0

My template is below along with an error which does not make sense since scope seems to be in correct order and it's allowed to use this notation per (https://learn.microsoft.com/en-us/rest/api/authorization/roleassignments/create)

    {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2017-05-01",
        "name": "[ guid(resourceGroup().id, 'windowsserverstorage')]",
        "dependsOn": ["[variables('storageaccountname')]"],
        "properties": {
            "roleDefinitionId": "[variables('Contributor')]",
            "principalId": "063fe2f0-7448-48e4-8661-dbb4e9f85d39",
            "scope": "/subscriptions/24ba3e4c-45e3-4d55-8132-6731ca25547f/resourceGroups/MyDemo/providers/Microsoft.Storage/storageAccounts/wkstorage2pzpd"
        }
    }   ,

Error is below 

Resource Microsoft.Authorization/roleAssignments '1aed14fd-8f7c-5636-989b-7c134b353fcc' failed with message '{
  "error": {
    "code": "InvalidCreateRoleAssignmentRequest",
    "message": "The request to create role assignment '1aed14fd-8f7c-5636-989b-7c134b353fcc' is not valid. Role assignment scope 
'/subscriptions/24ba3e4c-45e3-4d55-8132-6731cf25547f/resourceGroups/myDemo/providers/Microsoft.Storage/storageAccounts/wkstorage2pzpd' must match the scope specified on the URI 
'/subscriptions/24ba3e4c-45e3-4d55-8132-6731cf25547f/resourcegroups/myDemo'."
  }
}'

If I try to assign a different way like below then different error is being thrown

{
        "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
    "apiVersion": "2017-05-01",
    "name": "[concat('wkstorage2pzpd/blobServices/default/networkadmins', '/Microsoft.Authorization/', guid(resourceGroup().id, '1231'))]",
    "dependsOn": [
            "[variables('storageaccountname')]"
    ],
    "properties": {
        "roleDefinitionId": "[variables('Contributor')]",
        "principalId": "063fe2f0-7448-48e4-8661-dbb4e9f85d39"
    }
},

Error

The template resource 
'wkstorage2pzpd/blobServices/default/Microsoft.Authorization/a4b69ebe-d58c-5309-9385-0a2e26d343a3' for type 'Microsoft.Storage/storageAccounts/providers/roleAssignments' at line '179' and column '9' has incorrect segment lengths. 
A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name. Please see https://aka.ms/arm-template/#resources for usage 
details.'.
Gregory Suvalian
  • 3,566
  • 7
  • 37
  • 66

3 Answers3

2

If you want to assign a role to the service principal in the storage account level, try the template as below, it works fine on my side.

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "principalId": {
            "type": "String",
            "metadata": {
                "description": "The principal to assign the role to"
            }
        },
        "builtInRoleType": {
            "allowedValues": [
                "Owner",
                "Contributor",
                "Reader"
            ],
            "type": "String",
            "metadata": {
                "description": "Built-in role to assign"
            }
        }
    },
    "variables": {
        "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
        "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "TestVariable": "[concat('YourStorageAccountName','/Microsoft.Authorization/',guid(subscription().subscriptionId))]"
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
            "name": "[variables('TestVariable')]",
            "apiVersion": "2017-05-01",
            "properties": {
                "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
                "principalId": "[parameters('principalId')]"
            }
        }
    ]
}

enter image description here

Besides, if you want to assign the role in the Container level, see this link.

{
            "type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
            "apiVersion": "[variables('apiVersion')]",
            "name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID",
            "properties": {
                "roleDefinitionId": "[variables('StorageBlobDataContributor')]",
                "principalId": "[parameters('principalId')]"
            }
        }
Joy Wang
  • 39,905
  • 3
  • 30
  • 54
0

In addition to Joy's answer you may use below template as well, which works fine for me.

Parameters template:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "value": "xxxxxxxxxxxxxxxxxxxxxxxx"
    },
    "builtInRoleType": {
      "value": "xxxxxxxxxxx"
    },
    "roleNameGuid": {
      "value": "xxxxxxxxxxxxxxxxxxxxxxxx"
    },
    "storageAccountName": {
      "value": "xxxxxxxxxxxxxxxxxxxxxxxx"
    }
  }
}

Main template:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "The principal to assign the role to"
      }      
    },
    "builtInRoleType": {
      "type": "string",
      "allowedValues": [
        "Owner",
        "Contributor",
        "Reader"
      ],
      "metadata": {
        "description": "Built-in role to assign"
      }      
    },
    "roleNameGuid": {
      "type": "string",
      "metadata": {
        "description": "A new GUID used to identify the role"
      }      
    },
    "storageAccountName": {
        "type": "string",
        "metadata": {
            "description": "Name of the storage account"
        }
    }
  },
  "variables": {
    "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
    "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
    "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
    "resourceName": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', parameters('roleNameGuid'))]"

  },
  "resources": [
    {
      "type": "/Microsoft.Storage/storageAccounts/providers/roleAssignments",
      "apiVersion": "2017-05-01",
      "name": "[variables('resourceName')]",
      "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[parameters('principalId')]"
      }
    }
  ]
}
KrishnaG
  • 3,340
  • 2
  • 6
  • 16
0

He is attempting to create a role assignment at the level/scope of the resource itself.

If you verify the selected answer with this --> Az role assignment list --all You will see that (with the selected answer) you are setting the scope to the resource group not the resource itself. The answer given is wrong. Right?

WiredLessInTX
  • 113
  • 1
  • 6