
My template is below, along with an error which does not make sense, since the scope seems to be in the correct order and it's allowed to use this notation per (https://learn.microsoft.com/en-us/rest/api/authorization/roleassignments/create)

    {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2017-05-01",
        "name": "[ guid(resourceGroup().id, 'windowsserverstorage')]",
        "dependsOn": ["[variables('storageaccountname')]"],
        "properties": {
            "roleDefinitionId": "[variables('Contributor')]",
            "principalId": "063fe2f0-7448-48e4-8661-dbb4e9f85d39",
            "scope": "/subscriptions/24ba3e4c-45e3-4d55-8132-6731ca25547f/resourceGroups/MyDemo/providers/Microsoft.Storage/storageAccounts/wkstorage2pzpd"
        }
    }   ,

Error is below

Resource Microsoft.Authorization/roleAssignments '1aed14fd-8f7c-5636-989b-7c134b353fcc' failed with message '{
  "error": {
    "code": "InvalidCreateRoleAssignmentRequest",
    "message": "The request to create role assignment '1aed14fd-8f7c-5636-989b-7c134b353fcc' is not valid. Role assignment scope 
'/subscriptions/24ba3e4c-45e3-4d55-8132-6731cf25547f/resourceGroups/myDemo/providers/Microsoft.Storage/storageAccounts/wkstorage2pzpd' must match the scope specified on the URI 
'/subscriptions/24ba3e4c-45e3-4d55-8132-6731cf25547f/resourcegroups/myDemo'."
  }
}'

If I try to assign it a different way, like below, then a different error is thrown

    {
        "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
        "apiVersion": "2017-05-01",
        "name": "[concat('wkstorage2pzpd/blobServices/default/networkadmins', '/Microsoft.Authorization/', guid(resourceGroup().id, '1231'))]",
        "dependsOn": [
            "[variables('storageaccountname')]"
        ],
        "properties": {
            "roleDefinitionId": "[variables('Contributor')]",
            "principalId": "063fe2f0-7448-48e4-8661-dbb4e9f85d39"
        }
    },

Error

The template resource 
'wkstorage2pzpd/blobServices/default/Microsoft.Authorization/a4b69ebe-d58c-5309-9385-0a2e26d343a3' for type 'Microsoft.Storage/storageAccounts/providers/roleAssignments' at line '179' and column '9' has incorrect segment lengths. 
A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name. Please see https://aka.ms/arm-template/#resources for usage 
details.'.

3 Answers


If you want to assign a role to the service principal at the storage account level, try the template below; it works fine on my side.

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "principalId": {
            "type": "String",
            "metadata": {
                "description": "The principal to assign the role to"
            }
        },
        "builtInRoleType": {
            "allowedValues": [
                "Owner",
                "Contributor",
                "Reader"
            ],
            "type": "String",
            "metadata": {
                "description": "Built-in role to assign"
            }
        }
    },
    "variables": {
        "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
        "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "TestVariable": "[concat('YourStorageAccountName','/Microsoft.Authorization/',guid(subscription().subscriptionId))]"
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
            "name": "[variables('TestVariable')]",
            "apiVersion": "2017-05-01",
            "properties": {
                "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
                "principalId": "[parameters('principalId')]"
            }
        }
    ]
}


Besides, if you want to assign the role at the container level, see this link.

{
    "type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
    "apiVersion": "[variables('apiVersion')]",
    "name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID",
    "properties": {
        "roleDefinitionId": "[variables('StorageBlobDataContributor')]",
        "principalId": "[parameters('principalId')]"
    }
}
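An added example, not code from the question or from either answer, that builds the extension-resource type/name pair this answer relies on for any resource under a resource group (storage account, container, or deeper) and checks it against the segment rule quoted in the second error of the question. It is Python rather than ARM JSON because the point is the string arithmetic behind the template: the type is the target's type with `/providers/roleAssignments` appended, the name is the target's name segments with `/Microsoft.Authorization/<guid>` appended, and the deployed assignment's scope is then the target resource itself. The built-in role GUIDs are the ones in the answers, the storage account and principal are the question's, and the uuid5-based assignment name is an assumption standing in for ARM's guid() function (same idea, deterministic redeploys, not the same algorithm):

```python
"""Build a resource-scoped ARM roleAssignments resource and check the
segment rule from the error in the question.  Added example, not code
from the question or the answers on this page."""
import json
import re
import uuid

# Built-in role definition GUIDs, the same three used by the answers above.
BUILTIN_ROLES = {
    "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
}

# Full resource ID of something living in a resource group:
# /subscriptions/<sub>/resourceGroups/<rg>/providers/<ns>/<type>/<name>[/<childType>/<childName>...]
_RESOURCE_ID = re.compile(
    r"/subscriptions/([^/]+)/resourceGroups/([^/]+)/providers/([^/]+)/(.+)",
    re.IGNORECASE,
)


def segments_ok(resource_type: str, name: str, nested: bool = False) -> bool:
    """The rule quoted in the second error above: a root resource's type has
    one more '/'-separated segment than its name; a resource declared inside
    its parent's 'resources' array has the same number in both."""
    t = len(resource_type.strip("/").split("/"))
    n = len(name.strip("/").split("/"))
    return t == (n if nested else n + 1)


def role_assignment_resource(target_id: str, principal_id: str, role: str,
                             api_version: str = "2017-05-01") -> dict:
    """Return a top-level template resource that assigns `role` to
    `principal_id` at exactly `target_id`, not at the resource group."""
    m = _RESOURCE_ID.fullmatch(target_id)
    if not m:
        raise ValueError("target_id must be a full resource ID inside a resource group")
    subscription_id, _rg, namespace, rest = m.groups()
    parts = rest.split("/")
    if len(parts) % 2 or not all(parts):
        raise ValueError("resource ID must alternate <type>/<name> segments")
    types, names = parts[0::2], parts[1::2]

    role_guid = BUILTIN_ROLES[role]
    # Deterministic assignment name so redeploying the template is idempotent.
    # Assumption: uuid5 over (scope, principal, role) stands in for ARM's
    # guid() function; it is not the same algorithm, only the same idea.
    assignment_name = str(uuid.uuid5(
        uuid.NAMESPACE_URL, f"{target_id.lower()}|{principal_id.lower()}|{role_guid}"))

    resource_type = "/".join([namespace, *types, "providers", "roleAssignments"])
    resource_name = "/".join([*names, "Microsoft.Authorization", assignment_name])
    if not segments_ok(resource_type, resource_name):
        raise AssertionError(f"segment mismatch: {resource_type!r} vs {resource_name!r}")

    return {
        "type": resource_type,
        "apiVersion": api_version,
        "name": resource_name,
        "dependsOn": [target_id],
        "properties": {
            "roleDefinitionId": (f"/subscriptions/{subscription_id}/providers/"
                                 f"Microsoft.Authorization/roleDefinitions/{role_guid}"),
            "principalId": principal_id,
        },
    }


def expected_assignment_id(target_id: str, resource: dict) -> str:
    """The ID the deployed assignment should get; its scope is `target_id`."""
    guid = resource["name"].rsplit("/", 1)[-1]
    return f"{target_id}/providers/Microsoft.Authorization/roleAssignments/{guid}"


if __name__ == "__main__":
    # Storage account and principal taken from the question.
    sa = ("/subscriptions/24ba3e4c-45e3-4d55-8132-6731ca25547f/resourceGroups/MyDemo"
          "/providers/Microsoft.Storage/storageAccounts/wkstorage2pzpd")
    r = role_assignment_resource(sa, "063fe2f0-7448-48e4-8661-dbb4e9f85d39", "Contributor")
    print(json.dumps(r, indent=2))
    print(expected_assignment_id(sa, r))
```

Running it prints a resource of type `Microsoft.Storage/storageAccounts/providers/roleAssignments` named `wkstorage2pzpd/Microsoft.Authorization/<guid>` (4 and 3 segments), which is exactly the shape this answer's `TestVariable` produces; feeding it a container ID yields the 6-segment type and 5-segment name of the container snippet above. The question's second attempt fails `segments_ok` because it pairs that 4-segment type with a 6-segment name.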

In addition to Joy's answer, you may use the template below as well; it works fine for me.

Parameters template:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "value": "xxxxxxxxxxxxxxxxxxxxxxxx"
    },
    "builtInRoleType": {
      "value": "xxxxxxxxxxx"
    },
    "roleNameGuid": {
      "value": "xxxxxxxxxxxxxxxxxxxxxxxx"
    },
    "storageAccountName": {
      "value": "xxxxxxxxxxxxxxxxxxxxxxxx"
    }
  }
}

Main template:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "The principal to assign the role to"
      }      
    },
    "builtInRoleType": {
      "type": "string",
      "allowedValues": [
        "Owner",
        "Contributor",
        "Reader"
      ],
      "metadata": {
        "description": "Built-in role to assign"
      }      
    },
    "roleNameGuid": {
      "type": "string",
      "metadata": {
        "description": "A new GUID used to identify the role"
      }      
    },
    "storageAccountName": {
        "type": "string",
        "metadata": {
            "description": "Name of the storage account"
        }
    }
  },
  "variables": {
    "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
    "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
    "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
    "resourceName": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', parameters('roleNameGuid'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
      "apiVersion": "2017-05-01",
      "name": "[variables('resourceName')]",
      "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[parameters('principalId')]"
      }
    }
  ]
}


He is attempting to create a role assignment at the level/scope of the resource itself.

If you verify the selected answer with this --> az role assignment list --all, you will see that (with the selected answer) you are setting the scope to the resource group, not the resource itself. The answer given is wrong. Right?
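To check the point raised in this answer, here is an added Python example (not from any answer on this page) that reads the JSON `az role assignment list --all -o json` prints and reports, for one principal and one target resource, which assignments sit exactly at that resource and which are inherited from the resource group or subscription. The records are constructed for the example; the subscription ID is a placeholder, the principal and storage account name are the question's, and the field names (`name`, `principalId`, `roleDefinitionName`, `scope`) are the ones the CLI emits:

```python
"""Tell resource-scoped from inherited role assignments in the output of
`az role assignment list --all -o json`.  Added example; the records below
are constructed, not a real listing."""
import json

# Constructed stand-in for the CLI output.  Subscription ID is a placeholder;
# principal and storage account are the ones from the question.
SAMPLE_AZ_OUTPUT = json.dumps([
    {   # Contributor at the resource group: covers the storage account and every sibling
        "name": "11111111-1111-1111-1111-111111111111",
        "principalId": "063fe2f0-7448-48e4-8661-dbb4e9f85d39",
        "roleDefinitionName": "Contributor",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/mydemo",
    },
    {   # data-plane role at exactly the storage account
        "name": "22222222-2222-2222-2222-222222222222",
        "principalId": "063fe2f0-7448-48e4-8661-dbb4e9f85d39",
        "roleDefinitionName": "Storage Blob Data Contributor",
        "scope": ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyDemo"
                  "/providers/Microsoft.Storage/storageAccounts/wkstorage2pzpd"),
    },
    {   # someone else's subscription-wide Reader; must be ignored for our principal
        "name": "33333333-3333-3333-3333-333333333333",
        "principalId": "ffffffff-ffff-ffff-ffff-ffffffffffff",
        "roleDefinitionName": "Reader",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
    },
])


def _norm(scope: str) -> str:
    # ARM treats scopes case-insensitively; the error in the question shows
    # 'resourceGroups/MyDemo' and 'resourcegroups/myDemo' for the same group.
    return scope.rstrip("/").lower()


def covers(scope: str, target: str) -> bool:
    """True if an assignment at `scope` applies to `target` (same scope or an ancestor)."""
    s, t = _norm(scope), _norm(target)
    return t == s or t.startswith(s + "/")


def classify(az_json: str, target_id: str, principal_id: str):
    """Split the principal's assignments into those exactly at `target_id`
    and those inherited from a broader scope.  Assignments whose scope does
    not reach `target_id` at all are dropped."""
    exact, inherited = [], []
    for rec in json.loads(az_json):
        if rec["principalId"].lower() != principal_id.lower():
            continue
        if _norm(rec["scope"]) == _norm(target_id):
            exact.append(rec)
        elif covers(rec["scope"], target_id):
            inherited.append(rec)
    return exact, inherited


def scoped_correctly(az_json: str, target_id: str, principal_id: str, role_name: str) -> bool:
    """The check this answer asks for: the role is held at the resource itself
    and not also at the resource group or above, where the same role would
    reach every sibling resource."""
    exact, inherited = classify(az_json, target_id, principal_id)
    at_resource = any(r["roleDefinitionName"] == role_name for r in exact)
    broader = any(r["roleDefinitionName"] == role_name for r in inherited)
    return at_resource and not broader


if __name__ == "__main__":
    target = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyDemo"
              "/providers/Microsoft.Storage/storageAccounts/wkstorage2pzpd")
    principal = "063fe2f0-7448-48e4-8661-dbb4e9f85d39"
    exact, inherited = classify(SAMPLE_AZ_OUTPUT, target, principal)
    for r in exact:
        print("at resource:   ", r["roleDefinitionName"], r["scope"])
    for r in inherited:
        print("inherited from:", r["roleDefinitionName"], r["scope"])
```

On a live subscription, replace `SAMPLE_AZ_OUTPUT` with the captured CLI output and `target` with the storage account's resource ID; an assignment that was meant for the account but shows up under "inherited from" with the resource group as its scope is the situation this answer describes.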
