0
votes

I have two subscriptions: development and prod. I want to deploy Event Grid on an existing Azure storage account from the development subscription, but triggered by an existing Azure Function app from the prod subscription. I have a proper ARM template for it, which normally works when I point to resources inside one Azure subscription. Of course I have properly separated service principals with service connections (Azure Resource Manager) in Azure DevOps for deploying resources. When I use the prod service connection, I have a problem with write access to the storage account, and when I use the dev service connection I have a problem with write access to the Azure Function.

Can I avoid this somehow, or achieve it another way?


1 Answer

1
votes

To solve this issue, you need to use a service connection whose service principal has permissions in both the dev subscription and the prod subscription.

For example, if you use the prod service connection, navigate to the storage account in the dev subscription (or to the dev subscription itself) directly in the portal -> add an RBAC role, e.g. Contributor, to the service principal.


You can also use the dev service connection and navigate to the function app in the prod subscription (or to the prod subscription itself) to grant the role in the same way. Or you can create a new service connection and grant it both roles; it is up to you.
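The same role grants done from the Azure CLI instead of the portal, as an added example that is not part of the answer above. It assumes the object id of the service connection's service principal and the subscription, resource group and resource names (all placeholders constructed for the example), and it scopes each assignment to the single resource the pipeline has to write rather than to the whole subscription, so the service principal gets no more than the deployment needs. Commands are printed in dry-run mode unless `APPLY=1` is set.

```shell
#!/usr/bin/env sh
# Added example (not from the question or the answer): grant one deployment
# service principal RBAC on the dev storage account and the prod function app,
# so a single Azure DevOps service connection can deploy across both subscriptions.
# All ids and names below are constructed placeholders; replace them with your own.
# Set APPLY=1 to run the az commands; by default they are only printed.

DEV_SUB="00000000-0000-0000-0000-000000000001"       # placeholder: dev subscription id
PROD_SUB="00000000-0000-0000-0000-000000000002"      # placeholder: prod subscription id
SP_OBJECT_ID="11111111-1111-1111-1111-111111111111"  # placeholder: object id of the service connection's service principal

# ARM resource id that scopes a role assignment to one storage account.
storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' "$1" "$2" "$3"
}

# ARM resource id that scopes a role assignment to one function app.
functionapp_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s' "$1" "$2" "$3"
}

# Compose the az command that assigns ROLE ($2) to the service principal ($1) at SCOPE ($3).
# --assignee-object-id with --assignee-principal-type avoids the Graph lookup that
# --assignee performs, which a pipeline service principal is often not allowed to do.
role_assignment_cmd() {
  printf 'az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role "%s" --scope %s' "$1" "$2" "$3"
}

# Print the command in dry-run mode, execute it only when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then eval "$1"; else echo "[dry-run] $1"; fi
}

# Dev side: the storage account the Event Grid subscription is created on.
run "$(role_assignment_cmd "$SP_OBJECT_ID" "Contributor" "$(storage_scope "$DEV_SUB" "rg-dev" "stdevevents")")"

# Prod side: the function app that the event subscription points at.
run "$(role_assignment_cmd "$SP_OBJECT_ID" "Contributor" "$(functionapp_scope "$PROD_SUB" "rg-prod" "func-prod-handler")")"

# Check what the service principal ended up with at each scope before running the pipeline.
run "az role assignment list --assignee $SP_OBJECT_ID --scope $(storage_scope "$DEV_SUB" "rg-dev" "stdevevents") -o table"
run "az role assignment list --assignee $SP_OBJECT_ID --scope $(functionapp_scope "$PROD_SUB" "rg-prod" "func-prod-handler") -o table"
```

Role assignments at subscription level also work, as the answer says, but scoping to the resource keeps the prod service principal unable to touch anything else in dev (and vice versa), which matters once this connection is used by many pipelines.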