
Role Assignment for User Assigned Identity doesn't work with Storage Accounts.


@ninjarobot this might be one for you to help with!

In Farmer 1.3 we’ve moved over to using the explicit roleAssignments resource. Here’s an example from a newly-generated template that is running over a storage account:

    {
      "apiVersion": "2020-04-01-preview",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', 'xxx')]"
      ],
      "name": "xxx",
      "properties": {
        "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'xxx')).principalId]",
        "principalType": "ServicePrincipal",
        "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'xxx')]",
        "scope": "[resourceId('Microsoft.Storage/storageAccounts', 'xxx')]"
      },
      "type": "Microsoft.Authorization/roleAssignments"
    }

It doesn’t work - here’s a (redacted) error message:

    The request to create role assignment 'xxx' is not valid. Role assignment scope '/subscriptions/xxx/resourceGroups/my-resource-group-name/providers/Microsoft.Storage/storageAccounts/xxx' must match the scope specified on the URI '/subscriptions/xxx/resourcegroups/xxx'.

1.2 used the storage account role provider:

    {
      "apiVersion": "2018-09-01-preview",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', 'xxx')]",
        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'xxx')]"
      ],
      "name": "xxx/Microsoft.Authorization/xxx",
      "properties": {
        "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'xxx')).principalId]",
        "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'xxx')]"
      },
      "tags": {
        "displayName": "StorageBlobDataReader (xxx)"
      },
      "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments"
    }

The main difference that I can see is that the new one adds scope and principal type. I suspect that the extra fields added (scope / principalType) are stopping things from working. What do you think?

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (4 by maintainers)

Top GitHub Comments

1 reaction
ninjarobot commented, Dec 24, 2020

Taking a look now, sorry I’ve been afk for a couple days.

1 reaction
isaacabraham commented, Dec 24, 2020

I’ve created a PR for this. @ninjarobot if you get five minutes, can you just scan through to check I’ve not screwed up something? Cheers.
