
Reference the deploying user's PrincipalId / Account Information

Open Gordonby opened this issue 3 years ago • 0 comments

I am deploying a new KeyVault and want to be able to create a key in the keyvault all in the same deployment. If I try to do this with just owner permission then I receive this error

[ForbiddenByRbac (Forbidden)] Caller is not authorized to perform action on resource.

My existing RBAC on the Resource Group is owner. If I grant myself Key Vault Crypto Officer on the resource group before deployment then it works great (however this isn't my use case).

In order to create the key in the same deployment as the vault, I need to assign myself as RBAC CryptoOfficer during the deployment, e.g.:

  1. Create KeyVault
  2. Assign myself Crypto Officer
  3. Wait for propagation
  4. Create key in vault

In order to do step 2, I need to pass in my user PrincipalId as a parameter to the bicep. It would be much cleaner if I could reference this within bicep itself, e.g.:

param kvPrincipalId string = deployment().initiator.PrincipalId

I would also need to be able to distinguish between users and service principals;

param kvPrincipalType string = deployment().initiator.type

Gordonby, Aug 08 '22 13:08
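The four-step workaround described in the issue (create vault, assign Crypto Officer, wait for propagation, create key), written out as an added Bicep example. This is not the issue author's code and not part of the Bicep project; because `deployment().initiator` does not exist, the deploying principal's object id and type are passed in as parameters, exactly the situation the issue wants to avoid. Parameter and resource names are assumptions; the role definition GUID is the built-in "Key Vault Crypto Officer" role, chosen because it is the least-privileged built-in role that can create keys (Owner grants control-plane rights only, which is why the data-plane call returns ForbiddenByRbac).

```bicep
// Added example (not from the issue): deploy a vault, grant the deployer
// Key Vault Crypto Officer on that vault only, wait for RBAC propagation,
// then create a key, all in one deployment. Names below are assumptions.

@description('Object id of the deploying user or service principal (must be supplied by the caller today).')
param deployerPrincipalId string

@description('Users and service principals need different principalType values on the role assignment.')
@allowed([ 'User', 'ServicePrincipal' ])
param deployerPrincipalType string = 'User'

param location string = resourceGroup().location
param vaultName string = 'kv${uniqueString(resourceGroup().id)}'

// Built-in role "Key Vault Crypto Officer": create/manage keys, nothing more.
var cryptoOfficerRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')

// 1. Create the vault using RBAC (not access policies) as the data-plane model.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: tenant().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
    enableSoftDelete: true
    enablePurgeProtection: true
  }
}

// 2. Scope the role to this vault, not the resource group; a deterministic
//    GUID name keeps repeated deployments idempotent.
resource cryptoOfficer 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, deployerPrincipalId, cryptoOfficerRoleId)
  scope: kv
  properties: {
    roleDefinitionId: cryptoOfficerRoleId
    principalId: deployerPrincipalId
    principalType: deployerPrincipalType
  }
}

// 3. dependsOn only orders the ARM calls; RBAC propagation is eventual, so a
//    short sleep in a deployment script is the usual stopgap. No identity is
//    attached because the script never calls Azure.
resource waitForRbac 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'wait-for-rbac-propagation'
  location: location
  kind: 'AzureCLI'
  dependsOn: [ cryptoOfficer ]
  properties: {
    azCliVersion: '2.52.0'
    scriptContent: 'sleep 60'
    retentionInterval: 'PT1H'
    cleanupPreference: 'OnSuccess'
  }
}

// 4. Create the key after the role assignment has had time to take effect.
resource signingKey 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: 'signing-key'
  dependsOn: [ waitForRbac ]
  properties: {
    kty: 'RSA'
    keySize: 2048
  }
}

output keyUri string = signingKey.properties.keyUri
```

Today the caller has to look up its own object id out of band and pass it in, for example with `az deployment group create -g <rg> -f main.bicep -p deployerPrincipalId=$(az ad signed-in-user show --query id -o tsv)`, and switch `deployerPrincipalType` to `ServicePrincipal` when the deployment runs under a pipeline identity; that lookup is what `deployment().initiator` would remove. The assignment is deliberately scoped to the vault rather than the resource group so the temporary privilege is as narrow as possible, and the sleep is a heuristic: if the key step still fails with ForbiddenByRbac, propagation simply took longer than the chosen wait.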