Role Assignment for User Assigned Identity doesn't work with Storage Accounts.
@ninjarobot this might be one for you to help with!

In Farmer 1.3 we’ve moved over to using the explicit roleAssignments resource. Here’s an example from a newly-generated template that is running over a storage account:
```json
{
  "apiVersion": "2020-04-01-preview",
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts', 'xxx')]"
  ],
  "name": "xxx",
  "properties": {
    "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'xxx')).principalId]",
    "principalType": "ServicePrincipal",
    "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'xxx')]",
    "scope": "[resourceId('Microsoft.Storage/storageAccounts', 'xxx')]"
  },
  "type": "Microsoft.Authorization/roleAssignments"
}
```
It doesn’t work - here’s a (redacted) error message:

```
The request to create role assignment 'xxx' is not valid. Role assignment scope '/subscriptions/xxx/resourceGroups/my-resource-group-name/providers/Microsoft.Storage/storageAccounts/xxx' must match the scope specified on the URI '/subscriptions/xxx/resourcegroups/xxx'.
```

1.2 used the storage account role provider:
```json
{
  "apiVersion": "2018-09-01-preview",
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts', 'xxx')]",
    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'xxx')]"
  ],
  "name": "xxx/Microsoft.Authorization/xxx",
  "properties": {
    "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'xxx')).principalId]",
    "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'xxx')]"
  },
  "tags": {
    "displayName": "StorageBlobDataReader (xxx)"
  },
  "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments"
}
```
The main difference that I can see is that the new one adds scope and principal type. I suspect that the extra fields added (scope / principalType) are stopping things working. What do you think?
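The error quoted above says the role assignment's `properties.scope` (the storage account) must match the scope the deployment was sent to (the resource group). A `Microsoft.Authorization/roleAssignments` resource that should land on a specific resource is an ARM extension resource, and the target is expressed with the resource-level `scope` property (`"scope": "Microsoft.Storage/storageAccounts/xxx"`), not inside `properties`. The following added example, which is not Farmer's code and not the fix from the PR mentioned in the thread, is a small pre-deployment check that walks a template's `resources` array and flags role assignments that carry a `properties.scope` but no resource-level `scope`. Both embedded templates are constructed for the example: the first is the 1.3 output from the issue (with its `xxx` placeholders), the second is the same assignment rewritten as an extension resource.

```python
import json
from typing import Any

ROLE_ASSIGNMENT_TYPE = "Microsoft.Authorization/roleAssignments"

# Constructed sample: the Farmer 1.3 role assignment quoted in the issue, wrapped in a
# minimal template. The 'xxx' placeholders are kept exactly as in the redacted report.
ISSUE_TEMPLATE: dict[str, Any] = json.loads("""
{
  "resources": [
    {
      "apiVersion": "2020-04-01-preview",
      "dependsOn": ["[resourceId('Microsoft.Storage/storageAccounts', 'xxx')]"],
      "name": "xxx",
      "properties": {
        "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'xxx')).principalId]",
        "principalType": "ServicePrincipal",
        "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'xxx')]",
        "scope": "[resourceId('Microsoft.Storage/storageAccounts', 'xxx')]"
      },
      "type": "Microsoft.Authorization/roleAssignments"
    }
  ]
}
""")

# Constructed sample: the same assignment written as an ARM extension resource. The
# target is given by the resource-level "scope" property; "properties" no longer
# carries a scope at all.
FIXED_TEMPLATE: dict[str, Any] = json.loads("""
{
  "resources": [
    {
      "apiVersion": "2020-04-01-preview",
      "scope": "Microsoft.Storage/storageAccounts/xxx",
      "dependsOn": ["[resourceId('Microsoft.Storage/storageAccounts', 'xxx')]"],
      "name": "xxx",
      "properties": {
        "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'xxx')).principalId]",
        "principalType": "ServicePrincipal",
        "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'xxx')]"
      },
      "type": "Microsoft.Authorization/roleAssignments"
    }
  ]
}
""")


def check_role_assignments(template: dict[str, Any]) -> list[str]:
    """Return one finding per explicit roleAssignments resource that names its target
    only via properties.scope. Such a resource is submitted at the deployment's own
    scope, so ARM rejects it with the 'must match the scope specified on the URI'
    error quoted in the issue. The older nested-provider form
    (Microsoft.Storage/storageAccounts/providers/roleAssignments) is a different
    resource type and is deliberately left alone by this check."""
    findings: list[str] = []
    for res in template.get("resources", []):
        if res.get("type") != ROLE_ASSIGNMENT_TYPE:
            continue
        props = res.get("properties", {})
        target = props.get("scope")
        if target and not res.get("scope"):
            findings.append(
                f"{res.get('name')}: properties.scope targets {target} but the resource "
                "has no resource-level 'scope'; the deployment will reject it"
            )
    return findings


if __name__ == "__main__":
    for label, tpl in (("issue", ISSUE_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, check_role_assignments(tpl) or "ok")
```

Running the script reports the one bad assignment in the issue's template and nothing for the extension-resource form. A check like this fits in CI for generated templates, since it catches the mismatch before a deployment is attempted rather than from the deployment error.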
Top GitHub Comments
Taking a look now, sorry I’ve been afk for a couple days.
I’ve created a PR for this. @ninjarobot if you get five minutes, can you just scan through to check I’ve not screwed up something? Cheers.