In an earlier post on provisioning a Let’s encrypt SSL certificate to a Web App, I touched upon the subject of creating an RBAC Role Assignment using an ARM template. In that post I said that I wasn’t able to provision an Role Assignment to a just single resource (opposed to a whole Resourcegroup.) This week I found out that this was due to an error on my side. The template for provisioning an Authorizaton Rule for just a single resource, differs from that for provisioning a Rule for a whole Resourcegroup.
Here the correct JSON for provisioning an Role Assignment to a single resource:
{
"type": "Microsoft.Web/sites/providers/roleAssignments",
"apiVersion": "2015-07-01",
"name": "[concat(parameters('appServiceName'), '/Microsoft.Authorization/', parameters('appServiceContributerRoleGuid'))]",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', parameters('appServiceName'))]"
],
"properties": {
"roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
"principalId": "[parameters('appServiceContributorObjectId')]"
}
},
As Ohad correctly points out in the comments the appServiceContributerRoleGuid, should be a unique Guid generated by you. It does not refer back to a Guid of any predefined role.
In contrast, below find the JSON for provisioning an Authorizaton Rule for a Resourcegroup as a whole. To provision a roleAssignment for a single resource, we do not need to set a more specific scope, but completely leave it out. Instead the roleAssignment has to be nested within the resource it applies to. This is visible when comparing the type, name and scope properties of both definitions.
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2015-07-01",
"name": "[parameters('appServiceContributerRoleName')]",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', parameters('appServiceName'))]"
],
"properties": {
"roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
"principalId": "[parameters('appServiceContributorObjectId')]",
"scope": "[concat(subscription().id, '/resourceGroups/', resourceGroup().name)]"
}
}
Great stuff!
1. Would be great if you could link to the appropriate docs docs for this. Specifically the ones that explain Microsoft.Web/sites/providers/roleAssignments, or really the more general case of Microsoft.Foo/Bar/providers/roleAssignments.
2. I would clarify the constraints on the name, i.e. that it has to be {resourceName}/Microsoft.Authorization/{uniqueRoleAssignmentGuid}. Specifically, when you write appServiceContributerRoleGuid it’s confusing, because one might mistakenly think they should use the known role GUIDS (e.g. b24988ac-6180-42a0-ab88-20f7382dd24c).
Thanks,
Ohad
Hey Ohad,
Thank you. You are right that the Guid might be confusing, so I added a sentence there. As for documentation, the documentation in this area is kind of lacking. The above is the result of a lot of Googling, trying, looking at API calls and finding out the specific differences. There is not a single thing I can point to as my source unfortunately.
Henry
Thanks for your post, the name format and the scope are the keys to solve my problem. Thanks for your inspiration.