How to assign an application role to a managed identity in the ARM template

时间秒杀一切 提交于 2020-12-15 06:17:23

问题


I have the following scenario.
My application registration defines a set of application roles
I dynamically deploy a scaleset with a System assigned managed identity via ARM template
During the deployment i want to assign that identity to one of the specific application role defined above

I update my deployment template with the following resource

   {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2017-09-01",
            "name": "<random Guid>",
            "dependsOn": [
                "[concat('Microsoft.Compute/virtualMachineScaleSets/', '<scaleset name>')]"
            ],
            "properties": {
                
                "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '<app role guid>')]",
                "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachineScaleSets', '<scaleset name>'), '2019-07-01', 'Full').Identity.principalId]",
                "scope": "[resourceGroup().id]"
            }
}

However the deployment fails with the following exception

The specified role definition with ID '<app role guid>' does not exist.

My assumption is that the application role definition id is no correctly formatted but i could not find any examples of this kind approle assignment in an ARM template.

Is this even possible ?


回答1:


here is an example of how you would do this https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#new-service-principal

you will need to add a principalType of Serviceprincipal, this is because as per the docs, there can easily be a delay when creating a new serviceprincipal, so it will fail if you don't do this.

Edit: I'm sorry, i didn't realize you were trying to do an app role assignment. I don't believe this is currently supported in arm templates. the rbac roles that you can assign using roleassignment are not app roles. eg. you cannot assign app roles in an arm template currently only for azure built in roles for azure resources, not for apps or azure ad roles. for reference https://github.com/MicrosoftDocs/azure-docs/issues/51914#issuecomment-612867662

the only way you may be able to work around and do something like this is probably through a deployment script that runs powershell commands in the arm template if at all possible.



来源:https://stackoverflow.com/questions/63080623/how-to-assign-an-application-role-to-a-managed-identity-in-the-arm-template

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!