获取二头肌模板中系统分配身份的applicationId/clientId

一个丑陋的解决方案，但它有效。为了简单起见，我用logicapp来代替你的site，本质上没有区别。

1. 创建一个

   user-assigned managed identity

   ，用于授予对部署脚本的访问权限。

2. 将

   Global Reader

   角色分配给

   user-assigned managed identity

3. 使用

   Get-AzADServicePrincipal -ObjectId $objectId

   从

   applicationId

   得到

   objectId

   ，然后输出。

param location string = resourceGroup().location
param logicappName string = 'xxlogicapptest'
param deploymentScriptUserIdentityName string = 'xx-user-assigned-managedIdentity'

resource logicapp 'Microsoft.Logic/workflows@2019-05-01' existing = {
  name: logicappName
}

@description('The user identity for the deployment script.')
resource scriptIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' existing = {
  name: deploymentScriptUserIdentityName
}

resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
  name: 'inlinePS'
  location: location
  kind: 'AzurePowerShell'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${scriptIdentity.id}':{}
    }
  }
  properties: {
    azPowerShellVersion: '10.0'
    arguments: '-objectId ${logicapp.identity.principalId}'
    scriptContent: '''
      param([string] $objectId)
      Write-Output "The argument is {0}." -f $objectId
      $output = "Hello {0}." -f $objectId
      $sp = Get-AzADServicePrincipal -ObjectId $objectId
      $appId = $sp.AppId

      $DeploymentScriptOutputs = @{}
      $DeploymentScriptOutputs['text'] = $appId
    '''
    cleanupPreference: 'OnExpiration'
    retentionInterval: 'PT1H'
  }
}

output objectId string = logicapp.identity.principalId
output appId string = deploymentScript.properties.outputs.text

部署脚本

我也尝试过Microsoft.Graph servicePrincipals，但是没有成功，因为

service principal bicep - existing