1

I need to grant Reader access to my Managed Application outside of the application resource group. The user deploying the app is Owner on the subscription so the deployment should go through but it currently fails because the resource deployment happens under the identity of Appliance Resource Provider instead of the user. Is there a way to create role assignments with Managed Applications?

Snippet of mainTemplate.json (MSI creation + nested-template trying to create the role assignment at the subscription scope):

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {...},
  "variables": {...},
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "name": "[parameters('applicationName')]",
      "apiVersion": "2018-11-30",
      "location": "[parameters('location')]"
    },
...
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "[variables('name')]",
      "subscriptionId": "[subscription().subscriptionId]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('applicationName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "parameters": {
          "principalId": {
            "value": "[reference(resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('applicationName'))).principalId]"
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "principalId": {
              "type": "string"
            }
          },
          "variables": {},
          "resources": [
            // Role: Reader
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2018-09-01-preview",
              "name": "[guid(parameters('principalId'), 'Subscription-Reader')]",
              "properties": {
                "principalId": "[parameters('principalId')]",
                "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
              }
            }
          ]
        }
      }
    }
  ],
}

Managed App deployment error:

{
    "status": "Failed",
    "error": {
        "code": "ApplianceDeploymentFailed",
        "message": "The operation to create appliance failed. Please check operations of deployment 'xxx' under resource group '/subscriptions/xxx/resourceGroups/mrg-xxx-20210727122758'. Error message: 'At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.'",
        "details": [
            {
                "code": "BadRequest",
                "message": "{\r\n  \"error\": {\r\n    \"code\": \"InvalidTemplateDeployment\",\r\n    \"message\": \"The template deployment failed with error: 'Authorization failed for template resource 'f8bc290b-5a10-5da9-a7c4-d2bd5b80cc2d' of type 'Microsoft.Authorization/roleAssignments'. The client '8b967430-badb-45ba-8d11-bca192994047' with object id '8b967430-badb-45ba-8d11-bca192994047' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/xxx/providers/Microsoft.Authorization/roleAssignments/f8bc290b-5a10-5da9-a7c4-d2bd5b80cc2d'.'.\"\r\n  }\r\n}"
            }
        ]
    }
}
Madhuraj Vadde
  • 1,099
  • 1
  • 5
  • 13
Matthieu Maitre
  • 422
  • 3
  • 15
  • How do you deploy this template ? through a devops pipeline ? – Thomas Jul 28 '21 at 22:37
  • The Managed App is deployed through Azure Portal in Managed applications center. Behind the scene ARM runs some sort of background process which deploys this ARM template. – Matthieu Maitre Jul 28 '21 at 22:45

1 Answers1

1

The Appliance Resource Principal is the resource principal that does the deployments for the managed application. It has owner permissions only on the managed resource group and does not have any other permissions outside the resource group on the customers tenant.

To achieve this scenario the customer needs to first grant access to the managed application to do these Role assignments. They can do this by adding an msi on the managed application and granting that msi permissions outside the managed resource group. When the appliance resource principal does the deployments it will include any permissions that the msi on the managed application has during the deployments.

Please see here for details on how the msi can be included during deployment of the managed application : https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/publish-managed-identity#linking-existing-azure-resources

suhasrao
  • 73
  • 2