So, I am trying to do the following with an ARM template:

  1. Create a new User-assigned Managed Identity (my-managed-identity) in Resource Group my-rg
  2. Assign my-managed-identity the Reader role for my-rg
  3. Assign the role Managed Identity Operator to an AKS Service Principal (my-aks-sp) in my-managed-id

Here is my ARM template to do so:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "aksServicePrincipalObjectId": {
            "type": "string",
            "metadata": {
                "description": "The Object Id for the AKS Cluster Service Principal"
            }
        }
    },
    "variables": {
        "managedIdentityName": "my-managed-identity",
        "readerRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "managedIdOperatorRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]"
    },
    "resources": [
        {
            "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
            "name": "[variables('managedIdentityName')]",
            "apiVersion": "2018-11-30",
            "location": "[resourceGroup().location]",
            "resources": [
                {
                    "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments",
                    "name": "[concat(variables('managedIdentityName'), '/Microsoft.Authorization/', guid(parameters('aksServicePrincipalObjectId')))]",
                    "apiVersion": "2018-09-01-preview",
                    "location": "[resourceGroup().location]",
                    "dependsOn": [
                        "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
                    ],
                    "properties": {
                        "roleDefinitionId": "[variables('managedIdOperatorRole')]",
                        "principalId": "[parameters('aksServicePrincipalObjectId')]"
                    }
                }
            ]
        },
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "name": "[guid(variables('managedIdentityName'))]",
            "apiVersion": "2018-09-01-preview",
            "dependsOn": [
                "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
            ],
            "properties": {
                "roleDefinitionId": "[variables('readerRole')]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName')),'2018-11-30').principalId]"
            }
        }
    ]
}

The weird thing is that sometimes this deployment doesn't work. I will more often than not get the error:

New-AzResourceGroupDeployment : 2:56:07 PM - Resource Microsoft.Authorization/roleAssignments 'd62bb9a1-bf0b-5a92-aca1-74beab087ee9' failed with message '{
  "error": {
    "code": "PrincipalNotFound",
    "message": "Principal fad453d06bd042148411606b74525ed2 does not exist in the directory 936529098-bafa-4c91-b54f-f012cc11eeec."
  }
}

Am I missing something here?

deathcat05
  • I believe the issue is with the fact that your role assignment name is based on the Managed Identity. ARM reads the artifact, looks for the name that does not exist even before looking whether there is a dependency or not. Can you give it a try? – LMG Mar 04 '20 at 01:18
  • What should I have the name be then? I am just using a variable there that is `my-managed-identity`. – deathcat05 Mar 04 '20 at 01:28
  • @LMGagne I did as you suggested, and changed the name to `guid(deployment().name)`, and still the same error. The first time it failed, but the second time it was successful. – deathcat05 Mar 04 '20 at 01:44

1 Answer

This documentation from Microsoft solved my problem.

Here is my complete template:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "aksServicePrincipalObjectId": {
            "type": "string",
            "metadata": {
                "description": "The Object Id for the AKS Cluster Service Principal"
            }
        }
    },
    "variables": {
        "managedIdentityName": "my-managed-identity",
        "readerRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "managedIdOperatorRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]"
    },
    "resources": [
        {
            "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
            "name": "[variables('managedIdentityName')]",
            "apiVersion": "2018-11-30",
            "location": "[resourceGroup().location]",
            "resources": [
                {
                    "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments",
                    "name": "[concat(variables('managedIdentityName'), '/Microsoft.Authorization/', guid(parameters('aksServicePrincipalObjectId')))]",
                    "apiVersion": "2018-09-01-preview",
                    "location": "[resourceGroup().location]",
                    "dependsOn": [
                        "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
                    ],
                    "properties": {
                        "roleDefinitionId": "[variables('managedIdOperatorRole')]",
                        "principalId": "[parameters('aksServicePrincipalObjectId')]",
                        "principalType": "ServicePrincipal" // This solved my issue
                    }
                }
            ]
        },
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "name": "[guid(variables('managedIdentityName'))]",
            "apiVersion": "2018-09-01-preview",
            "dependsOn": [
                "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('managedIdentityName'))]"
            ],
            "properties": {
                "roleDefinitionId": "[variables('readerRole')]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('managedIdentityName')),'2018-11-30').principalId]",
                "scope": "[resourceGroup().id]" //This is what I added to get it to work!
            }
        }
    ]
}
deathcat05
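Added example, not code from the question or the answer: a small Python checker that reads an ARM template the way the deployment engine tolerates it (the `//` comments and trailing commas seen in the templates above), then reports, for every `roleAssignments` resource, which built-in role it grants, whether `principalType` is set, and whether `scope` is explicit. The sample template is constructed here; the only page-specific values reused are the two role definition GUIDs from the templates above.

```python
import json
import re
# Built-in role definition GUIDs that appear in the question's template.
KNOWN_ROLES = {"acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
               "f1a07417-d97a-45cb-824c-7a7467783830": "Managed Identity Operator"}
_STRING = r'"(?:\\.|[^"\\])*"'  # matched first, so "//" inside the $schema URL is never a comment
_GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def to_strict_json(text):
    """Drop the // comments and trailing commas that ARM tolerates but json.loads rejects."""
    keep = lambda m: m.group(0) if m.group(0)[0] == '"' else ""
    text = re.sub(_STRING + r"|//[^\n]*", keep, text)       # pass 1: line comments
    return re.sub(_STRING + r"|,(?=\s*[}\]])", keep, text)  # pass 2: trailing commas

def iter_resources(resources):
    for res in resources:  # top-level resources and the child resources nested under them
        yield res
        yield from iter_resources(res.get("resources", []))

def check_role_assignments(template_text):
    """Return {assignment name: [findings]} for every roleAssignments resource."""
    report = {}
    for res in iter_resources(json.loads(to_strict_json(template_text)).get("resources", [])):
        if not res.get("type", "").endswith("roleAssignments"):
            continue
        props, findings = res.get("properties", {}), []
        match = _GUID.search(props.get("roleDefinitionId", ""))
        findings.append("role: " + (KNOWN_ROLES.get(match.group(0).lower(), "unknown, review") if match else "unresolved"))
        if "principalType" not in props:
            # Without principalType ARM validates the principal in the directory first; a fresh one may not have replicated yet.
            origin = "created in this deployment" if "reference(" in props.get("principalId", "") else "pre-existing"
            findings.append(f"principalType missing; principal {origin}: PrincipalNotFound risk")
        if "scope" not in props:
            findings.append("scope not set: assignment defaults to the deployment scope")
        report[res.get("name", "?")] = findings
    return report

# Constructed sample mirroring the question: the nested assignment sets principalType, the Reader one does not.
SAMPLE = r'''{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "resources": [{
    "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "name": "my-managed-identity",
    "resources": [{"type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments", "name": "operator-assignment",
      "properties": {"roleDefinitionId": "/subscriptions/sub/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
        "principalId": "[parameters('aksServicePrincipalObjectId')]", "principalType": "ServicePrincipal", // tolerated by ARM, not strict JSON
      }}]
  }, {
    "type": "Microsoft.Authorization/roleAssignments", "name": "reader-assignment",
    "properties": {"roleDefinitionId": "/subscriptions/sub/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
      "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'my-managed-identity'), '2018-11-30').principalId]"}}]
}'''
```

The findings are advisory: `principalType` and `scope` are exactly the two properties the answer added, and the checker flags every assignment where either is absent so they can be reviewed before deploying.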