
I am using a DevOps build pipeline (YAML script) to provide access to the objects. The Key Vault access permission is working, whereas the role assignment is not working. Please help.

Write-Host "The daf id is - " $ObjId

working command

Set-AzKeyVaultAccessPolicy -VaultName "$(KVName)" -ObjectId "$ObjId" -PermissionsToSecrets get,list,set -PermissionsToKeys get,list -PermissionsToCertificates get,list -BypassObjectIdValidation

NOT working command

New-AzRoleAssignment -ObjectId "$ObjId" -Scope "/subscriptions/52765179-b8e9-7b3c-a1ff-d32646hdd3a/resourceGroups/rg-DataPlatform/providers/Microsoft.Storage/storageAccounts/dsstore" -RoleDefinitionName "Contributor"

Error Details

  • Can you provide what is the Object ID or what error message you are receiving? – DreadedFrost Jun 18 '21 at 13:19
  • The object id is the id of the datafactory. Through the script I am trying to provide access to the datalake. The access of ADF to keyvault is working here. But, the Role assignment is throwing error "Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown" – Prasant Nanda Jun 18 '21 at 18:55



New-AzRoleAssignment also calls the AAD Graph API to verify the object in your AAD tenant.

To solve the issue, navigate to the AAD App of your service connection and add the Application permission Directory.Read.All of Azure Active Directory Graph, as shown below.

Note: Not Microsoft Graph and not Delegated permission.


Here is a similar issue I answered before for your reference.

Joy Wang
  • If my reply is helpful, please accept it as the answer (click on the mark option beside the reply to toggle it from greyed out to filled in), see https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work This can be beneficial to other community members. Thank you. – Joy Wang Jun 21 '21 at 01:56
  • Thanks for your response. I will follow the steps. The challenge is that we have limited access / scope to do the changes. The Devops login is different and the login to the customer azure portal is different. We have got the subscriptions and the plan is to create all the required services and permissions by the devops (build pipeline). We are creating services like ResourceGroup, DataLake, Data Factory, SQL DB, Key Vault, DataBricks, FunctionApps etc and all necessary permissions to interact with each other. – Prasant Nanda Jun 24 '21 at 20:10
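The pipeline step discussed above, as an added example that is not code from the question or the answer: it resolves the Data Factory's managed identity, checks that the service connection can actually read the principal (the same directory lookup New-AzRoleAssignment performs, which is what the Directory.Read.All permission unblocks), makes the assignment idempotent so re-runs do not fail, and surfaces the real CloudException message. It assumes the Az modules are loaded in the pipeline; the subscription ID and Data Factory name are placeholders, and the role name is kept as Contributor to match the question, though a narrower data-plane role could be substituted.

```powershell
# Added example, not from the original post. Placeholders: <subscription-id>, <data-factory-name>.
param(
    [string]$SubscriptionId  = "<subscription-id>",
    [string]$ResourceGroup   = "rg-DataPlatform",
    [string]$StorageAccount  = "dsstore",
    [string]$DataFactoryName = "<data-factory-name>",
    [string]$RoleName        = "Contributor"   # consider a narrower data-plane role in practice
)

$ErrorActionPreference = "Stop"

# Resolve the Data Factory's system-assigned managed identity instead of hard-coding an object ID.
$adf   = Get-AzDataFactoryV2 -ResourceGroupName $ResourceGroup -Name $DataFactoryName
$objId = $adf.Identity.PrincipalId
if (-not $objId) {
    throw "Data Factory '$DataFactoryName' has no managed identity; enable it before assigning roles."
}
Write-Host "The ADF identity object id is - $objId"

# Confirm the principal is visible to the service connection. This is the directory lookup that
# New-AzRoleAssignment does internally; failing here means a missing directory read permission
# on the service connection's app registration, not a missing RBAC right on the storage account.
$sp = Get-AzADServicePrincipal -ObjectId $objId -ErrorAction SilentlyContinue
if (-not $sp) {
    throw "Principal $objId is not readable by this identity (check Directory.Read.All on the service connection)."
}

$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$StorageAccount"

# Idempotent assignment: re-running the pipeline must not fail on an existing assignment.
$existing = Get-AzRoleAssignment -ObjectId $objId -Scope $scope -RoleDefinitionName $RoleName `
            -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Role '$RoleName' already assigned to $objId at $scope"
}
else {
    try {
        New-AzRoleAssignment -ObjectId $objId -Scope $scope -RoleDefinitionName $RoleName | Out-Null
        Write-Host "Assigned '$RoleName' to $objId at $scope"
    }
    catch {
        # The generic "Exception of type 'Microsoft.Rest.Azure.CloudException'" text hides the
        # cause; print the full message so the pipeline log shows which permission is missing.
        Write-Error ("Role assignment failed: " + $_.Exception.Message)
        throw
    }
}
```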