Getting no permission to add Azure roles to the account message.
I am trying to add Azure role assignments to the storage account. I am creating a function app in bicep, and the next step after that is, I want to add the 'Storage Blob Data Owner' role for that application.
This is being executed in Github via github action with a bicep script.
Authorization failed for template resource 'guid' of type 'Microsoft.Authorization/roleAssignments'. The client 'client id' with object id 'client id' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions//resourceGroups/rg-
So the solution is to add create a custom role which has the write persmission, but how do i add that custom role to the function app in bicep
resource roleAssignmentStorage 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = { name: guid(subscription().id, principalId, roleDefinitionResourceId) properties: { roleDefinitionId: roleDefinitionResourceId principalId: principalId principalType: 'ServicePrincipal' } }
I dont know how to assign the custom RBAC role i created
CodePudding user response:
Isn't the error coming from the fact that whatever user/application is executing this Bicep template does not have rights to set RBAC permissions? To assign RBAC permissions in your Bicep template, the principal executing the template needs either the User Access Administrator role or Owner role on the resource/resource group/subscription.
CodePudding user response:
This is the answer i was looking for. Once you create the custom role, as mentioned in the link, you need to create the new credentials using the a new service principal. Like : az ad sp create-for-rbac --name newServicePrincipal --role 'custom contributor' --scopes /subscriptions/id --sdk-auth
The output of this needs to be saved as the new Azure credentials in your Github Repo, thats how the service principal which runs the github actions gets linked to the custom contributor. I missed that part.