Azure: Assign Roles via ARM Template to storage container

I'm trying to assign the role "Storage Blob Data Contributor (Preview)" to a specific storage container via an ARM template. But I just can't figure out the correct syntax.

This is what I have:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "principalId": {
            "type": "string",
            "metadata": {
                "description": "The principal to assign the role to"
            }
        },
        "builtInRoleType": {
            "type": "string",
            "allowedValues": [
                "Contributor",
                "Reader",
                "StorageBlobDataContributor"
            ],
            "metadata": {
                "description": "Built-in role to assign"
            }
        }
    },
    "variables": {
        "apiVersion": "2017-05-01",
        "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
        "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "StorageBlobDataContributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
        "TestVariable": "[concat('STORAGEACCOUNTNAME','/Microsoft.Authorization/',guid(subscription().subscriptionId))]"
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
            "apiVersion": "[variables('apiVersion')]",
            "name": "[variables('TestVariable')]",
            "properties": {
                "roleDefinitionId": "[variables('Reader')]",
                "principalId": "[parameters('principalId')]"
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/blobServices/containers/blobCONTAINERNAME/providers/Microsoft.Authorization/roleAssignments",
            "apiVersion": "[variables('apiVersion')]",
            "name": "STORAGEACCOUNTNAME/blobServices/containers/default/blobCONTAINERNAME/Microsoft.Authorization/NEW-GUID",
            "properties": {
                "roleDefinitionId": "[variables('StorageBlobDataContributor')]",
                "principalId": "[parameters('principalId')]"
            }
        }
    ],
    "outputs": {}
}

I can attach the Reader role to the storage account itself successfully. But for the container I get the following error:

    new-AzResourceGroupDeployment : 09:21:24 - Error: Code=InvalidTemplate; Message=Deployment template validation failed: 'The template resource
'STORAGEACCOUNTNAME/blobServices/containers/CONTAINERNAME/Microsoft.Authorization/GUID' for type
'Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/blobServices/default/containers/CONTAINERNAME/providers/Microsoft.Authorization/roleAssignments' at line '44' and column '9' has incorrect
segment lengths. A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name. Please see
https://aka.ms/arm-template/#resources for usage details.'.

I have tried so many ways of attaching the role that I'm out of ideas. Can someone help me?

Erik asked Mar 08 '19 08:03




2 Answers

You need to construct something like this:

resourceId/Microsoft.Authorization/roleAssignments/NEW-GUID

and the resourceId is normally constructed as

type: provider/namespace
name: name

provider/namespace/name

For example, for a subnet it would be (notice it takes 1 segment from each line in turn, except for the first one, which is always 2 segments):

type: microsoft.network/virtualnetworks/subnets
name: vnetName/subnetName

microsoft.network/virtualnetworks/vnetName/subnets/subnetName

If that is even possible, it would look something like this:

"type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
"name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID"

Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/containers/CONTAINERNAME/providers/Microsoft.Authorization/roleAssignments/NEW-GUID
4c74356b41 answered Oct 26 '22 22:10



Made some little adjustments:

"type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
"name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID"

This way I can assign roles on the container itself. Thanks 4c74356b41 for pointing me in the right direction.

Erik answered Oct 26 '22 23:10

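The segment rule quoted in the error and the interleaving described in the first answer can be checked offline before deploying. The following is an added example (not code from the question or either answer): it applies the rule to the question's failing type/name pair and to the pair from the accepted answer, builds the resulting resourceId, and extracts the scope the role assignment actually lands on, so you can confirm it is the container rather than the whole storage account. Account, container and GUID values are constructed placeholders, as in the thread.

```python
"""Segment-length check and resourceId construction for ARM role assignments.
Added example (not from the question or either answer); it implements the rule
quoted in the deployment error and the interleaving the first answer describes.
Storage account, container and GUID values are constructed placeholders."""


def segments(path: str) -> list:
    """Split a type or name on '/', dropping empty pieces."""
    return [s for s in path.split("/") if s]


def check_segments(resource_type: str, name: str) -> tuple:
    """Rule from the error text: a root resource type has one segment more
    than its name (the extra segment is the provider namespace); a resource
    nested inside its parent has the same number of segments as its name."""
    t, n = len(segments(resource_type)), len(segments(name))
    if t == n + 1:
        return True, "root"
    if t == n:
        return True, "nested"
    return False, f"type has {t} segments, name has {n}; expected {t - 1} or {t}"


def build_resource_id(resource_type: str, name: str) -> str:
    """Interleave type and name segments as the first answer describes: the
    first two type segments (namespace/provider) stay together, then one type
    segment and one name segment alternate.  Root form only."""
    ok, kind = check_segments(resource_type, name)
    if not ok or kind != "root":
        raise ValueError(f"cannot build a resourceId: {kind}")
    ts, ns = segments(resource_type), segments(name)
    out = ts[:2] + [ns[0]]
    for t_seg, n_seg in zip(ts[2:], ns[1:]):
        out += [t_seg, n_seg]
    return "/".join(out)


def assignment_scope(resource_id: str) -> str:
    """Scope a roleAssignments resourceId applies to: everything before the
    '/providers/Microsoft.Authorization/roleAssignments' extension segment."""
    return resource_id.split("/providers/Microsoft.Authorization/roleAssignments")[0]


# Constructed inputs: the question's failing pair and the accepted answer's pair.
QUESTION_TYPE = ("Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/blobServices/"
                 "containers/blobCONTAINERNAME/providers/Microsoft.Authorization/roleAssignments")
QUESTION_NAME = ("STORAGEACCOUNTNAME/blobServices/containers/default/blobCONTAINERNAME/"
                 "Microsoft.Authorization/NEW-GUID")
ANSWER_TYPE = "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments"
ANSWER_NAME = "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID"
```

Running `check_segments(QUESTION_TYPE, QUESTION_NAME)` reproduces the mismatch (9 type segments against 7 name segments), while the accepted answer's pair passes as a root resource and resolves to a scope ending in `/containers/CONTAINERNAME`.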