In my Azure Pipeline (YAML), I am deploying an ARM template to create a key vault (among other resources), then running a PowerShell script to generate a certificate and store it in the key vault. This gives me a Forbidden error. In Use secrets from Azure Key Vault in Azure Pipelines, Microsoft suggests that I need to create an access policy on the key vault for the pipeline service principal. When I do this, the script succeeds.
I would now like to create this access policy programmatically as part of the ARM template, but I don't know how to retrieve the object id for the pipeline service principal programmatically within the pipeline. Could someone please help?
Whilst Hugh Lin's answer is valid, I found it simpler to adapt Nick Graham's answer for granting key vault access to the pipeline service principal as part of the PowerShell script itself:
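The following is an added example, not the script from this answer or from Nick Graham's, showing the pattern the answer describes: resolve the pipeline service principal's object id from the Az context of an AzurePowerShell task and grant it a Key Vault access policy, with no hard-coded ids. It assumes the task runs under a service connection whose identity is a service principal, that the Az module is loaded, and that the vault uses the access-policy permission model; `$KeyVaultName` and `$ResourceGroupName` are placeholder parameters.

```powershell
# Added example (not the answer's own script): grant the pipeline's service principal
# a Key Vault access policy from inside an AzurePowerShell task.
# Assumptions: service-principal service connection, Az module available,
# vault created with the access-policy (not RBAC) permission model.
param(
    [Parameter(Mandatory = $true)] [string] $KeyVaultName,       # placeholder
    [Parameter(Mandatory = $true)] [string] $ResourceGroupName   # placeholder
)

$ErrorActionPreference = 'Stop'

# In an AzurePowerShell task the current Az context is the service connection's identity.
$context = Get-AzContext
if ($context.Account.Type -ne 'ServicePrincipal') {
    throw "Expected a service principal context, got '$($context.Account.Type)'."
}

# Account.Id is the application (client) id. An access policy needs the directory
# object id of the *service principal* (not of the app registration), so look it up.
$appId = $context.Account.Id
$sp = Get-AzADServicePrincipal -ApplicationId $appId
if (-not $sp) { throw "No service principal found for application id $appId" }
$objectId = $sp.Id
Write-Host "Pipeline service principal object id: $objectId"

# Least privilege: only the permissions the certificate-generation step needs.
# Note: Set-AzKeyVaultAccessPolicy replaces any existing entry for this object id.
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName `
    -ObjectId $objectId `
    -PermissionsToCertificates create, get, list `
    -PermissionsToSecrets get, list

# Expose the object id to later pipeline tasks (for example as an ARM template
# override parameter) using the Azure Pipelines logging command.
Write-Host "##vso[task.setvariable variable=pipelineSpObjectId]$objectId"

# Verify the policy actually landed before the certificate step runs.
$vault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $objectId }
if (-not $policy) { throw "Access policy for $objectId was not applied to $KeyVaultName" }
```

Two caveats worth checking in your own pipeline: `Set-AzKeyVaultAccessPolicy` validates the object id against the directory, so if the service connection's principal cannot read directory objects the call fails and `-BypassObjectIdValidation` is needed; and if the vault was created with the RBAC permission model, access policies are ignored and the equivalent step is a `New-AzRoleAssignment` (for example the Key Vault Certificates Officer role) scoped to the vault.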