Post

Azure Pipelines: How to get the current service principal id

How to get the id of the service principal running the current task in Azure Pipelines

Azure Pipelines: How to get the current service principal id

This a quick post for sharing a solution to a problem I have faced recently: in an Azure pipeline running Azure CLI tasks, how can I get the current service principal id ?
Well, it’s a little less simple than it sounds, let’s find out !

The solution

I will go straight to the point here and reveal the solution with this command:
az ad sp show --id "$(az account show --query user.name -o tsv)" --query id -o tsv

It can be used like this in your pipeline’s yaml file:

1
2
3
4
5
6
7
8
9
steps:
  - task: AzureCLI@2
    name: GetCurrentSpId
    inputs:
      azureSubscription: your-azurerm-service-connection
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        az ad sp show --id "$(az account show --query user.name -o tsv)" --query id -o tsv

So you can take this and adapt it to you situation right now, that’s fine, I do this all the time when I stumble upon some random blog post 🤫
If you want to know why this works, you can also read on 😉

A few explanations

Initially I had this question because I needed to access a Key Vault’s existing secret in a Bicep deployment. That implies creating a role assignment with the Secrets User role to the service principal running my pipeline (and of course the Bicep deployment).

First I tried to get the sp id with the az ad signed-in-user show command but it works only for users and returns an error (/me request is only valid with delegated authentication flow.) when authenticated as a service principal.

Another approach is to use the addSpnToEnvironment input of the AzureCLI task: it adds the $servicePrincipalId to the script but using this id for role assignment doesn’t work out of the box.
As confusing as things can be in the world of AzureAD/Entra ID, the $servicePrincipalId variable exposes the Application ID of your Enterprise Application, but for a role assignment you need the Object ID: Enterprise App's UI in Azure PortalYou can check if you use the right id here in the Azure Portal

Obviously if the wrong id is used for the role assignment, it will look like this in the portal: Identity not found for role assignment in Azure PortalThis is not fine

So finally to make this work we need to use the az ad sp show command to get the Object ID from the Application ID. It still can be done like this with the addSpnToEnvironment input:

1
2
3
4
5
6
7
8
9
10
steps:
  - task: AzureCLI@2
    name: GetCurrentSpId
    inputs:
      addSpnTEnvironment: true
      azureSubscription: your-azurerm-service-connection
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        az ad sp show --id "$servicePrincipalId" --query id -o tsv

Or without the addSpnToEnvironment input by combining the az account show command (to get the Application ID) with the az ad sp show command as shown at the beginning of this post.
With any of these two approaches the role assignment will appear like this in the portal: Identity found for the role assignment in Azure PortalThis is much better

Wrapping-up

In this post we have seen that getting the current service principal of an Azure Pipeline is not that easy, but not that complicated either. I hope it’s useful, I’m pretty sure my future self will be happy to check this post in a few months or years 😅

This post is licensed under CC BY 4.0 by the author.