
I am trying to create a storage account and blob storage, and then create a role assignment on the storage account. Below is the code, storagedeploy.json:

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "Project": {
          "type": "string",
          "metadata": {
            "description": "Project name"
          }
        },
        "Environment": {
          "type": "string",
          "metadata": {
            "description": "Environment name"
          }
        },
        "location": {
          "type": "string",
          "metadata": {
            "description": "Location for all resources."
          }
        }
      },
      "variables": {
        "storageAccountName": "[toLower(concat(parameters('Project'), parameters('Environment'), uniqueString(resourceGroup().id)))]"
      },
      "resources": [
        {
          "type": "Microsoft.Storage/storageAccounts",
          "apiVersion": "2019-04-01",
          "name": "[variables('storageAccountName')]",
          "location": "[parameters('location')]",
          "sku": {
            "name": "Standard_LRS",
            "tier": "Standard"
          },
          "kind": "StorageV2",
          "properties": {
            "networkAcls": {
              "bypass": "AzureServices",
              "virtualNetworkRules": [],
              "ipRules": [],
              "defaultAction": "Allow"
            },
            "supportsHttpsTrafficOnly": true,
            "encryption": {
              "services": {
                "file": {
                  "enabled": true
                },
                "blob": {
                  "enabled": true
                }
              },
              "keySource": "Microsoft.Storage"
            },
            "accessTier": "Hot"
          }
        },
        {
          "type": "Microsoft.Storage/storageAccounts/blobServices",
          "apiVersion": "2019-04-01",
          "name": "[concat(variables('storageAccountName'), '/default')]",
          "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
          ],
          "properties": {
            "cors": {
              "corsRules": []
            },
            "deleteRetentionPolicy": {
              "enabled": false
            }
          }
        },
        {
          "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
          "apiVersion": "2019-04-01",
          "name": "[concat(variables('storageAccountName'), '/default/mycompany-project123-dev-data-store-ue1')]",
          "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('storageAccountName'), 'default')]",
            "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
          ],
          "properties": {
            "publicAccess": "None"
          }
        },
        {
          "type": "Microsoft.Authorization/roleAssignments",
          "name": "[guid(resourceGroup().id)]",
          "apiVersion": "2019-04-01-preview",
          "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('storageAccountName'), 'default')]",
            "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
          ],
          "properties": {
            "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
            "principalId": "xxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxx",
            "scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
          }
        }
      ]
    }

On execution, I am getting the issue below:

PS C:\work\azure\azure-devops\resourcetemplates\staticresources> az group deployment create --resource-group myproject-devops --template-file .\storagedeploy.json
Please provide string value for 'Project' (? for help): ert
Please provide string value for 'Environment' (? for help): fds
Please provide string value for 'location' (? for help): eastus2
Deployment failed. Correlation ID: xxxx-x-x-x-x--x-xxxxxxx. {
  "error": {
    "code": "InvalidCreateRoleAssignmentRequest",
    "message": "The request to create role assignment 'xxxx--x-x-x--x-x-x-sxxssxxx' is not valid. Role assignment scope '/subscriptions/xxxxxxxx3-xxxxxxxd-xxxxxxxd-xxe-xxxxxxxx2/resourceGroups/myproject-devops/providers/Microsoft.Storage/storageAccounts/ertfds5h4nafspjqzii' must match the scope specified on the URI '/subscriptions/xxxxxxxx3-xxxxxxxd-xxxxxxxd-xxe-xxxxxxxx2/resourcegroups/myproject-devops'."
  }
}

I tried to Google it, but I am getting different solutions. Where exactly am I going wrong? I tried to follow this issue on Stack Overflow.

Also, I am trying to assign permissions to a particular resource. To assign to storage, below is the code, which is working fine:

    {
      "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
      "name": "[concat(variables('storageAccountName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]",
      "apiVersion": "2019-04-01-preview",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('storageAccountName'), 'default')]",
        "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
      ],
      "properties": {
        "roleDefinitionId": "[concat(resourceGroup().id, '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
        "principalId": "[parameters('principalId')]",
        "scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
      }
    }

I need to do the same with Cosmos DB, Redis Cache and Key Vault, but it's not working. Any idea where I am going wrong? Below is the code:

For Cosmos DB:

    {
      "type": "Microsoft.DocumentDB/databaseAccounts/providers/roleAssignments",
      "name": "[concat(variables('cosmosDBAccountName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]",
      "apiVersion": "2019-04-01-preview",
      "dependsOn": [
        "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', variables('cosmosDBAccountName'), parameters('Project'))]",
        "[resourceId('Microsoft.DocumentDB/databaseAccounts', variables('cosmosDBAccountName'))]"
      ],
      "properties": {
        "roleDefinitionId": "[concat(resourceGroup().id, '/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450')]",
        "principalId": "[parameters('principalId')]",
        "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', variables('cosmosDBAccountName'))]"
      }
    }

For Redis Cache:

    {
      "type": "Microsoft.Cache/Redis/providers/roleAssignments",
      "name": "[concat(variables('redisCacheName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]",
      "apiVersion": "2019-04-01-preview",
      "dependsOn": [
        "[resourceId('Microsoft.Cache/Redis', variables('redisCacheName'))]"
      ],
      "properties": {
        "roleDefinitionId": "[concat(resourceGroup().id, '/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17')]",
        "principalId": "[parameters('principalId')]",
        "scope": "[resourceId('Microsoft.Cache/Redis', variables('redisCacheName'))]"
      }
    }

For Key Vault:

    {
      "type": "Microsoft.KeyVault/vaults/providers/roleAssignments",
      "name": "[concat(variables('keyVaultName'),'/Microsoft.Authorization/',guid(subscription().subscriptionId))]",
      "apiVersion": "2019-04-01-preview",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
      ],
      "properties": {
        "roleDefinitionId": "[concat(resourceGroup().id, '/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395')]",
        "principalId": "[parameters('principalId')]",
        "scope": "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
      }
    }
KCS

2 Answers


This means the role you are trying to assign cannot be assigned at that scope. You should either alter the role to allow it to be assigned at that scope, or use another role / create a new custom role.

https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions#assignablescopes

4c74356b41

I made some changes to your JSON, and it worked on my side now:

    {....
     .......
        ......

        {
          "type": "Microsoft.Authorization/roleAssignments",
          "name": "[guid(resourceGroup().id)]",
          "apiVersion": "2019-04-01-preview",
          "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('storageAccountName'), 'default')]",
            "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
          ],
          "properties": {
            "roleDefinitionId": "[concat(resourceGroup().id, '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
            "principalId": "xxxxxxxxxxxxxxxxxxxxxxxxxx",
            "scope": "[resourceGroup().Id]"
          }
        }

      ]
    }

As the error says, here you should make your role assignment scope the same as your resource group.


Mengdi Liang
  • Merlin - Is it possible to assign a role with scope particular to this resource only, rather than at resource group level? What changes do I need to make? – KCS Dec 03 '19 at 09:28
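The two things this thread turns on can be checked before running `az group deployment create`: a top-level `Microsoft.Authorization/roleAssignments` resource takes the scope of the deployment (here the resource group), which is exactly what the error message complains about, while a role on a single resource is declared as an extension resource of that parent (`<type>/providers/roleAssignments`), as in the storage block the question reports as working; and every assignment needs its own GUID name, which `guid(subscription().subscriptionId)` repeated across Cosmos DB, Redis and Key Vault does not give. The following Python lint is an added example written for this thread, not code from the question or either answer. It embeds a constructed sample template that reuses the question's resource types, variable names and built-in role GUIDs, and treats `subscriptionResourceId(...)` as the way to reference a built-in role definition; the deterministic `guid(scope, principal, role)` naming it recommends is a common convention, not something the thread itself states.

```python
"""Pre-deployment lint for role assignments in an ARM JSON template.
Constructed for this thread, not code from the question or the answers: flags a
top-level roleAssignments resource scoped narrower than the deployment, extension
assignments not scoped to their parent resource, and non-unique guid() names."""
import json
import sys

TOP_LEVEL_TYPE = "microsoft.authorization/roleassignments"
EXT_SUFFIX = "/providers/roleassignments"
ROLE_DEFS = "Microsoft.Authorization/roleDefinitions"


def guid_args(name_expr):
    """Argument text of the last guid(...) call in a name expression, i.e. the
    part that becomes the assignment's GUID, found by matching parentheses."""
    if "guid(" not in name_expr.lower():
        return name_expr
    start = name_expr.lower().rfind("guid(") + 5
    depth = 0
    for i in range(start, len(name_expr)):
        depth += {"(": 1, ")": -1}.get(name_expr[i], 0)
        if depth < 0:
            return name_expr[start:i].strip()
    return name_expr[start:].strip()


def resource_id_type(scope_expr):
    """Lowercased resource type passed to resourceId('...') in a scope expression."""
    low = scope_expr.lower()
    pos = low.find("resourceid('")
    end = low.find("'", pos + 12) if pos >= 0 else -1
    return low[pos + 12:end] if end > 0 else ""


def check_role_assignments(template):
    """Return findings for every role assignment in the template (empty = clean)."""
    findings, seen = [], {}
    for res in template.get("resources", []):
        rtype = res.get("type", "").lower()
        if not rtype.endswith("roleassignments"):
            continue
        name = res.get("name", "")
        scope = res.get("properties", {}).get("scope", "")
        # Rule 1: the scope must match where the resource is declared.
        if rtype == TOP_LEVEL_TYPE and scope.replace(" ", "").lower() != "[resourcegroup().id]":
            findings.append(f"{name}: top-level assignment scope must be [resourceGroup().id] in a "
                            "resource-group deployment; use an extension resource to target one resource")
        elif rtype.endswith(EXT_SUFFIX) and resource_id_type(scope) != rtype[:-len(EXT_SUFFIX)]:
            findings.append(f"{name}: extension assignment scope {scope!r} is not its parent resource")
        # Rule 2: a distinct, deterministic GUID name per assignment.
        args = guid_args(name)
        if args in seen:
            findings.append(f"{name}: same guid() input as {seen[args]}; the names would collide")
        seen.setdefault(args, name)
        if "principalid" not in args.lower() or "roledefinition" not in args.lower():
            findings.append(f"{name}: derive guid() from scope, principal and role definition")
    return findings


def ext_assignment(parent_type, name_var, guid_expr, role_guid):
    """Role assignment declared as an extension resource of one parent resource."""
    return {
        "type": f"{parent_type}/providers/roleAssignments",
        "apiVersion": "2019-04-01-preview",
        "name": f"[concat(variables('{name_var}'), '/Microsoft.Authorization/', {guid_expr})]",
        "properties": {
            "roleDefinitionId": f"[subscriptionResourceId('{ROLE_DEFS}', '{role_guid}')]",
            "principalId": "[parameters('principalId')]",
            "scope": f"[resourceId('{parent_type}', variables('{name_var}'))]",
        },
    }


# Constructed sample: the question's top-level pattern, two extension resources
# sharing one guid() input, and one corrected resource (built-in role GUIDs as quoted).
STORAGE_ROLE = "17d1049b-9a84-46fb-8f53-869881c3d3ab"
SAMPLE_TEMPLATE = {
    "parameters": {"principalId": {"type": "string"}},
    "resources": [
        {   # as in the question: narrower scope than the deployment -> rejected
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2019-04-01-preview",
            "name": "[guid(resourceGroup().id)]",
            "properties": {
                "roleDefinitionId": f"[subscriptionResourceId('{ROLE_DEFS}', '{STORAGE_ROLE}')]",
                "principalId": "[parameters('principalId')]",
                "scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
            },
        },
        ext_assignment("Microsoft.KeyVault/vaults", "keyVaultName",
                       "guid(subscription().subscriptionId)", "f25e0fa2-a7c8-4377-a976-54943a77a395"),
        ext_assignment("Microsoft.Cache/Redis", "redisCacheName",
                       "guid(subscription().subscriptionId)", "e0f68234-74aa-48ed-b826-c38b57376e17"),
        # corrected: scoped to the storage account, GUID unique to scope + principal + role
        ext_assignment("Microsoft.Storage/storageAccounts", "storageAccountName",
                       "guid(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), "
                       f"parameters('principalId'), subscriptionResourceId('{ROLE_DEFS}', '{STORAGE_ROLE}'))",
                       STORAGE_ROLE),
    ],
}

if __name__ == "__main__":
    # Lint the template path given on the command line, or the sample when none is given.
    tmpl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for line in check_role_assignments(tmpl) or ["no findings"]:
        print(line)
```

Run against the sample it reports the rejected top-level assignment, the shared `guid()` input of the Key Vault and Redis entries, and the non-deterministic names, while the last resource passes cleanly; pointing it at `storagedeploy.json` checks a real template the same way. The second answer's `"[resourceGroup().Id]"` is accepted because ARM expressions are case-insensitive, and the checker is written to match.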