I'm trying to add the Service Bus Receiver role to a User Assigned Managed Identity via an ARM template.
i.e., this role: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#azure-service-bus-data-receiver
Here is the template:
// User Assigned Managed Identity
{
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
  "apiVersion": "2018-11-30",
  "name": "MyManagedIdentity",
  "location": "[resourceGroup().location]"
},
// User Assigned Managed Identity Role
{
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2020-04-01-preview",
  "name": "[guid(resourceGroup().id)]",
  "dependsOn": [
    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'MyManagedIdentity')]"
  ],
  "properties": {
    "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419",
    "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'MyManagedIdentity'), '2018-11-30').principalId]"
  }
},
and it returns this error:
Status Message: Tenant ID, application ID, principal ID, and scope are not allowed to be updated. (Code:RoleAssignmentUpdateNotPermitted)
I'm not sure what is wrong.
I've looked at this quickstart. https://docs.microsoft.com/en-us/azure/role-based-access-control/quickstart-role-assignments-template
The principalId should be from the managed identity, I would think, and the roleDefinitionId from the id of the Service Bus role.
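Below is an added, complete template (editor's example, not the poster's code) that assigns a built-in Service Bus data role to a user-assigned identity in a way that avoids the RoleAssignmentUpdateNotPermitted error. Two points drive the design. First, a role assignment's name is its identity: guid(resourceGroup().id) yields the same name on every deployment of that resource group, so the second deployment (or a redeployment after the identity was recreated and got a new principalId) is treated as an update of an existing assignment, and RBAC does not allow principalId or scope to change on an existing assignment. Deriving the name from the scope, the principal and the role definition makes it unique per assignment and stable across redeployments. Second, reference() cannot be used inside a resource name, so the identity's resource id, not its principalId, goes into the guid(). The example also scopes the assignment to the Service Bus namespace rather than the whole resource group (least privilege) and sets principalType to ServicePrincipal so the assignment does not fail with PrincipalNotFound while the new identity is still replicating. It assumes the namespace already exists in the same resource group and is passed in as serviceBusNamespaceName; the role GUID used here, 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0, is the one listed for Azure Service Bus Data Receiver on the built-in-roles page linked above (verify it there; the GUID in the question, 090c5cfd-751d-490a-894a-3ce6f1109419, is listed for Azure Service Bus Data Owner, which is considerably broader).

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "serviceBusNamespaceName": {
      "type": "string",
      "metadata": { "description": "Existing Service Bus namespace in this resource group (assumed to exist)." }
    },
    "identityName": {
      "type": "string",
      "defaultValue": "MyManagedIdentity"
    }
  },
  "variables": {
    // Built-in role id; check against the built-in-roles doc before use.
    "serviceBusDataReceiverRoleId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]",
    "identityId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]",
    "namespaceId": "[resourceId('Microsoft.ServiceBus/namespaces', parameters('serviceBusNamespaceName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "apiVersion": "2018-11-30",
      "name": "[parameters('identityName')]",
      "location": "[resourceGroup().location]"
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      // Unique per (scope, principal, role) and stable across redeployments.
      // reference() is not allowed in a name, so the identity's resource id stands in for its principalId.
      "name": "[guid(variables('namespaceId'), variables('identityId'), variables('serviceBusDataReceiverRoleId'))]",
      // Extension resource: grant on the namespace only, not the whole resource group.
      "scope": "[variables('namespaceId')]",
      "dependsOn": [
        "[variables('identityId')]"
      ],
      "properties": {
        "roleDefinitionId": "[variables('serviceBusDataReceiverRoleId')]",
        "principalId": "[reference(variables('identityId'), '2018-11-30').principalId]",
        // Lets RBAC accept the assignment before the new identity has replicated to all directory replicas.
        "principalType": "ServicePrincipal"
      }
    }
  ]
}
```

Deploy it with something like az deployment group create --resource-group <rg> --template-file main.json --parameters serviceBusNamespaceName=<namespace>. If an assignment named guid(resourceGroup().id) already exists from the earlier attempt, it keeps its original principalId and scope; delete it (or leave it, since the new assignment has a different name) rather than trying to redeploy over it.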