Resource level RBAC using ARM templates is not working


We were trying to create an automation pipeline in Azure DevOps to assign roles at resource level for any kind of resource, and used the template below for that purpose.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "roleDefinitionId": {
      "type": "string"
    },
    "principalId": {
      "type": "string"
    }
  },
  "variables": {
    "roleAssignmentName": "[guid(parameters('principalId'), parameters('roleDefinitionID'), resourceGroup().id)]"
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/querypacks",
      "apiVersion": "2021-04-01-preview",
      "name": "[variables('roleAssignmentName')]",
      "properties": {
        "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
        "principalId": "[parameters('principalId')]"
      }
    }
  ]
}

parameters.json

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "roleDefinitionId": {
      "value": "#{roleDefinitionId}#"
    },
    "principalId": {
      "value": "#{principalId}#"
    }
  }
}

Created an Azure DevOps task to replace the "principalid" and "roledefinitionid" ids in the parameters file, and when performing the ARM deployment group task with the updated templates, it's failing.

Note: In my example above, I tried to assign the Contributor role only to a specific resource, qpck-1, for a specific group.

Is there any way to use the same template to assign roles at resource level for different kinds of resources?


There are 2 best solutions below

agamil On BEST ANSWER

The template shows the querypacks resource explicitly; however, it should be parameterized.

So you could change

 "type": "Microsoft.OperationalInsights/querypacks"

to

"type": "[parameters('resourceType')]"

And in the parameter file add the following

    "resourceType": {
        "value": "#{resourceType}#"
    },
    "resourceName": {
        "value": "#{resourceName}#"
    }

Where the resourceType could be any type you need, like "Microsoft.Compute/virtualMachines", and the resourceName could be the name of the VM, like ODS_VM.

And, by the way, it is better to provide the error message to be sure about the cause and the resolution.

Hope that helps.

viktorh On

It seems like you are missing "scope"?

For example:

{
  "scope": "[format('Microsoft.ServiceBus/namespaces/{0}', variables('mySBnameSpace'))]",
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2018-09-01-preview",
  "name": "[guid(variables('functionAppName'))]",
  "properties": {
    "roleDefinitionId": "[variables('ServiceBusReceiverRole')]",
    "principalId": "[parameters('principalId')]"
  }
}