1
votes

I am using Deployment Script to run PowerShell with ARM. It needs a user-managed identity with the Contributor role. I have followed the steps in the link below, but it always gives the same error.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template?tabs=PowerShell

Invalid value for the identities '/subscriptions/<subID>/resourcegroups/<rgname>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test_manged_identity'. The 'UserAssignedIdentities' property keys should only be empty json objects, null or the resource exisiting property.

I have extracted the principalId and clientId with the command below.

<pre>
Get-AzUserAssignedIdentity -ResourceGroupName 'rGname'
</pre>

Below is the template:

<pre>
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "name": {
      "type": "string",
      "defaultValue": "'ds test'"
    },
    "utcValue": {
      "type": "string"
    },
    "subscriptionId": {
      "type": "string",
      "defaultValue": ""
    }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deploymentScripts",
      "apiVersion": "2019-10-01-preview",
      "identity": {
        "type": "userAssigned",
        "userAssignedIdentities": {
          "/subscriptions/subid/resourcegroups/rGname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test_manged_identity": {
            "ClientId": "value",
            "PrincipalId": "value"
          }
        }
      },
      "kind": "AzurePowerShell", // or "AzureCLI"
      "location": "[resourceGroup().location]",
      "name": "runPowerShellInlineWithOutput",
      "properties": {
        "containerSettings": {
          "containerGroupName": "deployscriptrun"
        },
        "storageAccountSettings": {
          "storageAccountName": "allscriptstorage",
          "storageAccountKey": "key"
        },
        "azPowerShellVersion": "3.0", // or "azCliVersion": "2.0.80"
        "environmentVariables": [
          {
            "name": "someSecret",
            "secureValue": "if this is really a secret, don't put it here... in plain text..."
          }
        ],
        "scriptContent" : "write-host 'hello world'",
        "supportingScriptUris": [],
        //"timeout": "PT30M",
        "cleanupPreference": "OnSuccess",
        "retentionInterval": "P1D"
      }
    }
  ],
  "outputs": {
  }
}

</pre>

With

<pre>
"userAssignedIdentities": {
    "/subscriptions/subid/resourcegroups/rGname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test_manged_identity": {}
}
</pre>

I get the error below:

<pre>
{
    "code": "DeploymentScriptOperationFailed",
    "message": "The client 'id' with object id 'id' does not have authorization to perform action 'Microsoft.Resources/subscriptions/providers/read' over scope '/subscriptions/id' or the scope is invalid. If access was recently granted, please refresh your credentials."
}
</pre>

1 Answer

3
votes

According to the linked article, it should look like this:

<pre>
"userAssignedIdentities": {
    "/subscriptions/subid/resourcegroups/rGname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test_manged_identity": {}
}
</pre>
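The two errors in the question are different failures: the first is the shape of the `userAssignedIdentities` block (values must be `{}` or null), the second is a role assignment that does not cover the subscription-level scope named in the message. The following added example (not from the question, the answer, or Microsoft's tooling) lints a template for the first problem and checks a list of role assignments for the second; the template text and the assignment list are constructed sample data in the shape `Get-AzRoleAssignment` would return.

```python
"""Added example: lint an ARM deploymentScripts identity block and check
role-assignment scope coverage. All inputs below are constructed."""
import json
import re

# Constructed template in the shape the answer recommends ({} as the value).
TEMPLATE_TEXT = r'''
{
  "resources": [
    {
      "type": "Microsoft.Resources/deploymentScripts", // ARM JSON allows comments
      "identity": {
        "type": "userAssigned",
        "userAssignedIdentities": {
          "/subscriptions/subid/resourcegroups/rGname/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test_manged_identity": {}
        }
      }
    }
  ]
}
'''
ID_RE = re.compile(r"^/subscriptions/[^/]+/resourcegroups/[^/]+/providers/"
                   r"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$", re.IGNORECASE)

def load_arm(text):
    """json.loads rejects //-comments, so drop them first (only when preceded by
    whitespace or line start, which leaves the // inside https:// URLs alone)."""
    return json.loads(re.sub(r"(^|\s)//[^\n]*", r"\1", text))

def identity_problems(template):
    """Return a list of problems for every deploymentScripts identity block."""
    problems = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Resources/deploymentScripts":
            continue
        ident = res.get("identity", {})
        if ident.get("type", "").lower() != "userassigned":
            problems.append("identity.type must be 'UserAssigned'")
        for key, value in ident.get("userAssignedIdentities", {}).items():
            if not ID_RE.match(key):
                problems.append(f"key is not a userAssignedIdentities resource id: {key}")
            if value not in ({}, None):  # the first error on the page
                problems.append(f"value for {key} must be {{}} or null, not {value!r}")
    return problems

def assignment_covers(assignments, principal_id, required_scope):
    """True if principal_id has an assignment at required_scope or a parent scope.
    A resource-group-scoped assignment does not cover a /subscriptions/<id> action."""
    req = required_scope.lower().rstrip("/")
    for a in assignments:
        scope = a["scope"].lower().rstrip("/")
        if a["principalId"] == principal_id and (req == scope or req.startswith(scope + "/")):
            return True
    return False
```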