Azure: Assign Roles via ARM Template to storage container

I'm trying to assign the role "Storage Blob Data Contributor (Preview)" to a specific storage container via arm template. But I just can't figure out the correct syntax.

This is what I have:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "principalId": {
            "type": "string",
            "metadata": {
                "description": "The principal to assign the role to"
            }
        },
        "builtInRoleType": {
            "type": "string",
            "allowedValues": [
                "Contributor",
                "Reader",
                "StorageBlobDataContributor"
            ],
            "metadata": {
                "description": "Built-in role to assign"
            }
        }
    },
    "variables": {
        "apiVersion": "2017-05-01",
        "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
        "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
        "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
        "StorageBlobDataContributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
        "TestVariable": "[concat('STORAGEACCOUNTNAME','/Microsoft.Authorization/',guid(subscription().subscriptionId))]"
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
            "apiVersion": "[variables('apiVersion')]",
            "name": "[variables('TestVariable')]",
            "properties": {
                "roleDefinitionId": "[variables('Reader')]",
                "principalId": "[parameters('principalId')]"
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/blobServices/containers/blobCONTAINERNAME/providers/Microsoft.Authorization/roleAssignments",
            "apiVersion": "[variables('apiVersion')]",
            "name": "STORAGEACCOUNTNAME/blobServices/containers/default/blobCONTAINERNAME/Microsoft.Authorization/NEW-GUID",
            "properties": {
                "roleDefinitionId": "[variables('StorageBlobDataContributor')]",
                "principalId": "[parameters('principalId')]"
            }
        }
    ],
    "outputs": {}
}

I can attach the reader role to the storage account itself succesfully. But for the container I get the following error:

    new-AzResourceGroupDeployment : 09:21:24 - Error: Code=InvalidTemplate; Message=Deployment template validation failed: 'The template resource
'STORAGEACCOUNTNAME/blobServices/containers/CONTAINERNAME/Microsoft.Authorization/GUID' for type
'Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/blobServices/default/containers/CONTAINERNAME/providers/Microsoft.Authorization/roleAssignments' at line '44' and column '9' has incorrect
segment lengths. A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name. Please see
https://aka.ms/arm-template/#resources for usage details.'.

I have tried so many ways trying to attach the role, that I out of idea's. Can someone help me?

How do I grant access to Azure Blob container?

To allow or disallow public access for a storage account in the Azure portal, follow these steps: Navigate to your storage account in the Azure portal. Locate the Configuration setting under Settings. Set Blob public access to Enabled or Disabled.

Can ARM template update existing resource?

ARM template willnot recreate/overwrite the existing resource, if the resource is specified in the template. It will update the resource if the property values for a resource are changed.

you need to construct something like this:

resourceId/Microsoft.Authorization/roleAssignments/NEW-GUID

and resourceId is normally being constructed as

type: provider/namespace
name: name

provider/namespace/name

for example, for subnet it would be (notice it takes 1 segment from each line in turn, except for the first one, first one is always 2 segments):

type: microsoft.network/virtualnetworks/subnets
name: vnetName/subnetName

microsoft.network/virtualnetworks/vnetName/subnets/subnetName

if that is even possible it would look like something like this:

"type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
"name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID"

Microsoft.Storage/storageAccounts/STORAGEACCOUNTNAME/containers/CONTAINERNAME/providers/Microsoft.Authorization/roleAssignments/NEW-GUID

Made some little adjustments:

"type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
"name": "STORAGEACCOUNTNAME/default/CONTAINERNAME/Microsoft.Authorization/NEW-GUID"

This way I can assign roles on the container itself. Thanks 4c74356b41 for pointing me in the right direction

Azure: Assign Roles via ARM Template to storage container

Tags:

azure

azure-blob-storage

arm-template

azure-storage-account

Erik

People also ask

2 Answers

4c74356b41

Erik

Recent Activity

Donate For Us

Azure: Assign Roles via ARM Template to storage container

Tags:

azure

azure-blob-storage

arm-template

azure-storage-account

Erik

People also ask

2 Answers

4c74356b41

Erik

Related questions

Recent Activity

Donate For Us