2
votes

I'm trying to grant an Azure 'User Assigned Managed Identity' permissions to an Azure storage account via Terraform.

I'm struggling to find the best way to do this - any ideas would be much appreciated!

Background: I'm looking to deploy HDInsight and point it at a Data Lake Gen2 storage account. For the HDInsight deployment to succeed it needs to reference a Managed Identity that has 'Storage Blob Data Owner' permissions to the storage account.

I can successfully create the storage account and Managed Identity via Terraform. However, I'm stuck on the best way to assign the Managed Identity to the storage account.


1 Answer

1
votes

If you create a Managed Identity, it essentially creates a service principal in your tenant. So you could use azurerm_role_assignment to assign the service principal the Storage Blob Data Owner role on the storage account.

# Current subscription; its id is used as the (broad) scope in this sample.
data "azurerm_subscription" "primary" {}

# Identity Terraform is currently authenticated as; used here only as a
# stand-in principal for the sample.
data "azurerm_client_config" "test" {}

# Role assignment = scope + role + principal. Each field is swapped out below
# for the storage account / Storage Blob Data Owner / managed identity case.
resource "azurerm_role_assignment" "test" {
  scope                = "${data.azurerm_subscription.primary.id}"
  role_definition_name = "Reader"
  principal_id         = "${data.azurerm_client_config.test.service_principal_object_id}"
}

The sample assigns the role at the subscription scope; for your case, just change the scope to the storage account, the role_definition_name to Storage Blob Data Owner, and the principal_id to the Object ID of your Managed Identity (service principal).
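The three substitutions the answer describes, written out as a complete configuration. This is an added example, not the answerer's code or anything from the azurerm provider docs; the resource group, region, storage account name and identity name are assumptions, and the storage account is created as a Data Lake Gen2 account (StorageV2 with hierarchical namespace) to match the question.

```hcl
# Added example: grant a user-assigned managed identity "Storage Blob Data Owner"
# on one Data Lake Gen2 storage account. All names/locations below are assumed.
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "hdi" {
  name     = "rg-hdinsight-example" # assumed name
  location = "westeurope"           # assumed region
}

# Data Lake Gen2 = StorageV2 account with the hierarchical namespace enabled.
resource "azurerm_storage_account" "datalake" {
  name                     = "sthdiexample001" # assumed; must be globally unique, 3-24 lowercase alphanumerics
  resource_group_name      = azurerm_resource_group.hdi.name
  location                 = azurerm_resource_group.hdi.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"
  is_hns_enabled           = true
}

# The managed identity HDInsight will run as. Creating it registers a service
# principal in the tenant; principal_id below is that principal's object ID.
resource "azurerm_user_assigned_identity" "hdi" {
  name                = "id-hdinsight-example" # assumed name
  resource_group_name = azurerm_resource_group.hdi.name
  location            = azurerm_resource_group.hdi.location
}

# Scope is the storage account resource id, not the subscription, so the
# identity gets data-plane rights on this one account and nothing else.
resource "azurerm_role_assignment" "hdi_blob_owner" {
  scope                = azurerm_storage_account.datalake.id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = azurerm_user_assigned_identity.hdi.principal_id
}

# Useful for checking the assignment afterwards with
# `az role assignment list --scope <storage account id>`.
output "identity_principal_id" {
  value = azurerm_user_assigned_identity.hdi.principal_id
}
```

Because `principal_id` references the identity resource, Terraform creates the identity before the assignment without an explicit `depends_on`. The HDInsight cluster resource then references the identity's resource id (`azurerm_user_assigned_identity.hdi.id`) in its Gen2 storage block. Two things worth checking after `terraform apply`: that the assignment's scope in the portal or `az role assignment list` is the storage account and not a parent scope, and that a cluster deployment started immediately afterwards is retried if it fails on authorization, since Azure RBAC assignments can take a few minutes to propagate.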