I am trying to automate my role assignment, and I am using this ARM template

{
  "$schema": "https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "serviceName": {
      "type": "string",
      "metadata": {
        "description": "name of the microservice"
      }
    },
    "environment": {
      "type": "string",
      "metadata": {
        "description": "name of the environment"
      }
    },
    "databaseType": {
      "type": "string",
      "defaultValue": "settings"
    }
  },
  "variables": {
    "databaseName": "[concat('cosdb', parameters('serviceName'), parameters('environment'), parameters('databaseType'))]",
    "identityName": "[concat('id', parameters('environment'), parameters('serviceName'))]",
    "roleAssignmentId": "[guid(concat(resourceGroup().id, variables('databaseName')))]",
    "roleDefinitionId": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', variables('databaseName'), '00000000-0000-0000-0000-000000000002')]"
  },
  "resources": [
    {
      "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
      "apiVersion": "2021-05-15",
      "name": "[concat(variables('databaseName'), '/', variables('roleAssignmentId'))]",
      "properties": {
        "roleDefinitionId": "[variables('roleDefinitionId')]",
        "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName')), '2018-11-30').principalId]",
        "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', variables('databaseName'))]"
      }
    }
  ]
}

which runs without issue, but when I look in the portal no role is assigned. How do I fix it?

EnenDaveyBoy

1 Answer

Please check if you need to give the subscription Id for the role in the managed identity in roleDefinitionId and roleAssignmentId. Try concat with the subscription Id and location if needed.

'/subscriptions/', subscription().subscriptionId ,

Also, if taken from roleDefinitions, include providers in the roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/'

References

  1. azure cosmosdb - ARM Template-Stack Overflow
  2. Create a CosmosDB Role Assignment using an ARM Template - Microsoft Q&A
kavyaS
  • They are scoped to the resource group, which works without issue using resourceId(), which adds the subscription and resource ids, and it actually works for the SDK but it doesn't show in the portal, which is odd – EnenDaveyBoy Mar 10 '22 at 15:21
  • Please check if you have minimum access or permissions to assign roles. [User access administrator](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator) or [role administrator](https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task#roles-and-administrators) or owner – kavyaS Mar 13 '22 at 18:41
  • I couldn't get it to work so have moved to the CLI, but sometimes that doesn't work and I have to just use the portal – EnenDaveyBoy Apr 02 '22 at 22:30
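Added example, not from the question, the answer, or any Microsoft tooling: a small offline check, in Python, of the three properties the template above sets on the sqlRoleAssignment. It mirrors the fully qualified ids that ARM's resourceId() expands to (subscription and resource group included) and flags the mistakes that make such an assignment silently useless: a roleDefinitionId that is a bare GUID instead of a full sqlRoleDefinitions id, a scope that is not the account (or a database/container under it) owning the role definition, or a principalId that never resolved to a GUID. The subscription id, resource group, account name and principal id are constructed placeholders. Two facts worth keeping in mind when reading the thread: sqlRoleAssignments are Cosmos DB data-plane RBAC stored in the account, not Azure RBAC (Microsoft.Authorization/roleAssignments), so they do not appear in the portal's Access control (IAM) blade; and the built-in role 00000000-0000-0000-0000-000000000002 is "Cosmos DB Built-in Data Contributor", which grants read and write of every item in the account at the scope given, so a narrower scope (a database or container path under the account) is the least-privilege choice when the identity only needs one database.

```python
"""Offline sanity check for a Cosmos DB SQL (data-plane) role assignment.

Added example, not from the question or answer. The ids are built the way
ARM's resourceId() builds them; all sample values are constructed.
"""
import re

# Constructed placeholders (not real identifiers).
SAMPLE_SUBSCRIPTION = "00000000-1111-2222-3333-444444444444"
SAMPLE_RESOURCE_GROUP = "rg-example"
SAMPLE_ACCOUNT = "cosdbordersdevsettings"  # concat('cosdb', 'orders', 'dev', 'settings')
SAMPLE_PRINCIPAL = "11111111-2222-3333-4444-555555555555"  # a managed identity's principalId

# Built-in Cosmos DB SQL role definition GUIDs (the same in every account).
BUILTIN_SQL_ROLES = {
    "00000000-0000-0000-0000-000000000001": "Cosmos DB Built-in Data Reader",
    "00000000-0000-0000-0000-000000000002": "Cosmos DB Built-in Data Contributor",
}
DATA_CONTRIBUTOR = "00000000-0000-0000-0000-000000000002"  # GUID used in the template

GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
ROLE_DEF_RE = re.compile(r"^(.*/databaseAccounts/[^/]+)/sqlRoleDefinitions/([^/]+)$")


def account_id(subscription_id, resource_group, account_name):
    """What resourceId('Microsoft.DocumentDB/databaseAccounts', name) expands to."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.DocumentDB/databaseAccounts/{account_name}")


def sql_role_definition_id(subscription_id, resource_group, account_name, role_guid):
    """What resourceId('.../databaseAccounts/sqlRoleDefinitions', account, guid) expands to."""
    return f"{account_id(subscription_id, resource_group, account_name)}/sqlRoleDefinitions/{role_guid}"


def database_scope(account_resource_id, database_name):
    """Narrower scope: one database under the account (least privilege)."""
    return f"{account_resource_id}/dbs/{database_name}"


def describe_role(role_definition_id):
    """Human-readable name of the role referenced by a sqlRoleDefinitions id."""
    m = ROLE_DEF_RE.match(role_definition_id)
    if not m:
        return "unknown (not a sqlRoleDefinitions id)"
    return BUILTIN_SQL_ROLES.get(m.group(2).lower(), "custom role")


def check_sql_role_assignment(role_definition_id, principal_id, scope):
    """Return a list of problems; an empty list means the assignment looks consistent."""
    problems = []
    m = ROLE_DEF_RE.match(role_definition_id)
    if not m:
        problems.append("roleDefinitionId is not a fully qualified sqlRoleDefinitions id")
        return problems
    def_account, role_guid = m.group(1), m.group(2)
    if not def_account.startswith("/subscriptions/"):
        problems.append("roleDefinitionId must start with /subscriptions/<id>/resourceGroups/...")
    if not GUID_RE.match(role_guid):
        problems.append("role definition GUID is malformed")
    # The scope must be the account that owns the definition, or a path beneath it.
    if not (scope == def_account or scope.startswith(def_account + "/")):
        problems.append("scope is not the account (or a child of it) that owns the role definition")
    if not GUID_RE.match(principal_id):
        problems.append("principalId is not a GUID (an unresolved reference() expression?)")
    return problems


def verify_command(resource_group, account_name):
    """Azure CLI command that lists data-plane assignments (they are not in the IAM blade)."""
    return (f"az cosmosdb sql role assignment list "
            f"--resource-group {resource_group} --account-name {account_name}")


if __name__ == "__main__":
    scope = account_id(SAMPLE_SUBSCRIPTION, SAMPLE_RESOURCE_GROUP, SAMPLE_ACCOUNT)
    role = sql_role_definition_id(SAMPLE_SUBSCRIPTION, SAMPLE_RESOURCE_GROUP,
                                  SAMPLE_ACCOUNT, DATA_CONTRIBUTOR)
    print(describe_role(role))
    print("problems:", check_sql_role_assignment(role, SAMPLE_PRINCIPAL, scope))
    print("verify with:", verify_command(SAMPLE_RESOURCE_GROUP, SAMPLE_ACCOUNT))
```

Running it with the constructed values reports no problems, which is the expected state for the template in the question: its resourceId() calls already produce the fully qualified ids, so the place to look after a clean deployment is the output of the listed az command rather than the portal's IAM blade.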