
What I am trying to do is assign the Storage Blob Data Contributor role to one of my Function Apps so that the function app can access the storage account and download files from the container. The code I have written is

    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-10-01-preview",
      "name": "[guid(variables('functionAppName'), 'storageAccountAccessRole')]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
      ],
      "properties": {
        "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'xxxxxxxxxxxxxxx')]", // Storage Blob Data Contributor
        "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), '2021-01-15', 'full').identity.principalId]",
        "scope": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Storage/storageAccounts/', parameters('StorageAccountName'))]"
      }
    }

I also tried

    {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2020-10-01-preview",
        "name": "[guid(variables('functionAppName'), 'storageAccountAccessRole')]",
        "dependsOn": [
            "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
        ],
        "properties": {
            "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'xxxxxxxxxxxxxxxxxxxx')]", // Storage Blob Data Contributor
            "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), '2021-01-15', 'full').identity.principalId]",
            "scope": "[resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName'))]"
        }
    }

but they all return

    ##[error]InvalidCreateRoleAssignmentRequest: The request to create role assignment 'xxxxxxxxxxxxxx' is not valid. Role assignment scope '/subscriptions/yyyyyyyyyyyy/resourceGroups/zzzzzzz-rg/providers/Microsoft.Storage/storageAccounts/StorageAccountName' must match the scope specified on the URI '/subscriptions/yyyyyyyyyyy/resourcegroups/zzzzzzzz-rg'.

Both of these resources are under the same resource group; any hints or ideas?

I have reviewed some other similar questions on Stack Overflow, like "Getting issue The request to create role assignment 'xxxx–x-x-x–x-x-x-xxxxxxx' is not valid. Role assignment scope must match the scope specified" and "RBAC assignment via ARM template errors out with InvalidCreateRoleAssignmentRequest". If I change the type to 'microsoft.storage/storageAccounts/providers/roleAssignments' I get an error that there is no such type, and for the scope I need a resource like the storage account or container, not subscription or resource group scope. Reading the error message, the URI shows that the scope is the resource group range; how could I change the URI to the resource range?

2 Answers


  1. Chosen as BEST ANSWER

The issue has been solved, but it is not the perfect solution for me. The main issue is that the scope for the URI is the resource group, however the scope I set is the resource itself. Once it was changed to the resource group range the problem was solved.


  2. Scope should be outside of properties:

    {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2022-04-01",
        "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('accountName'))]",
        "name": "[guid(variables('functionAppName'), 'storageAccountAccessRole')]",
        "properties": {
          "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
          "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), '2021-01-15', 'full').identity.principalId]",
          "principalType": "ServicePrincipal"
        },
        "dependsOn": [
          "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]",
          "[resourceId('Microsoft.Storage/storageAccounts', parameters('accountName'))]"
        ]
      }
    

    17d1049b-9a84-46fb-8f53-869881c3d3ab is the built-in Storage Account Contributor role; it is a fixed value.


    Try using Azure Bicep; it is much easier to code in this scenario. Below is something that would be similar to yours:

    param logicappName string = 'xxx'
    param keyVaultName string = 'xxx'

    // Existing resources referenced by the assignment (nothing is created here).
    resource keyvault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
      name: keyVaultName
    }

    resource logicapp 'Microsoft.Logic/workflows@2019-05-01' existing = {
      name: logicappName
    }

    // Role assignments are extension resources: the target is given by the
    // resource-level `scope`, not by a scope inside `properties`.
    resource roleAssign 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
      name: guid(logicappName, 'saRoleAssign')
      scope: keyvault
      properties: {
        principalId: logicapp.identity.principalId
        roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')
        // roleDefinitionId: contributorRoleDefinition.id
        principalType: 'ServicePrincipal'
      }
    }

    // Alternative: reference the built-in role definition as an existing
    // subscription-scoped resource and use its id (the commented-out line above).
    // resource contributorRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-05-01-preview' existing = {
    //   scope: subscription()
    //   name: '17d1049b-9a84-46fb-8f53-869881c3d3ab'
    // }
    //
    // The commented-out form also works.
    
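The error in the question comes from where `scope` sits. ARM derives the request URI for a role assignment from the resource-level `scope` (defaulting to the deployment's resource group when there is none) and then requires `properties.scope`, if present, to match that URI; a scope set only inside `properties` therefore always mismatches unless it names the resource group. Two further points a practitioner wants before deploying: the GUID used in the answer above, 17d1049b-9a84-46fb-8f53-869881c3d3ab, is the control-plane Storage Account Contributor role, while the data-plane role the question actually asks for, Storage Blob Data Contributor, is ba92f5b4-2d11-453d-a403-e96b0029c9fe; and `principalType: ServicePrincipal` should be set for a managed identity so the assignment does not fail on replication delay. The following is an added example, not code from the question or either answer: a small offline linter that reads an ARM template as plain JSON (templates with `//` comments would need those stripped first) and reports the scope placement, the resolved built-in role, and the missing `principalType`. The two templates embedded in it are constructed for the example; the role GUIDs are the fixed Azure built-in values.

```python
"""Lint ARM role assignments for the scope mistake discussed above (added example)."""
import json
import re

ROLE_ASSIGNMENT_TYPE = "Microsoft.Authorization/roleAssignments"

# Built-in role definition GUIDs; these are identical in every Azure tenant.
BUILTIN_ROLES = {
    "ba92f5b4-2d11-453d-a403-e96b0029c9fe": "Storage Blob Data Contributor",
    "17d1049b-9a84-46fb-8f53-869881c3d3ab": "Storage Account Contributor",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
}
# Control-plane roles that do not grant Entra ID (RBAC) access to blob data.
CONTROL_PLANE_ONLY = {"Storage Account Contributor", "Contributor", "Owner", "Reader"}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def role_guid(role_definition_id):
    """Extract the role GUID from a roleDefinitionId value, whether it is a plain
    resource ID or a template expression such as
    "[subscriptionResourceId('.../roleDefinitions', '<guid>')]". None if absent."""
    m = GUID_RE.search(role_definition_id or "")
    return m.group(0).lower() if m else None


def lint_role_assignments(template):
    """Return one finding per roleAssignments resource: its name, the resolved
    built-in role name, and a list of problems (empty when the resource is fine)."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != ROLE_ASSIGNMENT_TYPE:
            continue
        props = res.get("properties", {})
        problems = []
        if "scope" in props and "scope" not in res:
            # ARM routes the request by the resource-level scope; a scope that only
            # lives in properties is compared against the resource group URI and rejected.
            problems.append("scope is inside properties; move it to the resource level")
        elif "scope" not in res:
            problems.append("no resource-level scope: assignment targets the deployment's resource group")
        if props.get("principalType") != "ServicePrincipal":
            problems.append("set principalType to ServicePrincipal for a managed identity "
                            "to avoid replication-delay PrincipalNotFound failures")
        guid = role_guid(props.get("roleDefinitionId", ""))
        if guid is None:
            problems.append("roleDefinitionId contains no role GUID")
        role = BUILTIN_ROLES.get(guid, "unknown or custom role")
        if role in CONTROL_PLANE_ONLY:
            problems.append(f"{role} is control-plane only; blob access via RBAC needs a "
                            "data-plane role such as Storage Blob Data Contributor")
        findings.append({"name": res.get("name"), "role": role, "problems": problems})
    return findings


def lint_json(text):
    """Convenience wrapper for a template held as a JSON string (no // comments)."""
    return lint_role_assignments(json.loads(text))


# Constructed sample: the shape the question posted (scope inside properties).
BROKEN_TEMPLATE = {
    "resources": [{
        "type": ROLE_ASSIGNMENT_TYPE,
        "apiVersion": "2020-10-01-preview",
        "name": "[guid(variables('functionAppName'), 'storageAccountAccessRole')]",
        "properties": {
            "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', "
                                "'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
            "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), "
                           "'2021-01-15', 'full').identity.principalId]",
            "scope": "[resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName'))]",
        },
    }]
}

# Constructed sample: the shape the second answer uses (scope on the resource itself),
# but granting the data-plane role the question asked for.
FIXED_TEMPLATE = {
    "resources": [{
        "type": ROLE_ASSIGNMENT_TYPE,
        "apiVersion": "2022-04-01",
        "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('accountName'))]",
        "name": "[guid(variables('functionAppName'), 'storageAccountAccessRole')]",
        "properties": {
            "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', "
                                "'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
            "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), "
                           "'2021-01-15', 'full').identity.principalId]",
            "principalType": "ServicePrincipal",
        },
    }]
}

if __name__ == "__main__":
    for label, tpl in (("question", BROKEN_TEMPLATE), ("answer", FIXED_TEMPLATE)):
        print(label, json.dumps(lint_role_assignments(tpl), indent=2))
```

Run it against a real template with `lint_json(open("azuredeploy.json").read())`; the question's shape produces the "scope is inside properties" finding, while the answer's shape with the data-plane role produces no findings at all.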