How to deploy user assigned managed identity?

DevanshAgarwal-0149 0 Reputation points
2024-07-15T10:49:17.96+00:00

I have a linked service (which is connected to Dataverse) in Azure Data Factory which is being authenticated by a user-assigned managed identity. I have created three UAMIs for three different environments - Dev, UAT and PROD. The names of the UAMIs are uamiDemoDev, uamiDemoUat and uamiDemoProd (all three are in different resource groups). On publishing, an ARM template is generated in which the names of all the UAMIs are used as strings instead of parameters. Due to this, on deploying to UAT, I get an error stating that uamiDemoDev is not found in the UAT resource group.

I tried to change the names into parameters (directly in the ARM template). On overriding the name parameter in the deployment yml, it worked perfectly fine and I was able to deploy it. However, on publishing, the parameters are reset in the ARM template.

I also tried to generate the custom parameters by editing the parameter configuration of the ARM template but somehow was unable to convert the name string (uamiDemoDev) into parameters.

I found similar questions at - https://learn.microsoft.com/en-us/answers/questions/1283105/user-assigned-managed-identity-with-credentials-ar - This question discussed an approach in which parameters would have to be added manually each time after publishing the data factory.

and https://learn.microsoft.com/en-us/answers/questions/904900/parameterization-of-user-assigned-managed-identity - I tried this approach but it didn't work and the ARM template generated still had the UAMI name and resourceId as a string instead of a parameter.

So, in both of these questions I was unable to find a solution to my issue. Can you please help me regarding this? Thank you!

Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.

1 answer

  1. Amira Bedhiafi 19,616 Reputation points
    2024-07-15T12:04:12.1566667+00:00

    One approach you could consider is using Global Parameters in Azure Data Factory. By referencing these in your linked services instead of hardcoded values, you may be able to resolve the issue. When publishing, these should be exported as parameters in the ARM template, potentially solving your problem.

    Another option is to implement a post-processing script that runs after the ARM template is generated. This script, which could be written in PowerShell or Python, would automatically replace the hardcoded UAMI names with parameters. You could integrate this script into your CI/CD pipeline to automate the process.

    You might also consider using linked templates. This involves creating a separate ARM template for your linked services with parameters for UAMI names, and then referencing this template in your main ADF ARM template. This approach allows you to manage the linked services separately and might provide more flexibility in handling environment-specific configurations.

    A potentially simpler solution could be to use dynamic linked services. Instead of creating separate linked services for each environment, you could create a single linked service that uses expressions to determine the correct UAMI at runtime. This approach leverages ADF system variables like @pipeline().globalParameters.Environment to switch between UAMIs dynamically.

    If you prefer to address this at the deployment level, you could use the ARM template deployment task in your Azure DevOps pipeline. This allows you to override the UAMI parameters during deployment. While this approach doesn't solve the ARM template issue directly, it provides a workaround for successful deployments across environments.

    I would recommend trying either the Global Parameters approach or the Dynamic Linked Services method first. These are native ADF features that should solve your problem without requiring external scripts or manual interventions. However, the best solution may depend on your specific setup and requirements.
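
A sketch of the post-processing script option mentioned in the answer, as an added example that is not code from the original thread or from Azure Data Factory: it swaps every exact occurrence of the hardcoded UAMI resource ID for an ARM parameter reference and reports any place the Dev identity name still appears, so the pipeline can fail before a Dev identity reference reaches UAT or PROD. The parameter name `uamiResourceId`, the sample template, and the subscription and resource group values are constructed assumptions.

```python
PARAM = "uamiResourceId"  # hypothetical parameter name, not generated by ADF
# Constructed sample input: placeholder subscription and resource group.
DEV_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev"
          "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uamiDemoDev")
SAMPLE = {
    "parameters": {"factoryName": {"type": "string"}},
    "resources": [
        {"type": "Microsoft.DataFactory/factories",
         "identity": {"type": "UserAssigned", "userAssignedIdentities": {DEV_ID: {}}}},
        {"type": "Microsoft.DataFactory/factories/credentials", "properties": {
            "type": "ManagedIdentity", "typeProperties": {"resourceId": DEV_ID.lower()}}},
        {"type": "Microsoft.DataFactory/factories/linkedservices",
         "properties": {"description": "authenticates with uamiDemoDev"}},
    ],
}

def parameterize_uami(template, hardcoded_id, param=PARAM):
    """Return a copy with every exact match of hardcoded_id turned into a parameter."""
    ref = f"[parameters('{param}')]"
    target = hardcoded_id.lower()  # Azure resource IDs are case-insensitive
    def swap(s):
        return ref if isinstance(s, str) and s.lower() == target else s
    def walk(node):
        if isinstance(node, dict):  # keys too: userAssignedIdentities is keyed by ID
            return {swap(k): walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return swap(node)
    out = walk(template)
    out.setdefault("parameters", {})[param] = {"type": "string"}
    return out

def leftover_references(template, uami_name):
    """Paths where the environment-specific name still appears; fail the build if any."""
    hits, needle = [], uami_name.lower()
    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                if needle in k.lower():
                    hits.append(f"{path}/{k} (key)")
                walk(v, f"{path}/{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}/{i}")
        elif isinstance(node, str) and needle in node.lower():
            hits.append(path)
    walk(template, "")
    return hits
```

In a pipeline, the rewritten template would be written back to disk and the deployment step would supply `uamiResourceId` per environment; a non-empty result from `leftover_references` is the signal to stop the release.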