
Getting no permission to add Azure roles to the account message.

I am trying to add Azure role assignments to the storage account. I am creating a function app in Bicep, and the next step after that is that I want to add the 'Storage Blob Data Owner' role for that application.

This is being executed in GitHub via a GitHub Action with a Bicep script.

Authorization failed for template resource 'guid' of type 'Microsoft.Authorization/roleAssignments'. The client 'client id' with object id 'client id' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions//resourceGroups/rg-

So the solution is to create a custom role which has the write permission, but how do I add that custom role to the function app in Bicep?

    resource roleAssignmentStorage 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
      name: guid(subscription().id, principalId, roleDefinitionResourceId)
      properties: {
        roleDefinitionId: roleDefinitionResourceId
        principalId: principalId
        principalType: 'ServicePrincipal'
      }
    }

I don't know how to assign the custom RBAC role I created.
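A complete form of the role assignment the question sketches, as an added example (not the asker's code): it gives a function app's system-assigned identity the built-in 'Storage Blob Data Owner' role scoped to a single storage account. The resource names and the plan parameter are assumptions; the deploying service principal still needs 'Microsoft.Authorization/roleAssignments/write' at the storage account scope, which is the permission the error message reports as missing.

```bicep
// Added example: Storage Blob Data Owner for a function app's managed identity.
// Resource names below are assumptions, not values from the question.
param location string = resourceGroup().location
param storageAccountName string = 'stexample001'
param functionAppName string = 'func-example-001'
param appServicePlanId string

// Built-in role definition id for 'Storage Blob Data Owner'
var storageBlobDataOwnerRoleId = 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'

resource storage 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
  }
}

resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  identity: { type: 'SystemAssigned' }
  properties: {
    serverFarmId: appServicePlanId
    httpsOnly: true
  }
}

// Scoped to the storage account rather than the resource group (least privilege).
// The name is a deterministic GUID so redeploys are idempotent instead of
// failing with a duplicate assignment. The principal running the deployment
// must hold Microsoft.Authorization/roleAssignments/write at this scope.
resource blobOwnerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, functionApp.id, storageBlobDataOwnerRoleId)
  scope: storage
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataOwnerRoleId)
    principalId: functionApp.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```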

2 Answers

Isn't the error coming from the fact that whatever user/application is executing this Bicep template does not have rights to set RBAC permissions? To assign RBAC permissions in your Bicep template, the principal executing the template needs either the User Access Administrator role or Owner role on the resource/resource group/subscription.

juunas
  • az ad sp create-for-rbac --name --role contributor --scopes /subscriptions/subcriptionId --sdk-auth ... I used this command to create a service principal and saved the credentials I got back as a GitHub secret. So this is the service principal used to execute the Bicep script in GitHub. How do I add a custom role to this service principal? – Bobby Jose Dec 11 '22 at 18:13
  • https://learn.microsoft.com/en-us/answers/questions/287573/authorization-failed-when-when-writing-a-roleassig.html – Bobby Jose Dec 11 '22 at 18:15
  • That link is what I am trying to follow as a solution; I don't know how to assign that created role to the service principal... like where do I do that in the portal or CLI? – Bobby Jose Dec 11 '22 at 18:16
  • You can do it either in the portal or CLI. Add a role assignment through the Access Control (IAM) tab of the resource/resource group/subscription. Search for an Application when assigning the role. – juunas Dec 12 '22 at 09:17
  • But this is running from a GitHub repo, so there is no app here. The service principal needs that access. Found the solution, though. Actually, now I understand what that link explains. – Bobby Jose Dec 12 '22 at 18:12

https://learn.microsoft.com/en-us/answers/questions/287573/authorization-failed-when-when-writing-a-roleassig.html

This is the answer I was looking for. Once you create the custom role, as mentioned in the link, you need to create the new credentials using a new service principal. Like:

    az ad sp create-for-rbac --name newServicePrincipal --role 'custom contributor' --scopes /subscriptions/id --sdk-auth

The output of this needs to be saved as the new Azure credentials in your GitHub repo; that's how the service principal which runs the GitHub Actions gets linked to the custom contributor. I missed that part.

Jeremy Caney