
What is GEN-AZUREAD-OBJECTID in 101-key-vault-create/azuredeploy.parameters.json? #7510

Closed
afarber opened this issue May 5, 2020 · 4 comments

@afarber

afarber commented May 5, 2020

Hello and good evening,

I have a question please (and I am trying to create a keyvault from a pipeline in a previously manually created resource group):

What value should be used instead of GEN-AZUREAD-OBJECTID in 101-key-vault-create/azuredeploy.parameters.json?

I see the explanation in 101-key-vault-create/azuredeploy.json

```json
"objectId": {
  "type": "string",
  "metadata": {
    "description": "Specifies the object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Get it by using Get-AzADUser or Get-AzADServicePrincipal cmdlets."
  }
},
```

However I am not quite sure where to get that, since my pipeline uses a subscription (the task below uses a manually created keyvault, but I am trying to create a keyvault by an ARM template):

```yaml
- task: AzureKeyVault@1
  inputs:
    azureSubscription: 'My.org Shared Subscription'
    KeyVaultName: '${{ parameters.KeyVaultName }}'
    SecretsFilter: '*'
```

Here I have tried deploying the template manually (while testing your ARM template):

[screenshot: manual deployment of the template]

[screenshot: deployment result]

And I see that there is a new keyvault in my afarber-test-rg.

However I cannot see my-secret-1:

[screenshot: key vault secrets view]

Have I specified a wrong object id maybe?

Thank you

@bmoore-msft
Collaborator

The objectId is the "guid" of the principal/user you want to give access to the vault. In your screenshot there's a gold bar that says something went wrong... check the accessPolicies on the vault in the portal and see what's set there (and/or just refresh that page).

As for your pipeline, it depends on what accessPolicy you want to set - do you want the principal deploying the template to have access to the vault? If so, the same steps would apply (to get the objectID) - or if it's a different user, you'd just supply that as a param or build variable.

That help?

@afarber
Author

afarber commented May 7, 2020

Thank you Brian, that has helped and I am able to deploy Redis. Could I please ask you a follow-up question? I am trying to retrieve the primaryKey for my "outputs", but the following fails:

```json
"outputs": {
  "RedisCacheEndpoint": {
    "type": "string",
    "value": "[concat(reference(parameters('redisCacheName')).hostName, ':', reference(variables('resourceName')).sslPort)]"
  },
  "RedisCachePassword": {
    "type": "string",
    "value": "[reference(parameters('redisCacheName')).properties.primaryKey]"
  }
},
```

And I have also tried:

```json
"value": "[reference(parameters('redisCacheName')).properties.accessKeys.primaryKey]"
```

The error message is:

DeploymentOutputEvaluationFailed: The template output 'RedisCachePassword' is not valid: The language expression property 'primaryKey' can't be evaluated..

@bmoore-msft
Collaborator

You need to use a list* action (listKeys in this case) to retrieve a secret (since they require separate permissions)... but don't put that in your outputs, we don't allow it in the repo (though I'm sure you'll find some violations) and it makes the key available to anyone who has perms on the resource group (even if they don't have access to the secret).
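An added illustration of this advice, not code from the thread or from the azure-quickstart-templates repo: the primary key is fetched with listKeys at deployment time and written into a Key Vault secret, while the outputs carry only the non-secret endpoint. It assumes the Redis cache and the vault already exist in the resource group, that the deploying principal has the secret "set" permission on the vault (the kind of access policy the quickstart's objectId parameter configures), and that the resource names and apiVersions shown are assumptions, not values from the thread.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "redisCacheName": { "type": "string", "metadata": { "description": "Existing Redis cache (assumed)." } },
    "keyVaultName": { "type": "string", "metadata": { "description": "Existing Key Vault (assumed)." } }
  },
  "variables": {
    "redisId": "[resourceId('Microsoft.Cache/redis', parameters('redisCacheName'))]",
    "redisApiVersion": "2019-07-01"
  },
  "resources": [
    {
      "comments": "listKeys() runs at deployment time; the key lands in the vault and never appears in outputs or deployment history.",
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2019-09-01",
      "name": "[concat(parameters('keyVaultName'), '/redis-primary-key')]",
      "properties": {
        "value": "[listKeys(variables('redisId'), variables('redisApiVersion')).primaryKey]"
      }
    }
  ],
  "outputs": {
    "RedisCacheEndpoint": {
      "type": "string",
      "value": "[concat(reference(variables('redisId'), variables('redisApiVersion')).hostName, ':', reference(variables('redisId'), variables('redisApiVersion')).sslPort)]"
    }
  }
}
```

Consumers then read the key through the vault (for example the AzureKeyVault@1 task shown earlier in the thread), so access is gated by the vault's access policy rather than by who can read the resource group's deployment outputs.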

@afarber
Author

afarber commented May 12, 2020

Thank you

@afarber afarber closed this as completed May 12, 2020