
I have a Service Catalog Managed Application defined via ARM template. Inside the template I create a linux VM and run a custom script that downloads required files from an existing Azure Blob storage and starts my app.

I want to use RBAC to grant access to an existing blob storage, so that any access key or token is not specified inside the template, and the user deploying the Managed Application does not need to input any key or token.

Therefore I have the following role assignment on my VM to access a different resource group, taking inspiration from this answer:

{
    "type": "Microsoft.Resources/deployments",
    "name": "nested-role-assignment",
    "apiVersion": "2017-05-10",
    "resourceGroup": "myResourceGroup",
    "subscriptionId": "[subscription().subscriptionId]",
    "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
    ],
    "properties": {
        "mode": "Incremental",
        "template": {
            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "resources": [
                {
                    "apiVersion": "2018-01-01-preview",
                    "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
                    "name": "[concat('myStorageAccount', '/Microsoft.Authorization/', guid(subscription().subscriptionId, 'foo'))]",
                    "properties": {
                        "roleDefinitionId": "[variables('StorageBlobContributor')]",
                        "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines', variables('vmName')),'2019-12-01', 'Full').identity.principalId]",
                        "scope": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount')]"
                    }
                }
            ]
        }
    }
}

This works when I deploy my managed app using the CLI logged in as the Azure portal global administrator.

When I create a managed application definition and deploy the app from the Service Catalog as an Azure AD user, I get the error -

{
    "code": "DeploymentFailed",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
    "details": [
        {
            "code": "Conflict",
            "message": "{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"ApplianceDeploymentFailed\",\r\n \"message\": \"The operation to create appliance failed. Please check operations of deployment 'managed-app' under resource group '/subscriptions/<subscr-id>/resourceGroups/<managed-rg>'. Error message: 'At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.'\",\r\n \"details\": [\r\n {\r\n \"code\": \"BadRequest\",\r\n \"message\": \"{\\r\\n \\\"error\\\": {\\r\\n \\\"code\\\": \\\"InvalidTemplateDeployment\\\",\\r\\n \\\"message\\\": \\\"The template deployment failed with error: 'Authorization failed for template resource 'myResourceGroup/Microsoft.Authorization/<some-id>' of type 'Microsoft.Storage/storageAccounts/providers/roleAssignments'. The client '<client-id>' with object id '<client-id>' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/<subscr-id>/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount/providers/Microsoft.Authorization/roleAssignments/<some-id>'.'.\\\"\\r\\n }\\r\\n}\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}"
        }
    ]
}

where it says the client-id does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write'. I couldn't find what the client-id represents here.

To triage this, I assigned my user the "Owner" role so it can "write" a role assignment, but that did not help. The same error is received.

It would make sense that an Azure AD user cannot write a role assignment in a different resource group. In that case, what would be the correct solution here?

In summary, how do I grant access to a VM created by a Service Catalog application, using an ARM template, so that it can download files from an existing blob storage (using RBAC)?

--EDIT--

I was using a "System Assigned" identity before, but I need a User Assigned identity. Following this guide I created a User Assigned Identity (in the portal), and granted it access to my blob storage. Then I updated my createUiDefinition to select the identity when deploying my Managed Application. The error mentioned above goes away, but the identity is not assigned to the newly created VM.

I tried assigning the identity to the VM in the mainTemplate by doing -

"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2018-10-01",
"name": "[variables('vmName')]",
"location": "[parameters('location')]",
"dependsOn": [
    "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]"
],
"identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
        "[variables('userAssignedIdentity')]": {}
    }
},

but that produces a similar error to before -

"The client 'some-id' with object id 'some-id' has permission to perform action 'Microsoft.Compute/virtualMachines/write' 
on scope '/subscriptions/subscr-id/resourcegroups/mrg-20200827143250/providers/Microsoft.Compute/virtualMachines/new-vm'; 
however, it does not have permission to perform action 
'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' 
on the linked scope(s) '/subscriptions/subscr-id/resourceGroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-user-identity' or the linked scope(s) are invalid.

I created the managed application with authorization as "Owner" and "Managed Identity Provider", and also logged in with a user that has the "Owner" role, but still no luck.

amit
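The deployment error quoted in the question is JSON nested three levels deep inside "message" strings, which buries the one fact that matters for triage: which action was denied and at which scope. The following Python helper is an added example (not code from the question or from Azure) that unwraps such ARM deployment errors and extracts the denied action and scope; the sample error is constructed to mirror the question's, with <subscr-id>, <client-id> and <some-id> as placeholders.

```python
import json
import re

# Matches both authorization-failure phrasings quoted in the question.
AUTH_RE = re.compile(r"does not have permission to perform action '([^']+)' "
                     r"(?:at|on the linked) scope(?:\(s\))? '([^']+)'")

def _decode(value):
    # Parse value if it is a JSON-encoded string, else return it unchanged.
    try:
        return json.loads(value) if isinstance(value, str) else value
    except ValueError:
        return value

def flatten_errors(node, depth=0):
    """Yield (depth, code, message); descends into 'details' and into 'message' strings that are JSON."""
    node = _decode(node)
    if isinstance(node, list):
        for item in node:
            yield from flatten_errors(item, depth)
    elif isinstance(node, str):
        yield (depth, None, node)
    elif isinstance(node, dict):
        if isinstance(node.get("error"), dict):   # unwrap {"status": .., "error": {..}}
            node = node["error"]
        inner = _decode(node.get("message") or "")
        if isinstance(inner, (dict, list)):
            yield (depth, node.get("code"), "<nested JSON>")
            yield from flatten_errors(inner, depth + 1)
        else:
            yield (depth, node.get("code"), node.get("message") or "")
        yield from flatten_errors(node.get("details", []), depth + 1)

def authorization_failure(err):
    """Return (action, scope) of the innermost RBAC denial in err, or None."""
    found = None
    for _depth, _code, msg in flatten_errors(err):
        match = AUTH_RE.search(msg)
        if match:
            found = (match.group(1), match.group(2))
    return found

# Constructed sample shaped like the question's error; the ids are placeholders, not real values.
SCOPE = ("/subscriptions/<subscr-id>/resourceGroups/myResourceGroup/providers/Microsoft.Storage/"
         "storageAccounts/myStorageAccount/providers/Microsoft.Authorization/roleAssignments/<some-id>")
SAMPLE_ERROR = {"code": "DeploymentFailed", "message": "At least one resource deployment operation failed.",
  "details": [{"code": "Conflict", "message": json.dumps({"status": "Failed", "error": {
    "code": "ResourceDeploymentFailure", "message": "Terminal provisioning state 'Failed'.",
    "details": [{"code": "ApplianceDeploymentFailed", "message": "Creating the appliance failed.",
      "details": [{"code": "BadRequest", "message": json.dumps({"error": {"code": "InvalidTemplateDeployment",
        "message": "The client '<client-id>' does not have permission to perform action "
        "'Microsoft.Authorization/roleAssignments/write' at scope '" + SCOPE + "'."}})}]}]}})}]}
```

Feeding the real error object (the "error" value returned by the deployment operation) to `authorization_failure` gives the exact action and scope to compare against the deploying principal's role assignments.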