I'm trying to assign the role "Storage Blob Data Contributor (Preview)" to a specific storage container via arm template. But I just can't figure out the correct syntax.
This is what I have:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"principalId": {
"type": "string",
"metadata": {
"description": "The principal to assign the role to"
}
},
"builtInRoleType": {
"type": "string",
"allowedValues": [
"Contributor",
"Reader",
"StorageBlobDataContributor"
],
"metadata": {
"description": "Built-in role to assign"
}
}
},
"variables": {
"apiVersion": "2017-05-01",
"Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
"Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
"Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
"StorageBlobDataContributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
"TestVariable": "[concat('STORAGEACCOUNTNAME','/Microsoft.Authorization/',guid(subscription().subscriptionId))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
"apiVersion": "[variables('apiVersion')]",
"name": "[variables('TestVariable')]",
"properties": {
"roleDefinitionId": "[variables('Reader')]",
"principalId": "[parameters('principalId')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/blobServices/containers/blobCONTAINERNAME/providers/Microsoft.Authorization/roleAssignments",
"apiVersion": "[variables('apiVersion')]",
"name": "STORAGEACCOUNTNAME/blobServices/containers/default/blobCONTAINERNAME/Microsoft.Authorization/NEW-GUID",
"properties": {
"roleDefinitionId": "[variables('StorageBlobDataContributor')]",
"principalId": "[parameters('principalId')]"
}
}
],
"outputs": {}
}
I can attach the reader role to the storage account itself succesfully. But for the container I get the following error:
new-AzResourceGroupDeployment : 09:21:24 - Error: Code=InvalidTemplate; Message=Deployment template validation failed: 'The template resource
'STORAGEACCOUNTNAME/blobServices/containers/CONTAINERNAME/Microsoft.Authorization/GUID' for type
'Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/blobServices/default/containers/CONTAINERNAME/providers/Microsoft.Authorization/roleAssignments' at line '44' and column '9' has incorrect
segment lengths. A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name. Please see
https://aka.ms/arm-template/#resources for usage details.'.
I have tried so many ways trying to attach the role, that I out of idea's. Can someone help me?
To allow or disallow public access for a storage account in the Azure portal, follow these steps: Navigate to your storage account in the Azure portal. Locate the Configuration setting under Settings. Set Blob public access to Enabled or Disabled.
ARM template willnot recreate/overwrite the existing resource, if the resource is specified in the template. It will update the resource if the property values for a resource are changed.
you need to construct something like this:
resourceId/Microsoft.Authorization/roleAssignments/NEW-GUID
and resourceId is normally being constructed as
type: provider/namespace
name: name
provider/namespace/name
for example, for subnet it would be (notice it takes 1 segment from each line in turn, except for the first one, first one is always 2 segments):
type: microsoft.network/virtualnetworks/subnets
name: vnetName/subnetName
microsoft.network/virtualnetworks/vnetName/subnets/subnetName
if that is even possible it would look like something like this:
"type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
"name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID"
Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/containers/CONTAINERNAME/providers/Microsoft.Authorization/roleAssignments/NEW-GUID
Made some little adjustments:
"type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
"name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID"
This way I can assign roles on the container itself. Thanks 4c74356b41 for pointing me in the right direction
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With