0
votes

I have tried

{
  "apiVersion": "2016-07-01",
  "name": "[concat(resourceGroup().name,'/Microsoft.Authorization/',variables('principalId'))]",
  "type": "Microsoft.Authorization/roleAssignments",
  "properties": {
    "roleDefinitionId": "[variables('owner')]",
    "principalId": "[parameters('msi').principalId]",
    "scope": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name)]"
  }
},

but it gives the following error

Deployment template validation failed: 'The template resource 'sf-gateway/Microsoft.Authorization/5e60879d-b9c0-4e11-9548-9d92ed244eef' for type 'Microsoft.Authorization/roleAssignments' at line '1' and column '3432' has incorrect segment lengths. A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name. Please see https://aka.ms/arm-template/#resources for usage details.'. (Code: InvalidTemplate)

I don't fully understand what needs to be changed.

I want to give the principal ownership over the resource group

2 Answers

1
votes

I want to give the principal ownership over the resource group

You could get the template demo code from this link. If you create the template with VS you could get it directly from the template. It works correctly for me.

azuredeploy.json

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "The principal to assign the role to"
      }      
    },
    "builtInRoleType": {
      "type": "string",
      "allowedValues": [
        "Owner",
        "Contributor",
        "Reader"
      ],
      "metadata": {
        "description": "Built-in role to assign"
      }      
    },
    "roleNameGuid": {
      "type": "string",
      "metadata": {
        "description": "A new GUID used to identify the role"
      }      
    }
  },
  "variables": {
    "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
    "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
    "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
    "scope": "[resourceGroup().id]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2017-05-01",
      "name": "[parameters('roleNameGuid')]",
      "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[parameters('principalId')]",
        "scope": "[variables('scope')]"
      }
    }
  ]
}

azuredeploy.parameters.json

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "value": "principalId"
    },
    "builtInRoleType": {
      "value": "Owner"
    },
    "roleNameGuid": {
      "value": "Guid name"
    }
  }
}

Test Result:


0
votes

The error is happening because the name has more segments, i.e. components demarcated with a slash, than the type, as explained in more detail here: Resolve errors for invalid template.

There's a related discussion here; if you can get the GUID for the resource and pass that in for name, it will have fewer segments than the type.
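
The segment rule quoted in the error message, as an added example that is not part of either answer: a small Python check that counts name and type segments for root and nested resources, run on the evaluated name from the error and on a GUID-only name. The function names are hypothetical, and the check assumes resource names have already been evaluated (template expressions are skipped).

```python
# Added example: checks evaluated ARM resource names against the segment rule
# quoted in the error message. Sample resources are constructed from the page.

def segments(value):
    """Count the slash-separated components of a resource type or name."""
    return len([part for part in value.split("/") if part])


def check_resource(resource, nested=False):
    """Return an error string if name/type segment counts disagree, else None.

    Root resource: the type has one more segment than the name.
    Nested resource (declared inside its parent): the counts are identical.
    Assumes `name` is already evaluated (no [concat(...)] expressions).
    """
    name, rtype = resource["name"], resource["type"]
    if name.startswith("["):
        return None  # unevaluated template expression; cannot count statically
    expected = segments(rtype) if nested else segments(rtype) - 1
    if segments(name) != expected:
        return (f"{rtype} '{name}': name has {segments(name)} segment(s), "
                f"expected {expected}")
    return None


def check_template(resources, nested=False):
    """Walk a resources array, including nested child resources."""
    errors = []
    for res in resources:
        err = check_resource(res, nested)
        if err:
            errors.append(err)
        errors.extend(check_template(res.get("resources", []), nested=True))
    return errors


# Constructed from the page: the evaluated name in the error message, and a
# GUID-only name as used in the working template.
FAILING = {"type": "Microsoft.Authorization/roleAssignments",
           "name": "sf-gateway/Microsoft.Authorization/"
                   "5e60879d-b9c0-4e11-9548-9d92ed244eef"}
WORKING = {"type": "Microsoft.Authorization/roleAssignments",
           "name": "5e60879d-b9c0-4e11-9548-9d92ed244eef"}

if __name__ == "__main__":
    for msg in check_template([FAILING, WORKING]):
        print(msg)
```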