I'm trying to add the Service Bus Receiver role to a User Assigned Managed Identity via an ARM template.

i.e. this role. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#azure-service-bus-data-receiver

Here is the template

    // User Assigned Managed Identity

    {
        "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
        "apiVersion": "2018-11-30",
        "name": "MyManagedIdentity",
        "location": "[resourceGroup().location]"
    },

    // User Assigned Managed Identity Role

    {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2020-04-01-preview",
        "name": "[guid(resourceGroup().id)]",
        "dependsOn": [
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'MyManagedIdentity')]"
        ],
        "properties": {
            "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419",
            "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'MyManagedIdentity'), '2018-11-30').principalId]"
        }
    },

and it returns this error.

Status Message: Tenant ID, application ID, principal ID, and scope are not allowed to be updated. (Code:RoleAssignmentUpdateNotPermitted)

I'm not sure what is wrong.

I've looked at this quickstart. https://learn.microsoft.com/en-us/azure/role-based-access-control/quickstart-role-assignments-template

The principalId should be from the managed identity, I would think, and the roleDefinitionId from the ID of the Service Bus role.

randy

1 Answer

The issue you are facing is that when you deploy the ARM template for the first time, the identity has only just been created and has not yet been fully replicated, so you might notice that the security principal (user, group, service principal, or managed identity) is listed as "Identity not found" with an Unknown type.

And when you try to update the same role assignment by redeploying the template, it gives you the error "Tenant ID, application ID, principal ID, and scope are not allowed to be updated" because a role assignment with the same ID already exists and it does not allow updating it.

A better option would be to first create the identity with a separate template and then create the role assignment. And for Azure Service Bus Data Receiver, the ID in the template should be:

/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0

Please refer to this documentation for details.

Jagrati Modi
  • I'm not sure that is it, because it never works. Even if I put it in a different ARM template and reference the already existing managed identity. I think the issue is I'm using the wrong role assignment, or maybe the one I'm looking for doesn't exist? I'm trying to set the "Azure role assignments" of the managed identity, not the "Access control - IAM" – randy Mar 17 '21 at 10:44
  • I added in a picture of what I'm trying to set – randy Mar 17 '21 at 10:59
  • It works for me; with this template the role assignment that is created is the same as the Azure role assignment. Check the updated answer with image. – Jagrati Modi Mar 18 '21 at 05:07
  • Yeah, it works for me too, when those are the only 2 resources in my template. I have 12 other resources too. I'm going to try to put dependencies on the other resources to see if that helps. Otherwise I'll have to do what you said and make it a separate template. – randy Mar 18 '21 at 11:43
  • Turns out it worked going to a different resource group. Not exactly sure why. Though it could also be because I added a scope. "scope": "[resourceGroup().id]" – randy Mar 18 '21 at 23:45
  • Great it worked! It takes ResourceGroup as default option for Scope. – Jagrati Modi Mar 19 '21 at 04:34
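Putting the answer and the comment thread together, here is a complete template that avoids both problems discussed above. It is an added example, not the template from the question or the answer: it names the role assignment from the scope, identity and role it binds (so a redeploy with a new principal does not try to update an existing assignment and trip RoleAssignmentUpdateNotPermitted), sets the explicit scope the last comments settled on, builds the roleDefinitionId with subscriptionResourceId instead of a hand-written subscription path, and sets principalType to ServicePrincipal so the assignment does not depend on the new identity having replicated yet. The variable names are mine; the Receiver role GUID is the one given in the answer.

```json
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "variables": {
        "identityName": "MyManagedIdentity",
        // Azure Service Bus Data Receiver (the ID from the answer above)
        "serviceBusDataReceiverRoleId": "4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0"
    },
    "resources": [
        {
            "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
            "apiVersion": "2018-11-30",
            "name": "[variables('identityName')]",
            "location": "[resourceGroup().location]"
        },
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2020-04-01-preview",
            // Deterministic name derived from scope + identity + role: the same
            // triple always maps to the same assignment, a different one gets a new GUID
            "name": "[guid(resourceGroup().id, variables('identityName'), variables('serviceBusDataReceiverRoleId'))]",
            "dependsOn": [
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]"
            ],
            "properties": {
                // Built-in role definitions live at subscription scope
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('serviceBusDataReceiverRoleId'))]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName')), '2018-11-30').principalId]",
                // Tells RBAC what kind of principal this is, so it does not need to
                // look the freshly created identity up in the directory first
                "principalType": "ServicePrincipal",
                // Explicit scope (the default is the resource group; narrow it to the
                // Service Bus namespace resource ID if the identity only needs that)
                "scope": "[resourceGroup().id]"
            }
        }
    ]
}
```

The `//` comments follow the question's own style and are accepted by the Azure CLI and Azure PowerShell deployment commands, but a strict JSON validator will reject them.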