What is the managed identity for Azure Blueprints?

Tim Heikell (Affirma Consulting LLC) 96 Reputation points Microsoft Vendor
2021-04-19T20:40:52.657+00:00

I'm trying to assign a Blueprint which creates a VMSS with a custom image. The custom image is in a shared image gallery in a different subscription so I need to use RBAC to allow access. I've created a role assignment in the shared image gallery which grants the Reader role to the Azure Blueprint enterprise application (object id: ffeb3a44-712a-4d2e-9b97-b1e032a40b29) but the assignment fails, saying that object id 'f2f4f713-d1b3-4507-ba31-dce20ec728b6' does not have permission to read from my shared image gallery.

I have been unable to determine which managed identity has the object id 'f2f4f713-d1b3-4507-ba31-dce20ec728b6'. What is the managed identity that is used by Azure Blueprint with the object id 'f2f4f713-d1b3-4507-ba31-dce20ec728b6'?


Accepted answer
  1. Tim Heikell (Affirma Consulting LLC) 96 Reputation points Microsoft Vendor
    2021-04-19T21:08:41.53+00:00

    I found the answer to my question. When an assignment is created a managed identity is created for the assignment. In my case 'f2f4f713-d1b3-4507-ba31-dce20ec728b6' is the object id for the managed identity that is associated with my assignment. I gave my assignment Reader access to the shared image gallery and my blueprint deployed successfully.

    It's a little odd, but to make this case work one must first create the assignment and expect it to fail. After it fails you can then give the assignment the Reader role to whatever resource it requires. Once that is done you can go back to the assignment and rerun it by selecting Update assignment and the assignment will no longer be blocked by not having access to the resource.
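The fix described in the accepted answer, as an added Azure CLI example that is not part of the original post: resolve the assignment's own system-assigned identity (the object id from the error, not the Azure Blueprints enterprise application), grant it Reader scoped to the gallery only, and verify the grant. The assignment, subscription, resource group and gallery names in the usage comment are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Requires the Azure CLI with the
# "blueprint" extension and a signed-in account with Owner/User Access
# Administrator on the gallery's subscription.
set -eu

# Object id (principalId) of the managed identity Azure Blueprints created for
# this assignment. This is the id that shows up in the "does not have
# permission" error; the Blueprints first-party app has a different object id.
assignment_principal_id() {
  # $1 = assignment name, $2 = subscription the assignment targets
  az blueprint assignment show --name "$1" --subscription "$2" \
     --query identity.principalId -o tsv
}

# Resource id of the Shared Image Gallery, used as the role-assignment scope.
# Scoping to the gallery rather than its subscription keeps the grant minimal.
gallery_scope() {
  # $1 = gallery subscription id, $2 = resource group, $3 = gallery name
  az sig show --subscription "$1" --resource-group "$2" --gallery-name "$3" \
     --query id -o tsv
}

# Grant Reader to the assignment identity at the gallery scope.
grant_reader() {
  # $1 = principal object id, $2 = scope; prints the role assignment id
  az role assignment create --assignee-object-id "$1" \
     --assignee-principal-type ServicePrincipal \
     --role Reader --scope "$2" --query id -o tsv
}

# Verification: role names the principal holds at this scope (expect "Reader").
roles_at_scope() {
  az role assignment list --assignee "$1" --scope "$2" \
     --query "[].roleDefinitionName" -o tsv
}

# Usage, after the first assignment attempt has failed as the answer describes
# (constructed placeholder names):
#   pid=$(assignment_principal_id vmss-blueprint-assign 00000000-0000-0000-0000-000000000000)
#   scope=$(gallery_scope 11111111-1111-1111-1111-111111111111 rg-images sig-shared)
#   grant_reader "$pid" "$scope"
#   roles_at_scope "$pid" "$scope"
# Then re-run the assignment (portal: Update assignment). The identity is per
# assignment: deleting and recreating the assignment yields a new principal,
# so the grant has to be repeated for the new object id.
```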


0 additional answers

Sort by: Most helpful