
I'm trying to add the Service Bus Receiver role to a User Assigned Managed Identity via an ARM template.

i.e. this role. https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#azure-service-bus-data-receiver


Here is the template

    // User Assigned Managed Identity

    {
        "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
        "apiVersion": "2018-11-30",
        "name": "MyManagedIdentity",
        "location": "[resourceGroup().location]"
    },

    // User Assigned Managed Identity Role

    {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2020-04-01-preview",
        "name": "[guid(resourceGroup().id)]",
        "dependsOn": [
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/', 'MyManagedIdentity')]"
        ],
        "properties": {
            "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419",
            "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'MyManagedIdentity'), '2018-11-30').principalId]"
        }
    },

and it returns this error:

Status Message: Tenant ID, application ID, principal ID, and scope are not allowed to be updated. (Code:RoleAssignmentUpdateNotPermitted)

I'm not sure what is wrong.

I've looked at this quickstart. https://docs.microsoft.com/en-us/azure/role-based-access-control/quickstart-role-assignments-template

The principalId should come from the managed identity, I would think, and the roleDefinitionId from the ID of the Service Bus role.


1 Answer


The issue that you are facing is that when you deploy the ARM template for the first time, the identity has only just been created and has not yet been fully replicated, so you might notice that the security principal (user, group, service principal, or managed identity) is listed as "Identity not found" with an Unknown type.


And when you try to update the same role assignment by redeploying the template, it gives you the error "Tenant ID, application ID, principal ID, and scope are not allowed to be updated" because a role assignment with the same ID already exists and it does not allow updating it.

A better option would be to first create the identity with a separate template and then create the role assignment. And for Azure Service Bus Data Receiver, the ID in the template should be:

/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0

Please refer to this documentation for details.

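A role-assignment template of the kind the answer recommends (deployed after the identity already exists, taking its principalId as a parameter), added here as an example and not taken from the question or the answer. The serviceBusNamespaceName parameter, the scope on that namespace and the principalType value are my assumptions; the assignment name is derived from scope, principal and role so that a recreated identity gets a new assignment instead of an update attempt on the old one:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": { "description": "principalId of the already deployed user-assigned identity" }
    },
    "serviceBusNamespaceName": {
      "type": "string",
      "metadata": { "description": "Assumed existing namespace the identity must receive from" }
    }
  },
  "variables": {
    "serviceBusDataReceiverRoleId": "4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
    "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('serviceBusDataReceiverRoleId'))]",
    "namespaceId": "[resourceId('Microsoft.ServiceBus/namespaces', parameters('serviceBusNamespaceName'))]",
    "roleAssignmentName": "[guid(variables('namespaceId'), parameters('principalId'), variables('roleDefinitionId'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[variables('roleAssignmentName')]",
      "scope": "[variables('namespaceId')]",
      "properties": {
        "roleDefinitionId": "[variables('roleDefinitionId')]",
        "principalId": "[parameters('principalId')]",
        "principalType": "ServicePrincipal"
      }
    }
  ],
  "outputs": {
    "roleAssignmentName": {
      "type": "string",
      "value": "[variables('roleAssignmentName')]"
    }
  }
}
```

Scoping the assignment to the namespace rather than the resource group keeps the identity's receive permission limited to the one namespace it needs, and setting principalType to ServicePrincipal tells the role-assignment service not to look the new identity up by its not-yet-replicated object.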