I am trying to create a SQL Server with an ARM template on Azure DevOps. The pipeline successfully creates the SQL Server resource in the Azure Portal, but I'm getting strange errors in Azure DevOps. Why does this occur and how do I fix it?
ERROR:
There were errors in your deployment. Error code: DeploymentFailed.
##[error]RoleAssignmentUpdateNotPermitted: Tenant ID, application ID, principal ID, and scope are not allowed to be updated.
##[error]Check out the troubleshooting guide to see if your issue is addressed: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops#troubleshooting
##[error]Task failed while creating or updating the template deployment.
YML:
- task: AzureResourceManagerTemplateDeployment@3
  inputs:
    deploymentScope: 'Resource Group'
    azureResourceManagerConnection: 'TestRG-Conn'
    subscriptionId: '1111753a-501e-4e46-9aff-6120ed561111'
    action: 'Create Or Update Resource Group'
    resourceGroupName: 'TestRG'
    location: 'North Europe'
    templateLocation: 'Linked artifact'
    csmFile: '$(System.DefaultWorkingDirectory)/CreateSQLServer/azuredeploy.json'
    csmParametersFile: '$(System.DefaultWorkingDirectory)/CreateSQLServer/azuredeploy.parameters.json'
    deploymentMode: 'Incremental'
VARIABLE IN TEMPLATE:
"variables": {
    "StorageBlobContributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '111111111111111111111-')]"
},
RESOURCE IN TEMPLATE:
"resources": [
    {
        "condition": "[parameters('enableADS')]",
        "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
        "apiVersion": "2018-09-01-preview",
        "name": "[concat(variables('storageName'), '/Microsoft.Authorization/', variables('uniqueRoleGuid'))]",
        "dependsOn": [
            "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]",
            "[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]"
        ],
        "properties": {
            "roleDefinitionId": "[variables('StorageBlobContributor')]",
            "principalId": "[reference(resourceId('Microsoft.Sql/servers', parameters('serverName')), '2018-06-01-preview', 'Full').identity.principalId]",
            "scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]",
            "principalType": "ServicePrincipal"
        }
    }
]
Chances are you have deployed and deleted the resources; however, the role assignment is still there and that is what it is clashing with (which is what 4c7... is saying). So, go check the permissions on the storage account: if you use managed identities, that identity will be deleted but the role assignment will persist and show the user as 'unknown', which will also cause the above error when trying to deploy again. I had the same issue, but with a managed identity I was using for an AKS cluster. Frustrating.
When you delete a managed identity, it does not delete the associated roles created for it. I wish it cleaned up properly.
In my case, it was the name of the RoleAssignment. It was unique at the Resource Group level but not at the subscription level. Not sure what the scope for the uniqueness of the name is.
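As an added example (not code from the question or from either answer), the following Python script checks an export in the shape printed by `az role assignment list` for the two conditions the answers describe: orphaned assignments left behind when a managed identity was deleted, and an assignment whose name is already taken by an entry with a different principal or scope, which is exactly what RoleAssignmentUpdateNotPermitted reports because those fields cannot be changed on an existing assignment. The JSON field names, the GUIDs and the scopes are constructed placeholders and assumptions, not real subscription data.

```python
import json
from typing import Dict, List, Optional

# Constructed sample in the shape of `az role assignment list` output.
# Field names are an assumption; GUIDs and scopes are placeholders.
SAMPLE_ASSIGNMENTS_JSON = """[
  {
    "name": "aaaaaaaa-0000-4000-8000-000000000001",
    "principalId": "deadbeef-0000-4000-8000-000000000001",
    "principalName": "",
    "principalType": "Unknown",
    "scope": "/subscriptions/SUB-ID/resourceGroups/TestRG/providers/Microsoft.Storage/storageAccounts/oldstorage"
  },
  {
    "name": "bbbbbbbb-0000-4000-8000-000000000002",
    "principalId": "cafef00d-0000-4000-8000-000000000002",
    "principalName": "sqlserver-old-identity",
    "principalType": "ServicePrincipal",
    "scope": "/subscriptions/SUB-ID/resourceGroups/TestRG/providers/Microsoft.Storage/storageAccounts/teststorage"
  },
  {
    "name": "cccccccc-0000-4000-8000-000000000003",
    "principalId": "f00dcafe-0000-4000-8000-000000000003",
    "principalName": "alice@example.com",
    "principalType": "User",
    "scope": "/subscriptions/SUB-ID/resourceGroups/TestRG"
  }
]"""

# Fields the error message lists as not updatable on an existing assignment.
IMMUTABLE_FIELDS = ("principalId", "scope")


def load_assignments(text: str) -> List[Dict[str, str]]:
    """Parse the JSON export into a list of assignment dictionaries."""
    return json.loads(text)


def find_orphaned(assignments: List[Dict[str, str]]) -> List[str]:
    """Names of assignments whose principal no longer resolves.

    Assumption: after the identity is deleted the entry keeps its principalId
    but has an empty principalName and principalType 'Unknown' (the portal
    shows these as 'Identity not found'). Such entries are the leftovers the
    first answer describes and are safe to review and remove.
    """
    return [
        a["name"]
        for a in assignments
        if a.get("principalType") == "Unknown" or not a.get("principalName")
    ]


def find_name_conflict(
    assignments: List[Dict[str, str]], desired: Dict[str, str]
) -> Optional[List[str]]:
    """Compare the assignment a template wants to create with any existing one of
    the same name.

    Returns None when no assignment carries that name, an empty list when the
    existing one is identical (an idempotent redeploy), and otherwise the list of
    immutable fields that differ, which is the situation that produces
    RoleAssignmentUpdateNotPermitted.
    """
    for a in assignments:
        if a["name"].lower() == desired["name"].lower():
            return [
                f for f in IMMUTABLE_FIELDS
                if a.get(f, "").lower() != desired.get(f, "").lower()
            ]
    return None


if __name__ == "__main__":
    current = load_assignments(SAMPLE_ASSIGNMENTS_JSON)
    print("orphaned assignments:", find_orphaned(current))
    # A redeployed SQL server gets a new managed identity, but a deterministic
    # uniqueRoleGuid reuses the old assignment name, so principalId differs.
    redeploy = {
        "name": "bbbbbbbb-0000-4000-8000-000000000002",
        "principalId": "0badf00d-0000-4000-8000-000000000009",
        "scope": "/subscriptions/SUB-ID/resourceGroups/TestRG/providers/Microsoft.Storage/storageAccounts/teststorage",
    }
    print("conflicting fields:", find_name_conflict(current, redeploy))
```

Running the script against a real export (for example the output of `az role assignment list` saved to a file) before a deployment shows whether the name the template will generate is already held by an assignment with a different principal, so the stale assignment can be removed rather than the pipeline failing part-way through.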