Track Deployments Easily Using az.deployer().objectId

Bicep continues to evolve as one of the most capable tools for declarative infrastructure deployment in Azure.

With the release of Bicep v0.32, a new feature was introduced: the ability to retrieve the principal ID of the user or identity executing the Bicep deployment, using the az.deployer().objectId function.

This feature enhances visibility and traceability in deployment operations, making it easier to implement governance and compliance practices.

Let’s get started.

What is az.deployer().objectId?

The az.deployer().objectId function belongs to the az namespace in Bicep and retrieves the object ID (principal ID) of the identity performing the deployment. The value is resolved by Azure Resource Manager at deployment time from whichever principal authenticated the deployment request, so it can be:

  • The user executing the deployment
  • A service principal
  • A managed identity, if used in the deployment process

Note that in a CI/CD pipeline this is the pipeline's service principal or managed identity, not the person who triggered the run; if you need the human trigger, that has to be passed in separately (for example as a parameter from the pipeline).

This functionality ensures that deployment details, such as the executor's identity, can be captured programmatically within the resource declarations.

Why is This Important?

In modern DevOps and governance practices, it's crucial to know who initiated a deployment, for reasons including:

  • Audit trails and compliance
  • Tagging and ownership assignment for deployed resources
  • Debugging and tracing deployment issues

With az.deployer().objectId, including this metadata in resource configurations becomes straightforward and automatic.

Simple Use Case: Adding a created-by Tag

One practical application of this feature is tagging resources with a created-by tag that records the principal ID of the user or identity responsible for creating the resource. Here's an example:

Example: Tagging a Storage Account with created-by.

// 'st' + uniqueString() yields a globally unique, valid name (lowercase
// alphanumerics, 3-24 chars); replace with your own naming convention.
param storageAccountName string = 'st${uniqueString(resourceGroup().id)}'
param location string = resourceGroup().location

resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  tags: {
    // Resolved at deployment time to the object ID of the deploying principal
    'created-by': az.deployer().objectId
  }
}

// Expose the same value as an output so it can be checked without opening the portal
output deployerObjectId string = az.deployer().objectId

As shown in the screenshots below, the object ID of my account in Microsoft Entra ID matches the value written to the created-by tag of the storage account.

[Screenshot: Object ID in Microsoft Entra ID]

[Screenshot: created-by tag on the storage account]
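The example above writes a single tag to a single resource. The following is an added example, not code from the original post, that generalizes the same idea into a reusable tag set: it records the deployer's object ID and tenant ID (both exposed by az.deployer()), the deployment time (utcNow(), which Bicep only permits in a parameter default) and the deployment name, merges them with caller-supplied tags, and applies the result to more than one resource. Because deployer() is evaluated on every deployment, the tags describe the principal that ran the most recent deployment, so they are named last-deployed-by rather than created-by. The resource names and the second resource (a Key Vault) are assumptions chosen for illustration.

```bicep
// Added example (not from the original post): reusable deployment-provenance
// tags built from az.deployer(), applied to several resources.
targetScope = 'resourceGroup'

@description('Tags supplied by the caller; provenance tags are merged on top.')
param extraTags object = {}

@description('Deployment timestamp. utcNow() is only allowed in a parameter default.')
param deployedAt string = utcNow()

param location string = resourceGroup().location

// deployer() resolves to whoever ran *this* deployment, so a redeployment by a
// different identity overwrites the value. The tag names reflect that; do not
// treat them as an immutable "created-by" record.
var provenanceTags = {
  'last-deployed-by': az.deployer().objectId
  'last-deployed-by-tenant': az.deployer().tenantId
  'last-deployed-at': deployedAt
  'last-deployment-name': deployment().name
}

// union(): for duplicate keys the later argument wins, so caller-supplied tags
// cannot override the provenance tags.
var tags = union(extraTags, provenanceTags)

// Assumed name: 'st' + uniqueString() gives a valid, globally unique name.
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'st${uniqueString(resourceGroup().id)}'
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  tags: tags
  properties: {
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
  }
}

// Second resource (assumed for illustration) reusing the same tag set.
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'kv${uniqueString(resourceGroup().id)}'
  location: location
  tags: tags
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enableRbacAuthorization: true
  }
}

output deployerObjectId string = az.deployer().objectId
output appliedTags object = tags
```

Deploy it with `az deployment group create --resource-group <rg> --template-file main.bicep` and compare the deployerObjectId output with `az ad signed-in-user show --query id -o tsv` (or the service principal's object ID when run from a pipeline). Keep in mind that tags are mutable by any principal with write access to the resource, so they are a convenience for ownership and triage; the Azure Activity Log remains the authoritative record of who performed a deployment.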

Conclusion

The introduction of the az.deployer().objectId function in Bicep v0.32 is a significant step forward for Azure's Infrastructure-as-Code capabilities. Capturing the deployer's object ID automatically simplifies governance, auditing, and resource tracking. Treat the resulting tags as a convenience rather than a tamper-proof audit trail: tags can be edited by anyone with write access to the resource, and the value is refreshed on every deployment, so the Azure Activity Log remains the authoritative record of who deployed what.

Note. As this is a new feature, you may run into syntax errors on older tooling (the function is unknown to Bicep versions before 0.32). Upgrade both the Azure CLI and the bundled Bicep CLI using the commands below, then confirm the version:

  1. az upgrade
  2. az bicep upgrade
  3. az bicep version
