Azure Web App + Storage Account with Managed Identity using Bicep

Today I needed to automate a standard scenario in Azure: connecting a Web App (App Service, in my case ASP.NET Core) to Azure Blob and Table Storage. Authentication is done through Managed Identities, so the Web App’s identity needs to be granted read/write access to the Storage Account using RBAC, and all of this should be automated in Bicep.

The noteworthy part is that you first need to find the ID of the built-in role you want to assign to the Web App. These IDs can be found here. To access both table and blob content you need to assign both the Storage Table Data Contributor and Storage Blob Data Contributor roles; if the app only ever reads, the corresponding Data Reader roles are the narrower (least-privilege) choice.

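@description('Azure region for all resources. Defaults to the location of the target resource group.')
param location string = resourceGroup().location

@description('Name of the Linux App Service plan.')
param appServicePlanName string

@description('SKU name of the App Service plan (for example B1).')
param appServicePlanSku string

@description('Name of the Web App; also becomes the prefix of its default hostname.')
param webAppName string

// Storage account names are globally unique and must be 3-24 characters of lowercase
// letters and digits; the length decorators fail fast at validation time instead of
// half-way through the deployment.
@description('Globally unique storage account name: 3-24 lowercase letters and digits.')
@minLength(3)
@maxLength(24)
param storageAccountName string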
// Linux App Service plan that hosts the Web App.
// For a Linux plan both 'kind: linux' and 'reserved: true' are needed.
resource appServicePlan 'Microsoft.Web/serverfarms@2020-06-01' = {
  name: appServicePlanName
  location: location
  sku: {
    name: appServicePlanSku
  }
  kind: 'linux'
  properties: {
    reserved: true // marks the plan as Linux
  }
}
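// Linux Web App with a system-assigned managed identity. The identity's principalId is what
// the role assignments below grant storage access to, so no storage keys or connection-string
// secrets need to be placed in app settings.
resource webApp 'Microsoft.Web/sites@2022-09-01' = {
  name: webAppName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: appServicePlan.id
    httpsOnly: true // redirect plain HTTP to HTTPS
    clientAffinityEnabled: false // no ARR affinity cookie
    siteConfig: {
      // NOTE(review): .NET 6 is past end of support; move to a supported LTS runtime.
      linuxFxVersion: 'DOTNETCORE|6.0'
      alwaysOn: true
      minTlsVersion: '1.2' // reject TLS 1.0/1.1 clients, matching the storage account setting
      ftpsState: 'Disabled' // no FTP/FTPS deployment endpoint; use zip deploy or CI/CD instead
    }
  }
}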
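// General-purpose v2 storage account that the Web App reads and writes via its managed identity.
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS' // locally redundant; choose Standard_ZRS/Standard_GRS if higher durability is needed
  }
  properties: {
    accessTier: 'Hot'
    // The app authenticates with its managed identity, so nothing in this account should be
    // reachable anonymously. 'true' would let individual containers be switched to public
    // (anonymous) read access.
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    // NOTE(review): once every client uses Azure AD auth, consider allowSharedKeyAccess: false
    // so a leaked account key or SAS token cannot be used; left unset here so tooling that
    // still relies on the account keys keeps working.
  }
}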
// Built-in role 'Storage Table Data Contributor', referenced by its well-known ID.
// Built-in role definitions are resolved at subscription scope, not inside the resource group.
resource storageTableDataContributorRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  name: '17d1049b-9a84-46fb-8f53-869881c3d3ab'
  scope: subscription()
}
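// Grants the Web App's managed identity read/write access to table data in the storage account.
// The assignment is scoped to the storage account only (not the whole resource group), and its
// name is a deterministic GUID so redeployments are idempotent instead of creating duplicates.
// If the app only reads tables, 'Storage Table Data Reader' is the narrower role to use here.
resource tableRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, webApp.id, storageTableDataContributorRoleDefinition.id)
  scope: storageAccount
  properties: {
    roleDefinitionId: storageTableDataContributorRoleDefinition.id
    principalId: webApp.identity.principalId
    // A freshly created managed identity may not have replicated in Azure AD by the time the
    // assignment is created; stating the principal type lets ARM skip the lookup that would
    // otherwise fail with PrincipalNotFound on a first deployment.
    principalType: 'ServicePrincipal'
  }
}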
// Built-in role 'Storage Blob Data Contributor', referenced by its well-known ID.
// Built-in role definitions are resolved at subscription scope, not inside the resource group.
resource storageBlobDataContributorRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  name: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
  scope: subscription()
}
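// Grants the Web App's managed identity read/write access to blob data in the storage account.
// Scoped to the storage account only; the deterministic GUID name keeps redeployments idempotent.
// If the app only reads blobs, 'Storage Blob Data Reader' is the narrower role to use here.
resource blobRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, webApp.id, storageBlobDataContributorRoleDefinition.id)
  scope: storageAccount
  properties: {
    roleDefinitionId: storageBlobDataContributorRoleDefinition.id
    principalId: webApp.identity.principalId
    // Declaring the principal type avoids the PrincipalNotFound failure that can occur when the
    // identity created a moment ago has not yet replicated in Azure AD.
    principalType: 'ServicePrincipal'
  }
}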