Bicep is a declarative language for describing and deploying Azure resources

Unable to create Automation Account Runas Account using bicep #4612

Closed jobinjosem closed 3 years ago

jobinjosem commented 3 years ago

Is it possible to create an automation account runas account using bicep? I heard that in ARM this was not possible and wanted to check if this behavior has changed now.

Even though I did this from the portal, I did not find a way to assign the AUA service principal access on a Keyvault. How can I refer to the runas service account using bicep?

```bicep
// Tags to apply to the Automation Account (declared so the template compiles on its own)
param tags object = {}

resource acmeautomation 'Microsoft.Automation/automationAccounts@2020-01-13-preview' = {
  name: 'acme-aua'
  tags: tags
  location: resourceGroup().location
  properties: {
    publicNetworkAccess: true
    sku: {
      name: 'Free'
    }
  }
}
```

brwilkinson commented 3 years ago

A few things:

1) You can now use a Managed Identity to run your automation runbooks (this is in preview)

- User Assigned Managed Identity
    - https://docs.microsoft.com/en-us/azure/automation/add-user-assigned-identity#add-using-an-arm-template
- System Assigned Managed identity 
    - https://docs.microsoft.com/en-us/azure/automation/enable-managed-identity-for-automation#enable-using-an-arm-template 

By using that method you are in control of which RBAC permissions you assign to the identity, and the identity is a first-class Azure Resource Manager resource, so you can create it and assign role assignments to it with Bicep/ARM.

2) Secondary to those, there is a plan in place to enable Bicep Extensibility, which includes Azure AD integration. It will likely open up the capability to create runas account at that time.

I would recommend leveraging the 'User Assigned Managed Identity' as the best first choice here, which is available now.

If you did manually create the Run As account, then you can use a normal role assignment using the object ID of the SP. This should be under the managed application in Azure AD, listed as the Object ID.

e.g.

```powershell
# $ServicePrincipalName holds the display name of the Run As application created in the portal
Get-AzADServicePrincipal -DisplayName $ServicePrincipalName -OutVariable sp
$sp.Id    # <--- this is what you use as principalId in the Bicep role assignment, with whichever role id and scope you need.
```
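Putting the two points above together, here is an added example (written for this edit, not code from the issue thread or the Bicep project): an Automation Account that runs under a user-assigned managed identity, with that identity granted secret-read access on an existing Key Vault through a role assignment scoped to the vault only. The resource names, the vault parameter, the `runAsPrincipalId` parameter for the manually created Run As SP, and the choice of the built-in "Key Vault Secrets User" role are assumptions for illustration.

```bicep
// Added example, not from the issue thread. Assumed names: id-acme-aua, acme-aua,
// the keyVaultName parameter and the optional runAsPrincipalId parameter.

@description('Existing Key Vault (RBAC permission model) that the runbooks read secrets from')
param keyVaultName string

@description('Object ID of a manually created Run As service principal; leave empty when using only the managed identity')
param runAsPrincipalId string = ''

param location string = resourceGroup().location
param tags object = {}

// Built-in role "Key Vault Secrets User": data-plane read of secret values only,
// which is narrower than Contributor on the resource group.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'
var keyVaultSecretsUserRoleDefinitionId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)

// The identity is a first-class ARM resource, so it can be created and referenced in the same template.
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: 'id-acme-aua'
  location: location
  tags: tags
}

resource automation 'Microsoft.Automation/automationAccounts@2020-01-13-preview' = {
  name: 'acme-aua'
  location: location
  tags: tags
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${uami.id}': {}
    }
  }
  properties: {
    publicNetworkAccess: false
    sku: {
      name: 'Free'
    }
  }
}

// Reference the vault without redeploying it, so the role assignment can be scoped to it.
resource kv 'Microsoft.KeyVault/vaults@2021-10-01' existing = {
  name: keyVaultName
}

// Role assignment for the managed identity, scoped to the vault rather than the resource group.
// Deterministic guid() keeps redeployments idempotent; principalType avoids the
// "principal not found" race when the identity was created moments earlier.
resource kvSecretsUserForIdentity 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, uami.id, keyVaultSecretsUserRoleId)
  scope: kv
  properties: {
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: keyVaultSecretsUserRoleDefinitionId
  }
}

// Same assignment for a portal-created Run As SP, using the object ID obtained
// from Get-AzADServicePrincipal; only deployed when the parameter is supplied.
resource kvSecretsUserForRunAs 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!empty(runAsPrincipalId)) {
  name: guid(kv.id, runAsPrincipalId, keyVaultSecretsUserRoleId)
  scope: kv
  properties: {
    principalId: runAsPrincipalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: keyVaultSecretsUserRoleDefinitionId
  }
}

output automationIdentityPrincipalId string = uami.properties.principalId
```

Two things to check before relying on this: the vault must use the Azure RBAC permission model (`enableRbacAuthorization: true`), otherwise the role assignment is accepted but secret reads still fail until an access policy is added; and the deploying principal needs `Microsoft.Authorization/roleAssignments/write` (Owner or User Access Administrator) at the vault, which Contributor does not include.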
jobinjosem commented 3 years ago

Thanks for your help @brwilkinson