I'm trying to assign the RBAC role "Reader" to a list of users at the subscription level. When I try to do it for one user, the ARM template works, but for a list of users it gives this error.

InvalidRoleAssignmentId: The role assignment ID 'u4ttmsjymtpe21' is not valid. The role assignment ID must be a GUID.
InvalidRoleAssignmentId: The role assignment ID 'u4ttmsjymtpe20' is not valid. The role assignment ID must be a GUID.

Here's the code I used:

{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
    "principalId": {
        "type": "array"
    },
    "builtInRoleType": {
        "type": "string"
    },
    "guidValue": {
        "type": "string"
    }
},
"variables": {
    "unique_string":"[uniqueString(parameters('guidValue'))]",
    "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
},
"resources": [
    {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2018-09-01-preview",
        "name": "[concat(variables('unique_string'),copyIndex())]",
        "copy": {
            "name": "useridLoop",
            "count": "[length(parameters('principalId'))]"
        },
        "properties": {
            "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
            "principalId": "[parameters('principalId')[copyIndex()]]"
        }
    }
]

}

This is the parameter file:

{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
    "principalId": {
        "value": [
            "b5*****c-****-****-****-c*****0*****",
            "e******d-****-****-****-b*****b*****"
        ]
    },
    "builtInRoleType": {
        "value":  "Reader"
    },
    "guidValue": {
        "value": "[newGuid()]"
    }
}

}

old_timer

1 Answer

InvalidRoleAssignmentId: The role assignment ID 'u4ttmsjymtpe21' is not valid. The role assignment ID must be a GUID.
InvalidRoleAssignmentId: The role assignment ID 'u4ttmsjymtpe20' is not valid. The role assignment ID must be a GUID.

Instead of passing [newGuid()] as the value of the parameter, you need to pass it as the default value of the parameter. Because of this, you ended up with the above error message.

We made some changes to the template shared above and tried deploying the modified template; we were able to assign the users as 'Reader' to the subscription.

Here is the modified ARM template:

{
   "$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
   "contentVersion":"1.0.0.0",
   "parameters":{
      "principalId":{
         "type":"array"
      },
      "name":{
         "type":"string",
         "defaultValue":"[newGuid()]"
      }
   },
   "variables":{
      "Reader":"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
   },
   "resources":[
      {
         "type":"Microsoft.Authorization/roleAssignments",
         "apiVersion":"2018-09-01-preview",
         "name":"[guid(concat(parameters('name'),copyIndex()))]",
         "copy":{
            "name":"useridLoop",
            "count":"[length(parameters('principalId'))]"
         },
         "properties":{
            "roleDefinitionId":"[variables('Reader')]",
            "principalId":"[parameters('principalId')[copyIndex()]]"
         }
      }
   ]
}

Here is the parameter.json file:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "value": [
          <object-id of the users>
      ]
    }
  }
}

Here is the sample output for reference:

[Two screenshots omitted]

VenkateshDodda
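
An added example, not part of the question or the answer above: a small pre-deployment check in Python that flags `Microsoft.Authorization/roleAssignments` resources whose `name` is neither a literal GUID nor a `guid(...)` expression, and notes names seeded from `newGuid()`, which evaluates to a different value on each deployment. The helper names and the `STABLE` template are assumptions made for illustration; the heuristic looks only at the outermost function and does not evaluate ARM expressions.

```python
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
ROLE_ASSIGNMENT = "microsoft.authorization/roleassignments"

def outer_function(expr):
    """Outermost ARM function of a '[fn(...)]' expression, or None for a literal."""
    m = re.match(r"\[\s*([A-Za-z]+)\s*\(", expr)
    return m.group(1).lower() if m else None

def check_role_assignment_names(template):
    """Return (name, finding) pairs for roleAssignments whose name is suspect.

    Conservative heuristic: only a literal GUID or an outermost guid(...) passes.
    """
    findings = []
    params = template.get("parameters", {})
    for res in template.get("resources", []):
        if res.get("type", "").lower() != ROLE_ASSIGNMENT:
            continue
        name = res.get("name", "")
        fn = outer_function(name)
        if fn is None:
            if not GUID_RE.match(name):
                findings.append((name, "literal name is not a GUID"))
        elif fn != "guid":
            findings.append((name, f"outermost function is {fn}(), not guid()"))
        else:
            # guid() output is valid; note seeds that change on every deployment.
            for p in re.findall(r"parameters\('([^']+)'\)", name):
                default = str(params.get(p, {}).get("defaultValue", ""))
                if "newguid()" in default.lower():
                    findings.append((name, f"seeded by newGuid() through parameter '{p}'"))
    return findings

def resource(name):
    return {"type": "Microsoft.Authorization/roleAssignments", "name": name}

# Name expressions copied from the question and the answer on this page.
QUESTION = {"parameters": {"guidValue": {"type": "string"}},
            "resources": [resource("[concat(variables('unique_string'),copyIndex())]")]}
ANSWER = {"parameters": {"name": {"type": "string", "defaultValue": "[newGuid()]"}},
          "resources": [resource("[guid(concat(parameters('name'),copyIndex()))]")]}
# Constructed variant (assumption): seed built from scope, principal and role.
STABLE = {"parameters": {"principalId": {"type": "array"}},
          "resources": [resource("[guid(subscription().id, parameters('principalId')[copyIndex()], variables('Reader'))]")]}

if __name__ == "__main__":
    for label, tpl in (("question", QUESTION), ("answer", ANSWER), ("stable", STABLE)):
        print(label, check_role_assignment_names(tpl))
```

A name seeded from the scope, the principal and the role definition, as in `STABLE`, stays the same across deployments of the same assignment.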