0

I have two AAD applications (service principals) and want to add RBAC to these two applications using an ARM template.

I tried deploying with the ARM template below.

    {
        "type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
        "apiVersion": "2018-09-01-preview",
        "name": "[concat(parameters('StorageAccountName'), '/default/',parameters('ContainerName'), '/Microsoft.Authorization/', parameters('roleNameGuid'))]",
        "properties": {
          "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
          "principalId": "[parameters('principalId')]"
        }      
    },
    {
        "type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
        "apiVersion": "2018-09-01-preview",
        "name": "[concat(parameters('StorageAccountName'), '/default/',parameters('ContainerName'), '/Microsoft.Authorization/', parameters('roleNameGuid'))]",
        "properties": {
          "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
          "principalId": "[parameters('principalId2')]"
        }      
    }        

When I deploy with this ARM template, I get the error below.

    Deployment template validation failed: 'The resource 'Microsoft.Storage/storageAccounts/MystorageAccounts/blobServices/default/containers/test/providers/Microsoft.Authorization/roleAssignments/aacd4b89-a70f-4be9-a0ba-6b8698dd7129' at line '52' and column '9' is defined multiple times in a template. Please see https://aka.ms/arm-template/#resources for usage details.'. (Code: InvalidTemplate)
4c74356b41
Sako

2 Answers

2

You need to use different names for the name option in the resource. For example, you can append a number at the end of the name to distinguish the difference.

Charles Xu
  • Are you referring to the line `"[concat(parameters('StorageAccountName'), '/default/',parameters('ContainerName'), '/Microsoft.Authorization/', parameters('roleNameGuid'))]",`? This is how the resource and role are defined. You can't append a number to the end of the role guid? – Skillie Mar 29 '23 at 14:04
0

Wouldn't this work as well, and take away the hardcoded value of the guid?: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions-string#guid

Yes, it will require some input to calculate a different GUID, but you could use property iteration to change that: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-multiple#property-iteration

Marco
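An added example, not code from any poster on this page: a complete template that gives each role assignment its own name by computing it with `guid()` from the container scope, the principal, and the role, so the two resources no longer collide and a redeploy produces the same names. It assumes a hypothetical array parameter `principalIds` in place of `principalId`/`principalId2`, and it uses a resource-level `copy` loop (resource iteration) rather than the property iteration linked above; `roleAssignmentCopy` is an arbitrary loop name.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "StorageAccountName": { "type": "string" },
    "ContainerName": { "type": "string" },
    "principalIds": {
      "type": "array",
      "metadata": {
        "description": "Assumed parameter for this example: object IDs of the service principals, one role assignment is created per entry."
      }
    }
  },
  "variables": {
    "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
    "containerId": "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('StorageAccountName'), 'default', parameters('ContainerName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
      "apiVersion": "2018-09-01-preview",
      "name": "[concat(parameters('StorageAccountName'), '/default/', parameters('ContainerName'), '/Microsoft.Authorization/', guid(variables('containerId'), parameters('principalIds')[copyIndex()], variables('roleDefinitionId')))]",
      "copy": {
        "name": "roleAssignmentCopy",
        "count": "[length(parameters('principalIds'))]"
      },
      "properties": {
        "roleDefinitionId": "[variables('roleDefinitionId')]",
        "principalId": "[parameters('principalIds')[copyIndex()]]"
      }
    }
  ]
}
```

Each assignment stays scoped to the single container, so the principals receive the role on that container only and not on the rest of the storage account.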