
What needs to be changed in the ARM template below in order for it to add the subscription Owner role to the given principal id?

The problem we are getting is that the following ARM template and invocation command are assigning an unintended resource group Owner role and NOT the desired subscription Owner role.

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "principalId": {
        "type": "string",
        "metadata": {
          "description": "principalId of the user or service principal that will be given the role in roleDefinitionId"
        }
      },
      "roleDefinitionId": {
        "type": "string",
        "defaultValue": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
        "metadata": { "description": "roleDefinition for the assignment - default is owner" }
      }
    },
    "variables": {
      "roleAssignmentName": "[guid(subscription().id, parameters('principalId'), parameters('roleDefinitionId'))]"
    },
    "resources": [
      {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2020-08-01-preview",
        "name": "[variables('roleAssignmentName')]",
        "properties": {
          "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', parameters('roleDefinitionId'))]",
          "principalId": "[parameters('principalId')]"
        }
      }
    ]
}

The command we are running to invoke the above template is:

az deployment group create --resource-group myRgName --template-file myTemplateName.json --parameters principalId=<service-principal-id>

The user account that is running the preceding cli command is subscription owner and thus has permissions to assign another subscription owner.

2 Answers


  1. The deployment you are initiating is with a resource group scope, not with a subscription scope.

    For more information on the "az" command set, look at the documentation over HERE.

    For more information about the role assignment, take a look at the documentation over HERE (Look at the section about "az deployment sub create")

    az deployment sub create --location centralus --template-file rbac-test.json --parameters principalId=$objectid builtInRoleType=Reader

  2. The problem we are getting is that the following arm template and invocation command are assigning unintended resource group owner and NOT the desired subscription owner.

    I have used the ARM template below to assign the role to the subscription.

    {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "principalId": {
          "type": "string",
          "metadata": {
            "description": "The principal to assign the role to"
          }
        },
        "builtInRoleType": {
          "type": "string",
          "allowedValues": [
            "Owner"
          ],
          "metadata": {
            "description": "Built-in role to assign"
          }
        },
        "roleNameGuid": {
          "type": "string",
          "defaultValue": "[newGuid()]",
          "metadata": {
            "description": "A new GUID used to identify the role assignment"
          }
        }
      },
      "variables": {
        "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
        "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
      },
      "resources": [
        {
          "type": "Microsoft.Authorization/roleAssignments",
          "apiVersion": "2022-04-01",
          "name": "[parameters('roleNameGuid')]",
          "properties": {
            "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
            "principalId": "[parameters('principalId')]"
          }
        }
      ]
    }
    

    Here is the Azure CLI command to assign the Owner role to the subscription.

    $objectid = "user-object-id"
    az deployment sub create --location centralus --template-file owner.json --parameters principalId=$objectid builtInRoleType=Owner
    

    Output: (screenshot of the deployment output)

    Reference: Resource group or subscription scope

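Both answers come down to the same point: a `Microsoft.Authorization/roleAssignments` resource with no explicit `scope` property is created at the scope of the deployment itself, so `az deployment group create` yields a resource-group assignment and `az deployment sub create` a subscription one. The following pre-flight check is an added example (not code from the question or either answer): it pairs a template with the CLI command that will deploy it and reports where each assignment will land, flags a schema/command mismatch such as the subscription schema deployed with `group create`, and checks for the `--location` / `--resource-group` flag the chosen scope requires. The embedded template is constructed from the question's template; `t.json` and `PLACEHOLDER` are stand-ins.

```python
"""Pre-flight check: where will a roleAssignment in an ARM template land when
deployed with a given `az deployment ... create` command? Added example, not
code from the question or either answer."""
import json
import re
import shlex

# Built-in role definition GUIDs; identical in every Azure tenant.
BUILTIN_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
}
# Which `az deployment <scope> create` a template schema is meant for. The generic
# 2015-01-01 deploymentTemplate schema (second answer) works at both scopes.
SCHEMA_SCOPES = {
    "deploymentTemplate.json": {"group", "sub"},
    "subscriptionDeploymentTemplate.json": {"sub"},
}
SCOPE_NAME = {"group": "resource group", "sub": "subscription"}
REQUIRED_FLAG = {"group": "--resource-group", "sub": "--location"}
SHORT_FLAGS = {"-g": "--resource-group", "-l": "--location"}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def parse_command(command):
    """Return (scope, set of long-form flags) from an `az deployment <scope> create` line."""
    argv = shlex.split(command)
    if argv[:2] != ["az", "deployment"] or len(argv) < 4 or argv[3] != "create":
        raise ValueError("expected: az deployment <group|sub> create ...")
    scope = argv[2]
    if scope not in SCOPE_NAME:
        raise ValueError(f"unsupported deployment scope {scope!r}")
    return scope, {SHORT_FLAGS.get(a, a) for a in argv[4:] if a.startswith("-")}


def role_name(expr, template):
    """Best-effort: expand parameters('x') defaults and variables('x') textually,
    then look for a role definition GUID in the resulting expression."""
    params = template.get("parameters", {})
    variables = template.get("variables", {})
    text = re.sub(r"parameters\('(\w+)'\)",
                  lambda m: str(params.get(m.group(1), {}).get("defaultValue", m.group(0))), expr)
    text = re.sub(r"variables\('(\w+)'\)",
                  lambda m: str(variables.get(m.group(1), m.group(0))), text)
    found = GUID_RE.search(text)
    if not found:
        return None  # decided at deploy time, e.g. variables(parameters('builtInRoleType'))
    return BUILTIN_ROLES.get(found.group(0).lower(), "custom/unknown")


def check(template, command):
    """Report the scope each role assignment will get, plus anything that looks wrong."""
    scope, flags = parse_command(command)
    schema_file = template["$schema"].rstrip("#").rsplit("/", 1)[-1]
    problems = []
    allowed = SCHEMA_SCOPES.get(schema_file)
    if allowed is None:
        problems.append(f"unrecognised template schema {schema_file}")
    elif scope not in allowed:
        problems.append(f"{schema_file} is for {sorted(allowed)} deployments, "
                        f"but the command is 'az deployment {scope} create'")
    if REQUIRED_FLAG[scope] not in flags:
        problems.append(f"'az deployment {scope} create' needs {REQUIRED_FLAG[scope]}")
    assignments = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Authorization/roleAssignments":
            continue
        # With no explicit `scope` property the assignment is created at the
        # deployment's own scope: the resource group for `group`, the whole
        # subscription for `sub`. That is the mix-up in the question.
        assignments.append({"role": role_name(res["properties"]["roleDefinitionId"], template),
                            "scope": res.get("scope", SCOPE_NAME[scope])})
    return {"deploy_scope": scope, "assignments": assignments, "problems": problems}


# Constructed from the question's template: subscription schema, Owner by default.
QUESTION_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "principalId": {"type": "string"},
        "roleDefinitionId": {"type": "string", "defaultValue": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"},
    },
    "resources": [{
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2020-08-01-preview",
        "name": "[guid(subscription().id, parameters('principalId'), parameters('roleDefinitionId'))]",
        "properties": {
            "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, "
                                "'/providers/Microsoft.Authorization/roleDefinitions/', parameters('roleDefinitionId'))]",
            "principalId": "[parameters('principalId')]",
        },
    }],
}
# The two invocations from the thread; PLACEHOLDER stands in for the real object id.
WRONG_CMD = "az deployment group create --resource-group myRgName --template-file t.json --parameters principalId=PLACEHOLDER"
RIGHT_CMD = "az deployment sub create --location centralus --template-file t.json --parameters principalId=PLACEHOLDER"

if __name__ == "__main__":
    for cmd in (WRONG_CMD, RIGHT_CMD):
        print(cmd, "\n ", json.dumps(check(QUESTION_TEMPLATE, cmd)))
```

Running the script prints the question's command resolving to an Owner assignment on the resource group (with a schema mismatch flagged) and the `sub create` command resolving to an Owner assignment on the subscription. The role lookup is textual and only succeeds when the GUID is in the template or a parameter default; for the second answer's `variables(parameters('builtInRoleType'))` pattern it returns None because the role is chosen on the command line.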