In bicep, I am configuring an Azure API Management policy that enables the managed service identity for a specific backend App Service.
This is typically done by setting an XML fragment like this:
    <policies>
      <inbound>
        <authentication-managed-identity resource="4d192d04-XXXX-461f-a6ab-XXXXXXXXXXXX" />
        <base />
      </inbound>
    </policies>
What I am now looking for is how to retrieve that specific resource id from the existing App Service, in my bicep template.
Some fragments from my existing bicep template below:
    // The App Service declaration
    @description('API Website')
    resource backendapi 'Microsoft.Web/sites@2021-03-01' = {
      name: 'backend-${environment}'
      kind: 'app,linux,container'
      location: location
      // left out properties, etc for brevity
    }

    // This is where I want to retrieve the client ID from that web app, but this fails:
    var managed_identity_id = backendapi.identity.principalId
When deploying the above template, I get the following exception (although the identity.principalId was indicated to be valid by the Visual Studio Code intellisense):
The language expression property 'identity' doesn't exist, available properties are 'apiVersion, location, tags, kind, properties, condition, deploymentResourceLineInfo, existing, isConditionTrue, subscriptionId, resourceGroupName, scope, resourceId, referenceApiVersion, isTemplateResource, isAction, provisioningOperation'
So my question is, how can I access the property from an App Service, in a bicep file. The property of which the value is shown in the following screenshot:
As explained in the comment section, you are looking for the web app auth settings: Microsoft.Web sites/config 'authsettingsV2' 2020-12-01
You could retrieve the clientId for AzureAD Auth like that:
    param webAppName string

    resource webApp 'Microsoft.Web/sites@2022-09-01' existing = {
      name: webAppName
    }

    resource authsettings 'Microsoft.Web/sites/config@2022-09-01' existing = {
      name: 'authsettingsV2'
      parent: webApp
    }

    var clientId = authsettings.properties.identityProviders.azureActiveDirectory.registration.clientId
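Added example, not part of the original question or answer: one way to feed the clientId read from authsettingsV2 into the API Management policy from the question, so the GUID is not hard-coded in the XML. The parameters apimServiceName and apiName, the symbolic names apim, api and apiPolicy, and the 2022-08-01 API version are assumptions chosen for illustration.

```bicep
// Added example; the parameter names below are assumptions, not from the original post.
param webAppName string
param apimServiceName string // hypothetical: existing API Management instance
param apiName string         // hypothetical: existing API that fronts the App Service

resource webApp 'Microsoft.Web/sites@2022-09-01' existing = {
  name: webAppName
}

// App Service Authentication settings of the backend
resource authsettings 'Microsoft.Web/sites/config@2022-09-01' existing = {
  name: 'authsettingsV2'
  parent: webApp
}

resource apim 'Microsoft.ApiManagement/service@2022-08-01' existing = {
  name: apimServiceName
}

resource api 'Microsoft.ApiManagement/service/apis@2022-08-01' existing = {
  name: apiName
  parent: apim
}

// Client ID of the Azure AD app registration that protects the backend.
// This is the value the policy's "resource" attribute expects.
var clientId = authsettings.properties.identityProviders.azureActiveDirectory.registration.clientId

// Multi-line strings do not interpolate, so format() fills in the client ID.
var policyXml = format('''
<policies>
  <inbound>
    <authentication-managed-identity resource="{0}" />
    <base />
  </inbound>
</policies>
''', clientId)

resource apiPolicy 'Microsoft.ApiManagement/service/apis/policies@2022-08-01' = {
  name: 'policy'
  parent: api
  properties: {
    format: 'rawxml'
    value: policyXml
  }
}
```

The authentication-managed-identity policy only works when the API Management instance itself has a managed identity enabled. Scoping the policy to the single API keeps the token from being attached to requests for unrelated backends.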