "eventType": {
                  "type": "string"
                },
                "id": {
                  "type": "string"
                },
                "metadataVersion": {
                  "type": "string"
                },
                "subject": {
                  "type": "string"
                },
                "topic": {
                  "type": "string"
                }
              },
              "type": "object"
            }
          }
        }
      },
<snip>
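What the webhook route above relies on is that the endpoint behind WorkaroundWebhookTrigger answers Event Grid's subscription-validation handshake (the eventSubscription resource fails to deploy otherwise) and then accepts notification batches; a Logic App Request trigger does both for you. The added Python example below is not code from the original post or from the answerer: it shows the two deliveries a webhook receiver must handle, using the event shape from the trigger schema in the answer, and adds the checks a practitioner would want (JSON array, required fields, topic sanity check). The function name handle_event_grid_request, the topic resource ID, the event IDs and the validation code are all constructed. Note that the callback URL's SAS signature is the endpoint's only credential, so treat that URL as a secret (which is why listCallbackURL is used inside the template rather than passed through outputs), and that the service-principal route in the same answer hands the template a long-lived password that has to be rotated and scoped separately (older versions of az ad sp create-for-rbac also assigned Contributor on the subscription by default).

```python
"""Event Grid webhook endpoint: the subscription-validation handshake plus basic event checks.

Added example, not code from the original post. A Logic App Request trigger performs
the handshake for you; this shows what that endpoint must do, using the event shape
from the answer's trigger schema. Sample topic ID, event IDs and codes are constructed.
"""
from __future__ import annotations

import json
from typing import Any, Mapping

EVENT_TYPE_HEADER = "aeg-event-type"  # Event Grid sets this on every delivery
VALIDATION_EVENT_TYPE = "Microsoft.EventGrid.SubscriptionValidationEvent"
# Fields the Request trigger's schema in the answer declares (metadataVersion left optional).
REQUIRED_FIELDS = ("id", "topic", "subject", "eventType", "eventTime", "data", "dataVersion")

# Constructed sample data (hypothetical subscription, resource group and topic names).
SAMPLE_TOPIC = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
                "/providers/Microsoft.EventGrid/topics/demo-topic")
SAMPLE_VALIDATION_CODE = "512d38b6-c7b8-40c8-89fe-f46f9e9622b6"
SAMPLE_VALIDATION_BODY = json.dumps([{
    "id": "2d1781af-3a4c-4d7c-bd0c-e34b19da4e66",
    "topic": SAMPLE_TOPIC,
    "subject": "",
    "data": {"validationCode": SAMPLE_VALIDATION_CODE},
    "eventType": VALIDATION_EVENT_TYPE,
    "eventTime": "2018-01-25T22:12:19.4556811Z",
    "metadataVersion": "1",
    "dataVersion": "2",
}]).encode()
SAMPLE_NOTIFICATION_BODY = json.dumps([{
    "id": "9f2c1b3e-1111-4c0a-9a7d-0d2a8f4e5b6c",
    "topic": SAMPLE_TOPIC,
    "subject": "orders/42",
    "data": {"lorem": 42, "ipsum": "hello"},  # matches the trigger schema's data block
    "eventType": "Demo.OrderCreated",
    "eventTime": "2018-01-25T22:13:00.0000000Z",
    "metadataVersion": "1",
    "dataVersion": "1.0",
}]).encode()


def _header(headers: Mapping[str, str], name: str) -> str | None:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def handle_event_grid_request(headers: Mapping[str, str], body: bytes,
                              expected_topic: str) -> tuple[int, dict[str, Any]]:
    """Process one webhook delivery; returns (http_status, json_response_body).

    Two kinds of delivery hit the same URL: the SubscriptionValidation handshake, sent once
    when the eventSubscription is created (the ARM deployment fails if it goes unanswered),
    and Notification batches of one or more events. Event Grid does not retry 400 or 403.
    """
    try:
        events = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not JSON"}
    if not isinstance(events, list):
        return 400, {"error": "Event Grid delivers a JSON array of events"}

    kind = _header(headers, EVENT_TYPE_HEADER)
    if kind == "SubscriptionValidation":
        for event in events:
            if event.get("eventType") == VALIDATION_EVENT_TYPE:
                code = event.get("data", {}).get("validationCode")
                if code:
                    # Echoing the code proves this endpoint is ours; the subscription then goes live.
                    return 200, {"validationResponse": code}
        return 400, {"error": "validation delivery without validationCode"}
    if kind != "Notification":
        return 400, {"error": f"unexpected {EVENT_TYPE_HEADER}: {kind!r}"}

    accepted = []
    for event in events:
        missing = [field for field in REQUIRED_FIELDS if field not in event]
        if missing:
            return 400, {"error": f"event missing fields {missing}"}
        # Sanity check, not authentication: whoever holds the callback URL (its SAS
        # signature is the only credential) can post anything here, so keep that URL secret.
        if str(event["topic"]).lower() != expected_topic.lower():
            return 403, {"error": "event from unexpected topic"}
        accepted.append(event["id"])
    return 200, {"accepted": accepted}


if __name__ == "__main__":
    print(handle_event_grid_request({"aeg-event-type": "SubscriptionValidation"},
                                    SAMPLE_VALIDATION_BODY, SAMPLE_TOPIC))
    print(handle_event_grid_request({"Aeg-Event-Type": "Notification"},
                                    SAMPLE_NOTIFICATION_BODY, SAMPLE_TOPIC))
    print(handle_event_grid_request({"aeg-event-type": "Notification"},
                                    SAMPLE_NOTIFICATION_BODY, SAMPLE_TOPIC + "-other"))
```

The topic comparison is deliberately a sanity check rather than an authorization decision: Event Grid stamps the topic field itself, but anyone who has the callback URL can post a forged array, so the real controls are keeping that URL out of template outputs and logs, and narrowing the trigger schema so unexpected payloads are rejected before the workflow runs.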