How can we access a storage endpoint with a SAS token from an Azure managed app (Bicep)?


Our Azure managed app needs to access a storage blob container, which would require a storage endpoint URI and a SAS token (the storage account is located in the publisher's subscription). For example: "ModulesUrl": "[uri(parameters('_artifactsLocation'), concat(parameters('moduleFilePath'), parameters('_artifactsLocationSasToken')))]". Using secrets such as SAS tokens in the managed app is not allowed; however, it is required to access the blob. I tried to access the SAS token from the key vault (publisher's subscription). It is possible to reference the key vault secret for parameters of secure string type, but not for parameters of type string. I can generate the SAS on the fly, but I'm not sure if that's the only option.

2) I need to update once the resource is created within the MRG. Can I use a system-assigned identity (note: it's not an existing resource outside of the MRG)? Unless the resource is external to the MRG, I prefer not to prompt the user to provide an existing identity as part of UIDef.

I tried to create a user identity and assign appropriate RBAC within the MRG scope programmatically; however, the RBAC assignment doesn't seem to work due to deny-all assignments applied to the MRG. I can try whether delegatedManagedIdentityResourceId could work.
