What I am trying to do is assign the Storage Blob Data Contributor role to one of my Function Apps so that the function app can access the storage account and download files from the container. The code I have written is

    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-10-01-preview",
      "name": "[guid(variables('functionAppName'), 'storageAccountAccessRole')]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
      ],
      "properties": {
        "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'xxxxxxxxxxxxxxx')]", // Storage Blob Data Contributor
        "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), '2021-01-15', 'full').identity.principalId]",
        "scope": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Storage/storageAccounts/', parameters('StorageAccountName'))]"
      }
    }

I also tried

    {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2020-10-01-preview",
        "name": "[guid(variables('functionAppName'), 'storageAccountAccessRole')]",
        "dependsOn": [
            "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
        ],
        "properties": {
            "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'xxxxxxxxxxxxxxxxxxxx')]", // Storage Blob Data Contributor
            "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), '2021-01-15', 'full').identity.principalId]",
            "scope": "[resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName'))]"
        }
    }

but they both return

    ##[error]InvalidCreateRoleAssignmentRequest: The request to create role assignment 'xxxxxxxxxxxxxx' is not valid. Role assignment scope '/subscriptions/yyyyyyyyyyyy/resourceGroups/zzzzzzz-rg/providers/Microsoft.Storage/storageAccounts/StorageAccountName' must match the scope specified on the URI '/subscriptions/yyyyyyyyyyy/resourcegroups/zzzzzzzz-rg'.

Both of these resources are under the same resource group. Any hints or ideas? I have reviewed some other similar questions on Stack Overflow, like "Getting issue The request to create role assignment 'xxxx--x-x-x--x-x-x-xxxxxxx' is not valid. Role assignment scope must match the scope specified" and "RBAC assignment via ARM template errors out with InvalidCreateRoleAssignmentRequest". If I change the type to 'microsoft.storage/storageAccounts/providers/roleAssignments' it fails because there is no such type, and for the scope I need a resource like the storage account or container, not the subscription or resource group scope. Reading the error message, the URI shows the scope is at the resource group level; how can I change the URI to the resource level?

2 Answers

The issue has been solved, but it is not the perfect solution for me. The main problem is that the scope for the URI is the resource group, whereas the scope I set is the resource itself. Once I changed it to the resource group scope, the problem was solved.

Scope should be outside

    {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2022-04-01",
        "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('accountName'))]",
        "name": "[guid(variables('functionAppName'), 'storageAccountAccessRole')]",
        "properties": {
            "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
            "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), '2021-01-15', 'full').identity.principalId]",
            "principalType": "ServicePrincipal"
        },
        "dependsOn": [
            "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]",
            "[resourceId('Microsoft.Storage/storageAccounts', parameters('accountName'))]"
        ]
    }

17d1049b-9a84-46fb-8f53-869881c3d3ab is the built-in Storage Account Contributor role; it is a fixed value.


Try using azure bicep it is much easier to code in the scenario, below is something what be similar to yours:

    param logicappName string = 'xxx'

    param keyVaultName string = 'xxx'

    resource keyvault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
      name: keyVaultName
    }

    resource logicapp 'Microsoft.Logic/workflows@2019-05-01' existing = {
      name: logicappName
    }

    resource roleAssign 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
      name: guid(logicappName, 'saRoleAssign')
      scope: keyvault
      properties: {
        principalId: logicapp.identity.principalId
        roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions','17d1049b-9a84-46fb-8f53-869881c3d3ab')
        // roleDefinitionId: contributorRoleDefinition.id
        principalType: 'ServicePrincipal'
      }
    }

    // resource contributorRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-05-01-preview' existing = {
    //   scope: subscription()
    //   name: '17d1049b-9a84-46fb-8f53-869881c3d3ab'
    // }

    // using the commented-out version also works

1 Comment

Moving the scope outside did not fix the issue for me, same error as before.
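As an added example (not code from the question or from either answer), here is a small Python linter that reads an ARM template, tolerating the `//` comments the question's template uses, and reports the three things that decide whether a role assignment like this one is both deployable and least-privilege: whether `scope` sits at the top level of the resource (a `scope` inside `properties` does not move the request off the deployment's resource-group URI, which is exactly the mismatch in the error message above), whether `principalType` is set, and whether the role is a data-plane role. The two embedded templates are constructed from the page's snippets; the `deployment_scope` argument and the `xxxx` role placeholder are assumptions, while the role GUIDs are Azure's fixed built-in IDs: `ba92f5b4-2d11-453d-a403-e96b0029c9fe` is Storage Blob Data Contributor, the role the question asked for, whereas `17d1049b-9a84-46fb-8f53-869881c3d3ab` used in the answer is Storage Account Contributor, a control-plane role that does not by itself grant blob reads through Azure AD authentication.

```python
"""Lint ARM role-assignment resources for the scope mistake in the question.

Added example; not code from the question or either answer. Templates below are
constructed from the page's snippets; only the role GUIDs are real Azure values.
"""
import json
import re

# Built-in role definition IDs: identical in every Azure subscription.
# Value: (display name, grants data-plane access to blobs?)
BUILTIN_ROLES = {
    "ba92f5b4-2d11-453d-a403-e96b0029c9fe": ("Storage Blob Data Contributor", True),
    "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1": ("Storage Blob Data Reader", True),
    "17d1049b-9a84-46fb-8f53-869881c3d3ab": ("Storage Account Contributor", False),
    "b24988ac-6180-42a0-ab88-20f7382dd24c": ("Contributor", False),
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def strip_jsonc(text: str) -> str:
    """Drop // line comments that appear outside JSON strings (ARM tooling accepts them)."""
    out, in_str, i = [], False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < len(text):   # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):            # comment runs to end of line
            nl = text.find("\n", i)
            i = len(text) if nl == -1 else nl
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def lint_role_assignments(template: dict, deployment_scope: str) -> list:
    """Return one finding per problem; an empty list means the assignment is well-formed."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.authorization/roleassignments":
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})
        if "scope" not in res:
            # The PUT is issued against the deployment scope's URI; a scope nested
            # in properties does not change that URI, it merely disagrees with it.
            msg = f"{name}: no top-level 'scope'; request URI will be {deployment_scope}"
            if "scope" in props:
                msg += " while properties.scope names another resource (InvalidCreateRoleAssignmentRequest)"
            findings.append(msg)
        if "principalType" not in props:
            findings.append(f"{name}: set properties.principalType (e.g. ServicePrincipal) so a "
                            "just-created managed identity is not rejected due to replication delay")
        m = GUID_RE.search(props.get("roleDefinitionId", ""))
        if m is None:
            findings.append(f"{name}: roleDefinitionId contains no role GUID (placeholder?)")
        else:
            role = BUILTIN_ROLES.get(m.group(0).lower())
            if role is None:
                findings.append(f"{name}: unrecognised role {m.group(0)}")
            elif not role[1]:
                findings.append(f"{name}: {role[0]} is control-plane only; reading blobs with "
                                "Azure AD auth needs a Storage Blob Data role")
    return findings


def lint_jsonc(text: str, deployment_scope: str) -> list:
    return lint_role_assignments(json.loads(strip_jsonc(text)), deployment_scope)


# Constructed from the question's second attempt: scope nested in properties.
QUESTION_TEMPLATE = """{
  "resources": [{
    "type": "Microsoft.Authorization/roleAssignments",
    "apiVersion": "2020-10-01-preview",
    "name": "[guid(variables('functionAppName'), 'storageAccountAccessRole')]",
    "properties": {
      "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'xxxxxxxxxxxxxxxxxxxx')]", // placeholder, as in the question
      "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), '2021-01-15', 'full').identity.principalId]",
      "scope": "[resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName'))]"
    }
  }]
}"""

# Constructed: top-level scope on the storage account, data-plane role, principalType set.
FIXED_TEMPLATE = """{
  "resources": [{
    "type": "Microsoft.Authorization/roleAssignments",
    "apiVersion": "2022-04-01",
    "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('StorageAccountName'))]",
    "name": "[guid(variables('functionAppName'), 'storageAccountAccessRole')]",
    "properties": {
      "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
      "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), '2021-01-15', 'full').identity.principalId]",
      "principalType": "ServicePrincipal"
    }
  }]
}"""

if __name__ == "__main__":
    rg = "/subscriptions/<sub-id>/resourceGroups/<rg-name>"   # placeholder deployment scope
    for label, tpl in (("question", QUESTION_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, lint_jsonc(tpl, rg) or ["ok"])
```

Run it against your own template with `lint_jsonc(open("template.json").read(), deployment_scope)`; the fixed form produces no findings, and the question's form reports the nested scope, the missing `principalType` and the placeholder role ID. The scope check is the one that matters for the error on this page; the other two are the checks a reviewer would add so that the assignment is pinned to a single storage account with a data-plane role rather than a broader control-plane one.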
